Microsoft Uses Multi-Factor Authentication to Add Security to Office 365
Multi-Factor Authentication (MFA) is an added level of security over your familiar username and password. In the MFA model, after you provide your username and password, you are also asked to provide another verification code. That code is randomly generated and sent to you at the time of the login transaction. The code can also be generated by an application on your smartphone, PC, or a small device you carry with you – also known as a “fob.”
For O365, Microsoft recently announced that Multi-Factor Authentication is now included free of charge with the Midsize Business and Enterprise plans, so there is no price obstacle to using it. With MFA, not only is your mailbox protected with extra security but also all other services and content requiring your username and password.
In Microsoft’s implementation, you can choose how the second factor is delivered:
- Smartphone app (Windows Phone, iOS, Android)
- Text message
- Voice call
I have used all three and have settled on the smartphone app on my iPhone. With that model, the app ‘wakes up’ automatically when I log in to O365. I just need to tap the “confirm” button to complete the login. With the text message model, a six-digit code is sent to your phone and you have to type that into the web page to log in. The voice call model surprised me because I thought it would speak six digits to me, but it actually only needed a press of the pound (#) key.
That is good for web access – anything you would use with a web browser. The other applications – Outlook Desktop, Lync, ActiveSync (smartphone e-mail), Word, Excel, PowerPoint, and OneDrive – need a new, special password called the App password. That is a 16-character, randomly generated string that you use instead of your usual password. The App password is not usually easy to remember, so the best practice is to configure those apps when you first get the App password and click the “Remember my credentials” box. Once set, the application behaves as usual. And these App passwords are durable – they do not expire and they still work even if you change your regular password. You are able to manage your App passwords: you can delete one and create a new one, and you can have several App passwords at the same time. Microsoft recommends creating one for each device you use. Then, if a device goes missing, you can just delete the App password for that device and it cannot be used to access your data.
From an administrative perspective, it is really easy to enable or disable MFA for a given user. That is important if someone loses a device and needs to get into the system. In that case, the administrator can just disable MFA for that one individual and then that person is back to the original username/password model. However, if you have a lot of users, browsing the list to get to the desired entry can be tedious because there is no search function in the MFA setup page. But there is a “Bulk Load” function that uses a CSV file to operate on the user accounts. It looks like this:
The “Username” is the User Principal Name (UPN) for the account. So, with the Bulk Load file you can quickly operate on a set of users without browsing through the directory to find and change them. With this function, you can turn on MFA for specific groups at a time – starting with IT personnel, for instance.
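As an added illustration (not from the original post), the script below builds a Bulk Load file for one department at a time from a constructed directory export. The page only states that the “Username” column holds the UPN; the second column name “MFA Status” and the values Enabled/Disabled are assumptions about the upload format, so check them against the sample file the portal offers before uploading. It also leaves out administrator accounts, since those lose app-password access once MFA is enabled, and reports every skipped entry rather than dropping it silently.

```python
"""Build an O365 MFA Bulk Load CSV for one department at a time."""
import csv
import io
import re

# Assumed upload format: the page only confirms that "Username" is the UPN.
HEADER = ["Username", "MFA Status"]
STATES = {"Enabled", "Disabled"}

# Loose UPN shape check: one '@', no whitespace, a dot in the domain part.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample directory export: (UPN, department, is_admin).
DIRECTORY = [
    ("alice@contoso.example", "IT", False),
    ("bob@contoso.example", "IT", True),    # admin: cannot use app passwords
    ("carol@contoso.example", "Sales", False),
    ("dave@contoso.example", "IT", False),
    ("not-a-upn", "IT", False),             # malformed row in the export
]


def select_users(directory, department):
    """Return (upns_to_enable, skipped) for one department.

    skipped maps UPN -> reason so the admin can review who was left out.
    """
    selected, skipped = [], {}
    for upn, dept, is_admin in directory:
        if dept != department:
            continue
        if not UPN_RE.match(upn):
            skipped[upn] = "malformed UPN"
        elif is_admin:
            skipped[upn] = "admin account would lose app-password access"
        else:
            selected.append(upn)
    return selected, skipped


def build_bulk_load_csv(upns, state="Enabled"):
    """Render the Bulk Load file as text (CRLF rows, as Excel writes them)."""
    if state not in STATES:
        raise ValueError(f"unknown MFA state: {state}")
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(HEADER)
    writer.writerows([upn, state] for upn in upns)
    return buf.getvalue()


if __name__ == "__main__":
    users, left_out = select_users(DIRECTORY, "IT")
    print(build_bulk_load_csv(users))
    for upn, why in left_out.items():
        print(f"skipped {upn}: {why}")
```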
Microsoft has a great short video on MFA that shows the setup steps for both administrators and users. Find it at http://channel9.msdn.com/posts/Multi-Factor-Account-Setup
One caution: users with administrator rights in O365 cannot use app passwords with MFA. So, if you MFA-enable an administrator account, it will lose access to those applications mentioned above. Proceed with caution!
Once enabled, the user experience is only a bit different from the username/password model. The App or text message second factor methods become familiar and routine very quickly.
So, give it a shot! It is great extra protection for your O365 assets 🙂