Multi-Factor Authentication for Office 365

Microsoft just recently announced the release of Multi-Factor Authentication for Office 365 to midsize business, enterprise plans, academics, nonprofits, and standalone Office 365 plans to include Exchange Online and SharePoint Online. This release will allow those with these subscriptions to enable multi-factor authentication for their Office 365 users without additional costs, fees or subscriptions. Multi-Factor Authentication is powered by Windows Azure Multi-Factor Authentication and works directly with Office 365 applications and is managed by the Office 365 portal. Multi-Factor Authentication increases security for Cloud services beyond a single password. By adding this layer of security, users have to respond to or acknowledge a text, call, or other type of notification after entering their password. This layer of protection helps guard user accounts against password cracking and guessing attempts. If someone successfully manages to enter a correct password, they are still required to enter a second form of authentication in order to sign in. Administrators have been able to use the multi-factor authentication since June last year. App Passwords are a capability that has been available to admins since June as well and are part of the enhanced capabilities Microsoft is adding so users can authenticate their login from Office desktop apps. Users who are authenticating from federated on-premises directories are now enabled for multi-factor authentication as well. Security is always a concern with the growing number of threats by hackers, spyware, viruses, and other factors that can cripple a network or cause malicious damage to a user account, and is a large part of what drove the addition of multi-factor authentication to Office 365. Through this extra layer of authentication, Office 365 offers a robust security feature that is built in for all users plus some optional controls that enable customization of security preferences. Upon initial entering of an Office 365 password, a user will receive a phone call sent to their mobile phone which must be answered as it will provide additional login information in order to complete the login process. Users have the choice of using other verification options such as a text message for this secondary login information. Administrators can establish multi-factor authentication for users through the Office 365 admin center. Admins can go to the “users and groups” section on the left hand side of the admin center, select “active users”, and set multi-factor authentication requirements from there. After users have multi-factor authentication enabled on their account they will have to establish a second means of authenticating themselves the next time they login. Each login after that will require the method they select as the second layer of authentication. Options for the second layer of authentication include: Call my mobile phone, Text code to my mobile phone, Call my office phone, Notify me through app, and Show one-time code in app. The apps are available for smartphones and once users set that notification they will have to start the app and enter a six-digit code from the app into the portal. Once users are enrolled for this authentication they will have to set App Passwords in order to use the Outlook, Lync, Word, Excel, PowerPoint, and SkyDrive Pro apps, otherwise they will not be able to access them. App passwords are strong passwords instead of the second authentication layer and are generally 16 characters in length and are randomly created.  This additional layer of security may sound tedious but it provides peace of mind knowing the additional layer of security will protect against break-ins to their account. With the recent events such as the breach of a major retail store’s credit card information, one cannot be too protected against attacks. Future developments by Microsoft in multi-factor authentication include smart card certificates in which a user will have a physical card with an embedded smart chip used to authenticate a user by prompting for a PIN. Smart cards are used by the US government and are issued to all active duty soldiers, civilian workers, and contractors in order to gain access to government systems. Microsoft already has plans to work with the U.S. Department of Defense with the Common Access Cards already in place. The same principle will now apply to corporate and private industry. Though in its early stages of development by Microsoft, smart card certificates will be one of the first physical media users will have for authentication into their Office 365 accounts and should protect them as they would a credit card. PINs for smarts are typically 8 to 10 numbers; Microsoft may reduce or add the number of digits required for their smart cards upon release to users and administrators. Office 365 users will be able to use multi-factor authentication directly from Office 365 client applications as part of Microsoft’s next move in authentication. Microsoft plans to add native multi-factor authentication for Office 365 applications later this year. This will include current phone-based authentication and add capabilities to other forms of authentication such as third party multi-factor authentication.