April 1, 2020
Office 365 App Passwords and Multi-Factor Authentication: Complete Overview
Using a username and a password as login is a classic method of authentication. It is convenient, popular and reliable. However, the security of an account is only as strong as its password. Add to that software vulnerabilities and user resilience to social engineering tricks and phishing attacks. If a single password meeting Office 365 password requirements is not enough to protect your account or accounts of users in your organization, consider using multi-factor authentication, which is supported by Microsoft Office 365. Some companies use multi-factor authentication by default in accordance with their security policy. This blog post explains what multi-factor authentication is, and how to use it in Office 365 and Office 365 app passwords.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) is a method to confirm the identity of a user by requiring multiple credentials before authorization and before providing access to a website, application or other resources. With two-factor authentication, first, a user has to enter information that only they know. Second, they have to confirm their identity by providing additional information that can only be accessed by them, for example, a confirmation call, SMS code, USB key, fingerprint, face image, etc. Generally, the types of information used by MFA can be classified into tree types:
- Knowledge – something you know (a password, pin code, etc.)
- Possession – something you have (a cell phone, USB key, smart card, token, etc.)
- Inheritance – something you are (biometric data such as fingerprint, your eye, your face, etc.)
By using MFA, a system can ensure that it is the real user who is entering the username and password and not a person with bad intentions who has compromised a user account by stealing the username and password. MFA is highly recommended for internet banking. However, if the information in your Office 365 documents and your Office 365 email account is very important to you, you can also configure MFA for Office 365.
Sometimes two-step authentication, which is a subset of multi-factor authentication, and two-step verification are mixed up (and cause confusion). Two-step verification is a method to confirm your identity by using something that only you know, for example, a password, and adding one additional step before being granted access. Such authentication always uses something only you know as the first step, and a combination of something you have and something you are is never used, unlike two-factor authentication.
Although both are used for similar purposes, two-factor authentication requires elements under different categories (for example, something you know and something you have) and two-step verification requires two elements of one category (for example, two keys, two passwords etc).
Using multi-factor authentication and two-step verification may be inconvenient. For example, you may forget to take your phone with you or you may lose your phone, making authentication more complicated.
Types of MFA for Office 365
Office 365 offers three main types of MFA:
- Authentication phone: SMS or call
- Office phone
- Mobile app: Receive notifications for verification or use verification code
How to Enable MFA for Your Office 365 Account
If you use Office 365 in your organization, MFA must be enabled for the organization or for separate users who need this option. After that a user can set up the multifactor authentication for the Office 365 account.
Go to the web page to authenticate in Office 365: https://login.microsoftonline.com
Log in as Administrator to Office 365.
Go to Office 365 Admin Portal by selecting the Admin icon or by entering the web address in the address bar of your web browser manually: https://admin.microsoft.com/Adminportal/
In the left pane of Microsoft 365 admin center, click Active users. In the list that opens, select the account for which you want to configure two-factor authentication. In this example we will configure Office 365 MFA for Michael Bose.
Let’s select Michael Bose. In the account options that open, click Manage multifactor authentication in the Account tab.
In the new screen that opens, a list of Microsoft Office 365 accounts appears. The accounts are organized in a table with three columns: Display Name, User Name and Multi-Factor Auth Status. As you can see on the screenshot below, by default the MFA status is “Disabled” for all accounts. Let’s enable MFA for one user.
Select the required account again (Michael Bose in this case), select the appropriate checkbox at the user name and click Enable.
The “About enabling multi-factor auth” pop-up message is displayed:
If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup
Copy and save this link. You will need to provide this link to users to finish configuring MFA for Office 365.
A user for whom the admin has enabled MFA must log into Office 365 by using the web address https://login.microsoftonline.com. Note that the step-by-step guide below describes the actions taken by the user, not by the admin who has configured MFA.
Open the security verification page by using the link https://aka.ms/MFASetup (that you have saved earlier).
Provide the correct information in a few steps.
Step 1: How should we contact you?
In the drop-down menu you can select:
- Authentication phone
- Office phone
- Mobile app
Let’s select Authentication phone. You have to enter a valid cell phone number and select the second factor authentication method:
- Send me a code by text message
- Call me
If you select to send a code by text message (SMS) or by calling you, you may be charged according to your mobile operator rates. Let’s select the first option (Send me a code by text message). Hit Next.
Wait for a few seconds.
Step 2: We’ve sent a text message to your phone.
You will receive a verification code via SMS to your cell phone. Enter that code in the appropriate field as shown on the screenshot below. Click Verify.
Wait for a while until verification is complete.
If verification is successful, hit Done and you will be redirected to the Office 365 login page. A verification code will now be sent to your cell phone via SMS. Enter that code in the appropriate field as shown on the screenshot. Hit Verify to sign in.
Note: If you selected the Call me option, usually you should answer the call and press the # sign.
Now Office 365 multi-factor authentication is configured and you can use it each time after entering your username and password. You are redirected to the page with additional security verification options where you can modify the settings. Don’t forget to take your phone and don’t lose your phone to be able to pass Office 365 authentication successfully.
Office 365 App Password
What is app password in Office 365? This is a special code that allows you to access your Office 365 account and Office 365 applications. It is related to Azure multi-factor authentication configuration. You should separately generate app specific passwords for each device that you use to access Office 365 applications, but the same Office 365 app password can be used on the same device. Office 365 app password is the alternative to multi-factor authentication for applications that cannot natively support MFA and for non-browser applications.
Click your avatar or user icon in the right top corner and then click the My account option. In the Security & privacy menu find the Additional security verification option. Click Create and manage app passwords.
To make this option available, sign into the Azure portal and check the Multi-factor authentication settings page. Select the radio button “Allow users to create app passwords”.
In the account options, select App password and click Create to create Office 365 app password.
Enter the name for Office 365 app password, for example, Outlook365. Copy the generated password to the clipboard and save it in a safe place or write down the Office 365 password manually. You can remember the Office 365 app password if you wish.
After you generate app specific passwords, you can apply them to Office 365 applications such as Outlook to log in.
Multi-factor authentication and Office 365 app passwords are additional security options for authentication. Multi-factor authentication improves security but takes additional steps to authenticate. Use MFA when you are not sure that using a username/password pair is enough for you in terms of security. You can generate Office 365 app passwords if for some reason you don’t trust the classic username/password authentication method and if native multi-factor authentication methods cannot be applied in your situation. However, even if your security configuration is strict, having a backup is always a good idea. Consider Office 365 backup to protect your data from loss brought about by different causes.