What you should know about O365 two-factor authentication

Securing the login process to a popular SaaS application like Office 365 (O365) can be confusing when you have so many options, some of which are available out of the box. To help you understand the essentials, here is a summary of what you need to know.

Two-factor authentication (2FA) requires the use of something you know (e.g. a password or PIN) as the first factor. The second factor can fall into either the "something you have" or the "something you are" category. Most authentication vendors offer something you have (commonly via a one-time SMS code) as a second factor.

Microsoft offers 2FA for O365 with an O365 license, a premium Azure AD plan, or a pay-as-you-use model.

What is included in O365 2FA

O365 2FA supports a password as the first factor plus something you have: a mobile phone. For the most common use case, O365/Azure AD MFA offers the following options as the second factor:

  • SMS mobile verification code
  • Phone call
  • Mobile OTP application

You can use third-party authenticators as the second factor only if you deploy an MFA server and configure ADFS.

SMS as the second factor

Many IT departments are hesitant to implement a multi-factor authentication solution due to the impact it can have on the user experience. IT departments tend to follow the path of least resistance, and SMS verification is the second factor most familiar to users.

The problem with SMS verification is that text messages can be intercepted. Reddit was breached this past June due to their employees’ use of two-factor authentication with SMS verification as the second factor. Essentially, hackers gained access to user emails, source code, and internal files, including a 2007 database backup containing user passwords and other account details.
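To find accounts that depend on the phone-based second factors discussed above, the following added example (not from the original article or from Microsoft) classifies users by the method types registered for them. It assumes records shaped like the per-user method list Microsoft Graph returns; the sample users, status names and the grouping of method types are constructed for illustration.

```python
# Added example: flag accounts whose only second factor is phone-based.
# Assumption: each record mimics an entry of the "value" array returned by
# Microsoft Graph for GET /users/{id}/authentication/methods.
PREFIX = "#microsoft.graph."
PHONE_BASED = {"phoneAuthenticationMethod"}  # SMS code or phone call
# Grouping chosen for this example: app-based OTP plus non-phone methods.
NON_PHONE = {
    "microsoftAuthenticatorAuthenticationMethod",
    "softwareOathAuthenticationMethod",
    "fido2AuthenticationMethod",
    "windowsHelloForBusinessAuthenticationMethod",
}


def classify(methods):
    """Return the second-factor status for one user's method list."""
    kinds = {m.get("@odata.type", "").removeprefix(PREFIX) for m in methods}
    # Passwords (first factor) and unrecognised types are deliberately
    # ignored: they never count as a second factor here.
    if kinds & NON_PHONE:
        return "has_non_phone_factor"
    if kinds & PHONE_BASED:
        return "phone_only"
    return "no_second_factor"


def audit(tenant):
    """Map each status to the sorted list of users that fall into it."""
    report = {"no_second_factor": [], "phone_only": [], "has_non_phone_factor": []}
    for user, methods in tenant.items():
        report[classify(methods)].append(user)
    return {status: sorted(users) for status, users in report.items()}


def _m(kind):
    return {"@odata.type": PREFIX + kind}


# Constructed sample tenant (hypothetical users).
SAMPLE = {
    "alice@example.com": [_m("passwordAuthenticationMethod"),
                          _m("phoneAuthenticationMethod")],
    "bob@example.com": [_m("passwordAuthenticationMethod"),
                        _m("phoneAuthenticationMethod"),
                        _m("microsoftAuthenticatorAuthenticationMethod")],
    "carol@example.com": [_m("passwordAuthenticationMethod")],
}

if __name__ == "__main__":
    for status, users in audit(SAMPLE).items():
        print(f"{status}: {', '.join(users) or '-'}")
```

Users reported as `phone_only` are the ones exposed to the SMS interception problem; `no_second_factor` users have no 2FA registered at all.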

Third-party MFA for O365

Turning on multi-factor authentication for O365 should be a priority, as the enormously popular application has become a primary target for hackers. That does not mean you have to go with what Microsoft offers. When evaluating O365 MFA, look for solutions that:

  • Go beyond phone-based options
  • Support third-party MFA out of the box
  • Provide users with failover options
  • Remove the password as the first factor (if desired)

(Last updated on September 26, 2025)
