Overview: No matter how strong your password is, it's still like having a single lever lock on your front door - you need a second or third layer for important data such as your emails, files and work tasks. MFA (Multi-Factor Authentication) protects your identity by challenging for further authentication when your attempts are made from new devices, web browsers or software apps. In addition to your password you may use a simple code sent to your mobile, a voice prompt on your desk-phone, or whatever features are supported on your mobile phone such as finger print, face ID, voice recognition or OTP (One-Time Pass code). Because these additional authentication prompts expire within 60 seconds, and require your mobile phone and office desk-phone, it makes it much harder for impersonators to log into your resources.

Legacy support: for apps that do not support MFA you can generate (and manage) "App Password". You can manage your entire MFA details here: https://aka.ms/MFASetup (An App Password can be created for things such as older email clients that only support IMAP and POP, or a device such as a printer that need to be able to send SMTP email). Whilst this is still a risk, it enables you to do benefit from the added protection of MFA and the legacy device does not need your real password - a throw-away password is randomly generated for each specific device.

STOP! Before you go any further, get the Microsoft Authenticator app

We recommend that you use MFA in conjunction with the Microsoft Authenticator app for iPhone and Android

Why do we recommend using the Microsoft Authenticator app? Convenience, and security. When challenged for additional authentication you can:

  • Tap your finger print on your phone
  • Look at your phone camera (face ID)
  • Speak a phrase to your phone (voice recognition)
  • Tap a simple "Approve" button on the screen

Can you still use MFA without the app? Yes. Without the app you can provide additional authentication as follows:

  • Receive a code via SMS
  • Receive a code via email to your alternate email address
  • Receive a voice prompt to your desk-phone (press the # key to approve)

If not already enabled, ask your Office 365 administrator to enable this feature for you and your co-workers. Once enabled, each user can self-maintain their MFA details and App Passwords here: https://aka.ms/MFASetup

Further reading

Implement the top 10 ways to secure your Office 365: https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide 

Download the free Harvard Kennedy Cyber Security handbook: https://www.belfercenter.org/sites/default/files/files/publication/CampaignPlaybook_0.pdf

SMTP email: use App Passwords

Need to support devices such as printers that send using SMTP? Microsoft have that covered via "App Passwords". Sign into Office 365 using an either the account that will be sending email or an account that has "Send As" permission in the shared mailbox that you want to send from. Now go to this link: https://account.activedirectory.windowsazure.com/AppPasswords.aspx

You create a unique password for each "app" (or device). All of the usual email settings remain as expected except the password (SMTP server: smtp.office.365.com on port 587; email address [user or shared mailbox]). For the password you use the "App Password" that you just created. Only 1 device or app is allowed to connect using that special password, which ensures that the account cannot be compromised via traditional SMPT password tactics. You are allowed to add up to 40 unique app passwords (1 for each device or app), per Office 365 user license.

[End of article]