What is multi-factor authentication?

Multi-factor authentication (MFA) is a process whereby you have to present more than one type of information to gain access to a system or location.  For example, to access a building you might have to show an identity card and enter a PIN on a keypad.  For multi-factor authentication with Office 365 you must enter a password and then a numerical code that can be obtained in a number of ways.  Without both pieces of information, you simply will not be able to log on and use Office 365 if MFA is enabled for your account.  In these examples, we are specifically talking about two-factor authentication.  That phrase is often used interchangeably with multi-factor authentication, although the former is actually a subset of the latter.

How do I enable multi-factor authentication?

Enabling multi-factor authentication takes a simple mouse click in Office 365.  You are free to enable it for all your user accounts or just some of them.  You might, for example, choose to use it only for sensitive accounts related to HR and finance, or maybe you will require it only for those staff who administer the Office 365 service.  It is important to contact your staff before you enable MFA on their accounts so that they know what to expect and what they must do in order to make use of it.

Are there any limitations?

At the time of writing, the desktop versions of the Microsoft Office applications do not support multi-factor authentication.  So if you use Outlook for email, or if you have the other Office applications through an Office 365 subscription, then your Office 365 password will not work with those applications once MFA is enabled for your Office 365 account.  Instead, you will need to use what is called an “app password.”  This password is generated for you by Office 365 and can be used to authenticate your Office 365 user name to those desktop applications.  The concept of app passwords will require some education of end users.  Here is a good place to gather more information about what is involved: http://technet.microsoft.com/library/en-us/dn270518#howapppassword

How does it work in practice?

Once an Office 365 account has MFA enabled, the logon process will change.  The next time a user logs on, he or she will be prompted to set up MFA for their account.  For example, the user can enter a cell phone number where he wants to receive a security code that is sent each time he tries to log on (the code changes each time).  After that, whenever he logs on to Office 365, he will first enter his user name and password and, if those are accepted, he will then be asked to enter a security code that has been sent to his phone.  An example is shown below:

[Figure: Office 365 multi-factor logon]

An assumption here is that the user will have his cell phone with him.  If the cell phone is not available, then there are other options, assuming you have already configured them.  When you set up MFA for your user account, you can also specify a desk phone and an alternate cell phone to be used as methods of authentication if the primary cell phone is not available.  This will require good end-user education to encourage email users to set up these alternative authentication methods in the beginning.  Users can also install the multi-factor authentication app for Office 365 on a Windows Phone, Android, or iOS device.

What is the next step?

Using multi-factor authentication has the benefit of making Office 365 access more secure.  It does require the user to take some steps, especially for the app passwords for the desktop versions of the Microsoft Office suite of software.  However, if your users only access Office 365 through a web browser, then enabling multi-factor authentication will be relatively easy for end users as well as email administrators.  Two-factor authentication is offered by many major web services and over time it will become the standard for secure access.  New Signature has a wealth of experience and knowledge surrounding Office 365.  If you are interested in learning more about multi-factor authentication then please give us a call.  Now is a good time to set up a small trial to gain more experience with it.