What is Two-Factor Authentication?

Two-Factor Authentication is sometimes called Multi-Factor Authentication, Two-Step Verification, or 2FA. But, no matter what you call it, it is an effective tool for fighting PHISHING, data loss and other malicious attacks.

Two factor authentication requires that a user present something they "have" in addition to something they "know" when signing on.

THE FIRST FACTOR:
The "something you know", is the way you've been logging in for years. It is typically just typing in your username and password. You hopefully have your password(s) memorized, not shared with others, and not written on a sticky note under your keybaord. But, with the rise of phishing attacks, data leaks, and general carelessness, just providing a username and password isn't enough to keep your services secure anymore.

THE SECOND FACTOR:
The “something you have” portion for authentication can bet many different things, but the most common one you’ve probably seen is getting a PIN code via txt message whenever you sign into your credit card’s website. Using txt messages as a 2nd factor is OK, but there are better and more secure options available too. Here are a few of the most common two-factor implementations:

• pin code via text message
• pin code via email
• a smart card like a Military CAC
• a physical token device that displays a generated code
• a software token installed as an application on another device

Each of these implementations has its strengths and weaknesses, so it is a good idea to speak with an IT professional about your requirements, but pin codes via txt and email are generally considered the weakest options. It has become really common for scammers to clone or even transfer ownership of phone numbers to get what they want (especially when bitcoin is involved). Using your email address may work for some services, but it doesn't work for access to your email account and isn't very good if your email isn't protected by two-factor itself. Physical devices are some of the strongest options, but software tokens on a mobile device could be a good compromise for your environment and needs.

Microsoft Office 365 allows you to use many industry compliant OAUTH mobile device applications for your second factor, but it integrates best with their own client called Microsoft Authenticator. It can be installed on your iOS, Android or Windows device. Once enabled, you simply log into Office 365 with your username and password and the Microsoft Authenticator app on your mobile phone will prompt you to allow the logon. If you didn’t try to logon, then you know that someone is trying to access your account and you can deny it. If you did try to logon, you simply tap approve and the site will continue with the logon process.

HOW DO I ENABLE 2FA?

We recommend enabling two-factor authentication for all of your logons and services that support it. Most common services like Gmail, Facebook, LinkedIN, Twitter, and more support it. But, we are going to focus on how to enable it in Microsoft Office 365 since we are a Microsoft partner and this is where we use it most often.

1. Ask your Office 365 administrator to enable two-factor functionality for your account.
2. Go to this link to begin the setup process: https://aka.ms/MFASetup
3. Log in with your office 365 username and password.
4. Change the dropdown option to “notify me through app” and check the “authenticator app” checkbox. You can also check authentication phone as a backup if you’d like, but keep in mind that text messages are nowhere near as secure as the authentication app.
   
5. Click the “configure” button next to the “authenticator app” option and a QR code should appear on your screen.
6. Go to your cell phone and download the “Microsoft Authenticator” app on your iOS, Android or Windows device.
   
7. Open the Microsoft Authenticator App on your phone.
8. Click the three dots in the top-right corner and choose “Add account”.
   
9. Choose “work or school” account.
10. Point your phone’s camera at the QR code still on your computer screen. It should automatically scan the code and display a six-digit code.
11. Go back to your computer and click next on the QR code window and provide the six-digit code when prompted.
12. Make sure you finish the wizard and save your new settings at the end.
    NOTE: *** Now you are setup for two factor authentication, but you must update Outlook and your cell phone with a single use password so they can bypass two factor authentication. ***
13. Go to https://account.activedirectory.windowsazure.com/AppPasswords.aspx on your computer.
14. Click the “create” button.
15. Enter the name of your device (i.e. Laptop, PC, etc.) and click next.
16. Copy or write down that password and use it when your Microsoft Outlook finally prompts you for a new password. It may take an hour or two before it prompts. Do not save this password anywhere after you have used it because saving it presents a security risk / a way around two-factor authentication.
17. Now repeat steps, 13-15, but call the next password “Phone” and use it when your cell phone eventually prompts you for a new password.

You can read more how Microsoft has implemented multi-factor authentication in Office 365 and Azure by going to https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks.