Microsoft Turns On Multifactor Authentication For Office 365

SQL username password - Shutterstock: © hauhu

To minimise the risk of breaches, Microsoft turns on multifactor authentication for the user base of Office 365

Microsoft has tightened up the security for users of its Office 365 cloud service, after switching on multifactor authentication.

Redmond made the move in order to avoid the high-profile security breaches that have plagued rival cloud services, but also because Office 365 accounts are likely to contain sensitive corporate information.

Password Security

The security measure is no longer the exclusive domain of administrators, said Paul Andrew, an Office 365 technical product manager. “Multifactor authentication has been available for Office 365 administrative roles since June 2013, and today we’re extending this capability to any Office 365 user,” he wrote in a 10 February blog post.

password“Today, we’re adding Multi-Factor Authentication for Office 365 to Office 365 Midsize Business, Enterprise plans, Academic plans, Nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online,” said Andrew. The expansion “will allow organisations with these subscriptions to enable multifactor authentication for their Office 365 users without requiring any additional purchase or subscription.”

The move is part of a broader effort by the company to harden its cloud services slate. In June 2013, Microsoft announced that it was bringing multifactor authentication, based on technology from its PhoneFactor acquisition, to Windows Azure Active Directory (AD) services, enabling users to securely access their accounts with additional credentials supplied by an app or Short Message Service text.

Microsoft officially launched the new feature in September. Scott Guthrie, now the new cloud chief at Microsoft, said at the time in a statement that organisations could finally leverage multifactor authentication to provide an extra layer of security for “Windows Azure, Office 365, Intune, Dynamics CRM and any third-party cloud service that supports Windows Azure Active Directory,” plus custom applications.

Breach Risk

In recent years, online service providers have been rocked by breaches that have caused security-conscious enterprises to regard the cloud suspiciously.

Dropbox, a popular cloud storage company, rolled out two-step authentication in 2012 after a breach that made user data susceptible to snoops. Twitter followed suit in 2013 after major accounts had been hacked. Security researchers said the recent Yahoo Mail breach would have been a non-event for users had they switched on the service’s multifactor authentication options.

Microsoft is also looking to extend multifactor authentication to Office 365 client apps. Noting that users currently have a workaround by configuring App Passwords to secure their desktop apps, Andrew revealed that soon, “Office 365 customers will be able to use multifactor authentication directly from Office 2013 client applications.”

“We’re planning to add native multifactor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell and OneDrive for Business, with a release date planned for later in 2014,” he added. The update will supplement phone-based authentication with support for third-party solutions and smart cards that conform to the US Department of Defense Common Access Card (CAC) and US Federal Personal Identity Verification card (PIV) security standards.

Are you a security guru? Try our quiz!

Originally published on eWeek.