Microsoft gets with the times, builds two-factor authentication into Office 365

Microsoft is beefing up the security in Office 365 by offering two-factor authentication to all users of its cloud productivity service. The company said that it would enable two-factor authentication on accounts ranging from Enterprise and Midsize Business plans to academic accounts and standalone single-user subscription …

COMMENTS

This topic is closed for new posts.
  1. Thorne

    Will it stop the NSA snooping

    Probably not.....

  2. Eradicate all BB entrants

    It is good that they are adding the feature ....

    ..... but I have a number of MS office users that don't have access to a phone, landline or mobile.

    A dongle would be a lot cheaper than me having to organise a smartphone contract for each of them.

    1. dispensa

      Re: It is good that they are adding the feature ....

      You can also use iPad or iPod Touch devices or Windows Phone or Android devices without contracts (or without service) if you want to. Wi-fi is all that's needed for the out-of-band push notifications, and the OATH code generation works with no network at all once it's been activated.

      1. Eradicate all BB entrants

        Re: It is good that they are adding the feature ....

        So a £150-£700 wireless device for authentication instead of a £50 dongle?

        User loses dongle. I just log onto admin section, put in serial number of replacement dongle and the user walks away happy.

        User loses phone ..... bit more work than that involved :/

  3. 27escape
    FAIL

    It's been 2 factor for ages for me

    For some reason I need to enter the password twice every time :)

    Even though my browser remembers it!

    Stupid 365 website

  4. Gotno iShit Wantno iShit

    Great, they've put bigger, fatter and more modern locks on the front door to the vault they want me to put my files in. I've still no idea how many other doors there are on the vault and who has the keys.

    Turd polishing.

    1. Velv
      Boffin

      It's not turd polishing, you get what you pay for.

      If you want to host your own service in house that's fine. You buy the hardware and storage, software licenses, backup capacity, resilience, support, etc. If you add up what that costs to provide anywhere near the same level of availability then cloud starts to make sense.

      Agreed there are potential security issues - nobody wants the NSA et al to be reading their data. There are ways to encrypt it in the cloud, but really, does anything you are storing need that level of security (you're not planning on blowing up a plane, are you?) And if you do need to maintain high security (FCA, DPA, etc), then you've probably already justified the cost of the hardware, storage, software licenses, backup capacity, resilience, support, etc.

      1. Richard 12 Silver badge

        He's got a point though

        Almost everything MS Office 365 does, a standalone install of an older MS Office or Open/Libre Office does just as well, if not much better.

        There's no need for any hosting at all for the vast majority of things these products are used for, namely writing documents.

        The two things you get with Office 365 that don't come with the others are automated offsite backup and automated collaboration.

        The former is needed by everyone but has a myriad of other providers and is relatively simple to set up yourself. It also requires that you trust the provider 100% because they have all your data.

        There are very few people who need the latter, and fewer still who actually use it.

        1. Anonymous Coward

          Re: He's got a point though

          "Open/Libre Office does just as well, if not much better."

          LOL, that's funny. I do hope you were not serious?

          If you had actually used both products you would know that whilst having working basic functionality, those alternative Office products are at least a decade behind Microsoft Office in terms of capabilities and functionality...I can't actually think of a single thing that is 'much better' or even 'better' other than the price. But then you get what you pay for....

          1. Richard 12 Silver badge

            Re: He's got a point though

            Yes, I have.

            I was comparing Office 365 with stand-alone installs, and said "almost" all.

            Libre Office doesn't have feature parity with the latest version of MS Office, but it does do everything that the vast majority of users need.

            Perhaps it is ten years behind, but what exactly have MS added in the last ten years that is important to more than a handful of users?

          2. Trevor_Pott Gold badge

            Re: He's got a point though

            "LOL, that's funny. I do hope you were not serious?

            If you had actually used both products you would know that whilst having working basic functionality, those alternative Office products are at least a decade behind Microsoft Office in terms of capabilities and functionality...I can't actually think of a single thing that is 'much better' or even 'better' other than the price. But then you get what you pay for...."

            I can't think of a single thing that I need in an office package which Office 2003 or LibreOffice don't provide. What is in Office 2013 that I might require? A terrible UI and a distracting set of animations that introduce latency?

            Come on now, marketdroid, quick to the button with features I actually care about and would use. I write things for a living, so do your job and convince me that I need to update the tools underpinning my livelihood. This should be an easy sell...shouldn't it?

      2. Pascal Monett Silver badge

        Re: "but really, does anything you are storing need that level of security"

        Sorry but that question is out of touch with reality.

        The Cloud (tm) is being marketed as "the perfect solution" for data hosting, targeted towards companies. As such, client lists, contracts, payroll information and even production data can be considered sensitive information.

        Last I looked, I didn't see companies posting either their full client list or their payroll on the web.

        Since The Cloud (tm) is supposed to offer hosting services for company data, then yes, it should also include encryption and secure access by default. Saying that companies should host their own data if they have sensitive information is not serious given the way The Cloud (tm) is being marketed.

      3. Trevor_Pott Gold badge

        "If you want to host your own service in house that's fine. You buy the hardware and storage, software licenses, backup capacity, resilience, support, etc. If you add up what that costs to provide anywhere near the same level of availability then cloud starts to make sense."

        I do the math on different cloud offerings at least twice a day as part of my job. I have yet to see a single one of them that offers a better TCO over the standard 6-year replacement cycle of an SME. In fact, most don't come out cheaper even against the mythical 3-year replacement cycles touted to be de rigueur amongst those with too much cash to splash.

        We'll not even talk about the growing number of individuals and businesses that cheerfully go 10 years between refreshes. It's obvious by now that cloud vendors don't even consider those folks "people".

        The cloud isn't cheaper. It is sometimes more convenient. The tradeoff (apart from the increased cost) is that the cloud has a nasty tendency to put the ruinous power in the hands of those with Dunning-Kruger syndrome. Have fun with that all.

        1. Anonymous Coward

          "I do the math on different cloud offerings at least twice a day as part of my job. I have yet to see a single one of them that offers a better TCO over the standard 6-year replacement cycle of an SME"

          Firstly, it's 'maths' - and secondly you apparently need a new calculator. When you add up staff, license, datacentre and infrastructure costs of Office, Exchange, SharePoint and Lync and look at TCO, it's always cheaper for SMEs to move to Office 365. For very large and cutting edge efficient installs in big enterprises, it might be more marginal, but I have yet to see a business case where it isn't cheaper. (I have worked for resellers looking at tens to tens of thousands of seats...)

          1. Trevor_Pott Gold badge

            "When you add up staff, license, datacentre and infrastructure costs of Office, Exchange, SharePoint and Lync and look at TCO, it's always cheaper for SMEs to move to Office 365."

            Bullshit. I run these numbers regularly, and you are absolutely, utterly and completely incorrect. You also presume that an SME would want all the features listed, which I find rarely the case. Sharepoint - as just one example - is not exactly well-loved. You are spouting nothing but lies and propaganda.

            Very on message though, I'll give you that.

  5. ElNumbre
    FAIL

    2FO

    I don't mind 2FA when it's relatively seamless like the Google Authenticator offering, especially as lots of websites now use this as an option, and the codes can be generated within a single app for these multiple sites.

    I hope the 365 2FA works better than the two-phase authentication on the Xbox 360 platform which won't send me a text message to my UK mobile number (well, it apparently does, but disappears into the ether). I can cancel out of it, but every time I start the Xbox, install the latest patches, reboot, install the game updates and log into Live, I have to bin off several messages before it lets me log into the account.

    I don't play Xbox much anymore.

    1. dispensa

      Re: 2FO

      If you want to use just the mobile app (Windows Phone/Android/iOS) and have it generate an OATH code every 60 seconds, that should be about the same experience. The out-of-band options are more secure, and are available in the same apps, if you have your device connected to data (wi-fi or cellular).

    2. Anonymous Coward

      Re: 2FO

      Your number is almost certainly set incorrectly. It doesn't fully validate that the country code is correct, leading zero is removed, etc.

  6. Anonymous Coward

    It's rapidly getting so that you can't do anything without a phone

    I see a new future ahead of us.

    What happens when you lose / forget your phone or its battery is dead?

    * Can't use online services

    * Can't work if your documents are all online

    * Can't buy a new phone online

    and above all else you can't change your 2FA phone number if the existing number isn't functioning

    1. hplasm
      Facepalm

      Re: It's rapidly getting so that you can't do anything without a phone

      If vendor lock-in is your thing.

      Diversity is good.

  7. Snik

    Personally, I think you'd have to be crazy to trust cloud computing.

  8. John Crisp

    I'm fed up with being asked for my number. More data mining, and spyware on your phone. It's private.

    I've had online accounts for junkmail (why on earth would you leave your data with them?) for donkey's years and never been hacked - a half decent password helps I guess. Providers should enforce much stricter passwords for starters.

    Ironically a friend enabled 2FA and due to a flaw in hotmail/outlook they are now permanently locked out, despite comprehensive proof the account is theirs.

    So good luck to all you early adopters :-)

  9. Anonymous Coward

    Does it need to be 'always on' 2FA ?

    I like 2FA, and the Authenticator app works well enough.

    But 2FA is a pain to use *every* time. Especially in a work environment.

    Can I configure this to:

    * Use Single Sign On from a corporate PC (ie: Active Directory domain joined, on our trusted corporate network).

    * Use 2FA in all other cases (such as working from home on my private PC)?

    No, I don't have Office 365, so I can't simply go and have a look.

    Ideally, this would be some kind of policy setting. 'Oh, I see you're connecting from a domain I trust - come straight in, no need for any login forms or 2FA' and elsewhere 'I can't see those things, I'm going to ask for 2FA'.

    I can imagine our users complaining if we applied 2FA just to open a word document while sitting in the corporate office, at a domain-joined PC they're *already* logged in to.

    1. dispensa

      Re: Does it need to be 'always on' 2FA ?

      We have heard the request loudly for an option to bypass 2FA from a corporate PC at the office.

      For what it's worth, the on-premises MFA Server software supports this today if you use Office 365 in federated authentication mode to ADFS. This scenario is supported most easily in ADFS v3 (available in Windows Server 2012 R2), but is also possible with older versions of ADFS depending on your deployment.

      1. Trevor_Pott Gold badge

        Re: Does it need to be 'always on' 2FA ?

        Um, the whole point of cloud computing is so that I don't have to have all this jigger-poo at the office. I run a company where all my employees work from home. They have personal PCs and VMs at home which they use all the time for logging on to things, and there is no reason they should need 2FA to log in. Passwords go into lastpass and that's that.

        There is no domain to speak of. Collaboration and so forth is handled by the marvels of Teamviewer and Teamdrive. Host your own damned storage and the NSA can go straight to the special hell.

        Anything that isn't one of those systems should require 2FA. Can't you integrate with lastpass so that a system that's logging in using lastpass can bypass 2FA? Or write a browser plugin that identifies a given system such that it can be "registered" with Office 365 and not need 2FA?

        I can do this elsewhere. I kinda thought Microsoft would be ahead of the curve. :(
