In my previous article, I went through some of the high-level reasons why you should (need!) to deploy MFA (Multi-Factor Authentication) in your personal life and your business life. Your email account is one of the prime attack vectors to expose yourself and your company to a breach. Password brute force attacks, website breaches (that share passwords or sophisticated spear phishing attacks can be mitigated by MFA.) That is not to say it is a panacea, but it is a great first step in protecting yourself.
Office 365’s management pages can be a bit daunting. There are many options available to enhance and secure your experience and data.
Let’s get started!
First, log in to Office 365 using the following link: https://login.microsoftonline.com.
Once logged in, you should see a page listing all available applications:
Go to your Name in the upper right hand corner (and hopefully your picture!)
Select “View Account”
You will then be brought to the My Account. Unfortunately there is no big “Turn on MFA” here so we have to dig in a bit but we are close.
Go to Security and Privacy:
Here is where the confusion starts. Click on “Additional Security Verification”:
If you do not see this link, your administrator has disabled Multi Factor Authentication for your organization.
Note from Tom: This means you administrator is a meathead, and you should be working with Valiant to have a more secure mail experience.
From here, you can activate and configure your MFA options for O365:
OK, decision time!
What is the best MFA mechanism? Office 365 natively provides the following:
Each option has its pros and cons. The US Government is recommends that you do not use text messages as they can too easily be intercepted and redirected.
I strongly recommend using either the “Notify me through the app” or “Use verification code from app” options. While they use the same application, each option functions slightly different from the rest.
Next, install the app on your Android, iOS, or Windows Mobile device.
Once the installation is complete, follow the instructions in the app to link it to your O365 account:
Click the “configure” button:
Once the proper links have been generated, you’ll be presented with the following screen:
Scan the QR code with your phone’s camera. If for some reason it does not work, you can use the code and URL provided.
Once the authenticator app is recognized and linked, you will see a 6 digit code in the app.
Now that your online access is secured, let’s secure the applications that are not necessarily MFA aware, but still need to be protected in the event of a breach or equipment loss. A good example of this is the ActiveSync client on your iPhone or Android device.
Below is how to set up these complex, single purpose passwords:
Click the “create button”
Specify a descriptive name for your password.
A random password string is then generated.
Next time, I’ll cover the same process for Google Apps.