What you should know about O365 two-factor authentication

Securing the login process for a popular SaaS application such as Office 365 (O365) can be confusing when there are so many options, some of which come out of the box. To help you understand the essentials, here is a summary of what you need to know.

Two-factor authentication (2FA) combines two different kinds of evidence. In practice the first factor is something you know (a password or PIN) and the second factor is either something you have (a phone or a hardware token) or something you are (a biometric). Most authentication vendors offer something you have as the second factor, most commonly a one-time code sent by SMS to the user's phone.

Microsoft offers 2FA for O365 as part of an O365 license, through a premium Azure AD plan (Azure AD has since been renamed Microsoft Entra ID), or on a pay-as-you-use basis.

What is included in O365 2FA

O365 2FA uses the password as the first factor and the user's mobile phone as the something-you-have second factor. For the most common use case, O365/Azure AD MFA offers the following options as the second factor:

  • A one-time verification code sent by SMS
  • An automated phone call
  • A mobile OTP application (Microsoft Authenticator, via a push notification or a time-based one-time code)

At the time of writing, you can use a third-party authenticator as the second factor only if you deploy an on-premises MFA server and federate the tenant with AD FS (Active Directory Federation Services), where the third party's MFA adapter plugs in; the cloud service itself offers no out-of-the-box hook for it.

SMS as the second factor

Many IT departments hesitate to roll out multi-factor authentication because of its impact on the user experience, so they tend to follow the path of least resistance: SMS verification is the second factor users are most familiar with.

The problem with SMS verification is that text messages can be intercepted or redirected, for example through a SIM-swap or number-porting attack, through the telephone network's SS7 signalling, or simply by phishing the code from the user. This is why NIST SP 800-63B classifies one-time codes delivered over the public telephone network as a restricted authenticator. Reddit learned this the hard way: it was breached in June 2018 after attackers intercepted the SMS codes of employees who used SMS as their second factor. The attackers gained read-only access to a 2007 database backup containing usernames, email addresses and salted, hashed passwords, to email digests Reddit had sent that month, and to source code and internal files. SMS is still far better than a password alone; the point is that it should be a stopgap on the way to a stronger method, not the end state.
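The following PowerShell is an added example, not code from the original post or from Microsoft. It ties the two sections above together: using the Microsoft Graph PowerShell SDK (assumed installed, with an administrator who can consent to the listed scopes), it reads which second-factor methods each user has registered, sorts them into the phone-based options listed earlier versus stronger app- or key-based ones (the strong list also includes FIDO2 keys and Windows Hello for Business, which the post does not cover), flags users whose only second factor is SMS or a phone call, and disables SMS in the tenant's authentication methods policy only when nobody would be locked out. The grouping of methods and the report layout are this example's own choices; the cmdlet names, Graph method type names and the `Sms` configuration ID are Microsoft's.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an admin able to consent
# to the scopes below; everything else is standard Microsoft Graph behaviour.

$scopes = @(
    "User.Read.All",
    "UserAuthenticationMethod.Read.All",      # read each user's registered methods
    "Policy.ReadWrite.AuthenticationMethod"   # change the tenant authentication methods policy
)
Connect-MgGraph -Scopes $scopes | Out-Null

# Graph method types grouped into the categories discussed in the post.
$phoneBased = @(
    "#microsoft.graph.phoneAuthenticationMethod"                    # SMS code or voice call
)
$strong = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",  # mobile OTP app (push or TOTP)
    "#microsoft.graph.softwareOathAuthenticationMethod",            # third-party TOTP app
    "#microsoft.graph.fido2AuthenticationMethod",                   # security key, phishing resistant
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"  # passwordless platform credential
)
# passwordAuthenticationMethod is the first factor and emailAuthenticationMethod
# is used only for self-service password reset, so neither counts as a second factor.

$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled |
         Where-Object { $_.AccountEnabled }

$report = foreach ($u in $users) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        User      = $u.UserPrincipalName
        HasStrong = [bool]@($types | Where-Object { $_ -in $strong }).Count
        HasPhone  = [bool]@($types | Where-Object { $_ -in $phoneBased }).Count
        Methods   = ($types -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '') -join ','
    }
}

$noSecondFactor = @($report | Where-Object { -not $_.HasStrong -and -not $_.HasPhone })
$smsOnly        = @($report | Where-Object { $_.HasPhone -and -not $_.HasStrong })

$report | Format-Table User, HasStrong, HasPhone, Methods -AutoSize
"{0} users have no second factor; {1} rely on SMS/voice alone" -f $noSecondFactor.Count, $smsOnly.Count

if ($smsOnly.Count -eq 0) {
    # Nobody would be locked out, so turn SMS off tenant-wide. Voice calls have
    # their own configuration ("Voice") and can be disabled the same way.
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId "Sms" `
        -BodyParameter @{
            "@odata.type" = "#microsoft.graph.smsAuthenticationMethodConfiguration"
            state         = "disabled"
        }
    "SMS disabled in the authentication methods policy."
} else {
    "Keep SMS enabled until these users register a stronger method:"
    $smsOnly.User
}
```

Run it as an account holding the Authentication Policy Administrator (or Global Administrator) role. Two caveats: the authentication methods policy only governs SMS once the tenant has migrated away from the legacy per-user MFA and self-service password reset policies, so check those too in an older tenant; and disabling the `Sms` configuration leaves voice calls enabled, which carry the same interception risk and have their own `Voice` configuration.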

Third-party MFA for O365

Turning on multi-factor authentication for O365 should be a priority, since the enormously popular service has become a primary target for attackers. That does not mean you have to go with what Microsoft offers. When evaluating MFA for O365, look for a solution that:

  • Goes beyond phone-based options
  • Supports third-party MFA out of the box
  • Gives users fail-over options when their primary method is unavailable
  • Can remove the password as the first factor (if desired)

(Last updated on October 30, 2023)
