The Right To Authenticate: Microsoft Offers Free Multifactor Authentication to Office 365 Users

Yesterday, Microsoft announced that it will be offering multifactor authentication to Office 365 users. Organizations with the Midsize Business, Enterprise, Academic, Nonprofit and standalone Office 365 subscriptions will now have the option of better than password protection for free. That is: no additional cost in terms of subscriptions or products.

Commonly referred to as two-step authentication, the added feature will allow for an extra layer of security to be applied to the sign in process. Generally in the “what I have” vein of authentication, this type of multifactor security leverages a smartphone interaction as a second lock after the password is correctly entered on the Office 365 end of the transaction. A phone call, text message or in-app interaction is beamed at the user who has to successfully respond to the login prompt.

The idea is that is an Office 365 account is to be successfully broken into, cracking the password simply is not enough, a user’s smartphone must provide the final step in the process. Add in biometric factors on the second step and proper MDM practices that can lock or wipe compromised phones and what you have is the equivalent of a bank vault where there once was just a wooden door with a flimsy chain.

“This addition of multi-factor authentication is part of our ongoing effort to enhance security for Office 365, and we’re already working on Office desktop application improvements to Multi-Factor Authentication for Office 365,” wrote Paul Andrew – an identity-focused technical product manager on the Office 365 team – in a blog post on the Microsoft Office website explaining the new feature.

“Multi-factor authentication has been available for Office 365 administrative roles since June 2013, and today we’re extending this capability to any Office 365 user,” he explains. “We’re also enhancing the capabilities that have been available since June. We’re adding App Passwords for users so they can authenticate from Office desktop applications as these are not yet updated to enable multi-factor authentication. And we’re enabling users who are authenticated from a federated on-premises directory to be enabled for multi-factor authentication.”

After going through the process of signing users up for multifactor (a relatively simple administrative process) Andrew closes with an update on Microsoft’s authentication plans.

“We’re planning to add native multi-factor authentication for applications such as Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and OneDrive for Business, with a release date planned for later in 2014. This update includes the current phone-based multi-factor authentication, and it adds capability to integrate other forms of authentication such as: third-party multi-factor authentication solutions and smart cards. Smart card support is planned to include the U.S. Department of Defense (DoD) Common Access Card (CAC) and the U.S. Federal Personal Identity Verification card (PIV), among others.”

In late 2013, Microsoft joined the FIDO Alliance in a push for post-password security. The company has been very forthwith about its support of strong authentication. Offering this extra security free of charge is a good indication that Microsoft’s attitude is not that security is a luxury, but a digital right for its customers.