Better login security for some Office 365 users.
Microsoft has expanded two factor authentication to more Office 365 users.
Called ‘multi-factor authentication’ is now available for Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online.
There’s no extra charge and the additional login method is optional.
What the?
OK – you want to know what the ??? ‘multi-factor authentication’ is? It’s one of those geeky phrases that’s sneaking into regular use with the assumption that everyone know what it means.
One Factor Authentication
You go to a web site like Office 365 and login with a name and password – simple. That’s ‘single factor authentication’ because there’s only one check of your identity.
Two factor authentication
This time you login with name/password – that’s correct so now you move to the second check that you are really you.
That’s done by sending a special one-time code (usually a short string of numbers or letters) to your phone (an automated call or text message) or sent to an app on your smartphone. You enter that code on the web site to finally gain access.
Quite likely you’ve already done a version of two factor authentication to access a bank web site. Google also offers two-factor authentication.
Multi-factor authentication
Microsoft seems to be calling their feature ‘multi-factor’ not because there’s a third or more check. Instead it appears to refer to the multiple methods of getting the second authentication code.
For Office 365 the methods are, quoting Microsoft:
- Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
- Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
- Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
- Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
- Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.
App Passwords
In addition there are App Passwords. These are passwords (16 character randomly generated) for Office desktop applications (Word, Excel, Outlook etc.) and smartphone applications. You enter the App Password instead of the standard Office 365 email/password combo.
At the moment, Office 2013 doesn’t support multi-factor authentication but it will ‘soon’. Possibly as part of the upcoming Office 2013 Service Pack?
An Office 365 administrator has to set up multi-factor authentication in the first place. Then users are prompted to provide additional information (like phone numbers).
From long and bitter experience we strongly recommend you setup multiple methods of getting the second passcode. Don’t assume you’ll always have the same phone or that phone is working. Have a backup phone number, install the smartphone app etc.
Like most additional security measures, multi-factor authentication has ups and downs. Yes, you get greater security … but it’s also time consuming. If there’s a problem then it can be a right PITA to get access.
For more info, go to the Microsoft blog while techies can head to MSDN .
