How to use programmable OATH tokens to replace authenticator apps

This guide explains how to use the programmable OATH TOTP tokens from Microcosm as a drop-in replacement for the Microsoft Authenticator app in Office 365 and Azure AD MFA (without P1/P2 licence).

The process described here is applicable to other MFA environments that use a smartphone authenticator app for generating a TOTP code, provided that they generate a compatible QR code at enrollment time. The burner app will warn you if you scan an incompatible QR code.

Steps

Install the Microcosm OTP Burner app from Google Play on an NFC-enabled Android smartphone.

This app is only required for the enrollment process and can be performed by an IT admin. Subsequent user logins will require only the TOTP hardware token.
In Office 365 or Azure AD MFA navigate to the MFA setup page and add the the Authenticator app as an authentication method.
When prompted to get the Microsoft Authenticator app click I want to use a different authenticator app.
Then click Next - you should see a screen displaying a QR code.
Open the Microcosm Burner app on your smartphone and choose the Scan a QR Code option.
Scan the QR code using the app.

The app will then wait for you to present a programmable OTP token.
Press the button on your OTP token to turn it on. Now place the token in the NFC detection area of your smartphone. The NFC detection area is usually on the back of the device.
The app will detect the token and program the seed into it.
On Office 365 or Azure AD MFA click Next to perform the OTP verification. The OTP verification step will require you to enter the code shown on your OTP hardware token. Type in the 6-digit code and click Next to complete the process.