What you should know about O365 two-factor authentication

Securing the login process to a popular SaaS application, like Office 365 (O365), can be confusing when you have so many options, some of which are out-of-the-box. To help you understand the essentials, here is a summary of what you need to know.

Two-factor authentication (2FA) requires the use of something you know (e.g. password or pin) as the first factor. The second factor can fall in either the something you have or something you are category. Most authentication vendors offer something you have (commonly via a one-time SMS code) as a second factor.

Microsoft offers 2FA for O365 with an O365 license, a premium Azure AD plan, or a pay-as-you-use type of model.

What is included in O365 2FA

O365 2FA supports password as the first factor plus something you have – mobile phone. For the most common use case, O365/Azure AD MFA offers the following options as the second factor:

• SMS mobile verification code
• Phone call
• Mobile OTP application

You can use third party authenticators as the second factor only if you deploy an MFA server and configure ADFS.

SMS as the second factor

Many IT departments are hesitant to implement a multi-factor authentication solution due to the impact it can have on the user experience. IT departments tend to follow the path of least resistance, using SMS verification as the second factor is the most familiar to users.

The problem with SMS verification is that text messages can be intercepted. Reddit was breached this past June due to their employees’ use of two-factor authentication with SMS verification as the second factor. Essentially hackers gained access to user emails, source code, and internal files including a 2007 database backup containing user passwords and other account details.

Third-party MFA for O365

Turning on multi-factor authentication for O365 should be a priority, as the enormously popular application has become a primary target for hackers. That does not mean you have to go with what Microsoft offers. When evaluating O365 MFA look for solutions that:

• Goes beyond phone based options
• Supports 3^rd party MFA out of the box
• Provides users with fail over options
• Removes password as the first factor (if desired)