back to article Microsoft gets with the times, builds two-factor authentication into Office 365

Microsoft is beefing up the security in Office 365 by offering two-factor authentication to all users of its cloud productivity service. The company said that it would enable two-factor authentication on accounts ranging from Enterprise and Midsize Business plans to academic accounts and standalone single-user subscription …

COMMENTS

This topic is closed for new posts.
  1. Thorne

    Will it stop the NSA snooping

    Probably not.....

  2. Eradicate all BB entrants

    It is good that they are adding the feature ....

    ..... but I have a number of MS office users that don't have access to a phone, landline or mobile.

    A dongle would be a lot cheaper than me having to organise a smartphone contract for each of them.

    1. dispensa

      Re: It is good that they are adding the feature ....

      You can also use iPad or iPod Touch devices or Windows Phone or Android devices without contracts (or without service) if you want to. Wi-fi is all that's needed for the out-of-band push notifications, and the OATH code generation works with no network at all once it's been activated.

      1. Eradicate all BB entrants

        Re: It is good that they are adding the feature ....

        So a £150-£700 wireless device for authentication instead of a £50 dongle?

        User loses dongle. I just log onto admin section, put in serial number of replacement dongle and the user walks away happy.

        User loses phone ..... bit more work than that involved :/

  3. 27escape
    FAIL

    Its been 2 factor for ages for me

    For some reason I need to enter the password twice every time :)

    Even though my browser remembers it!

    Stupid 365 website

  4. Gotno iShit Wantno iShit

    Great, they've put bigger, fatter and more modern locks on the front door to the vault they want me to put my files in. I've still no idea how many other doors there are on the vault and who has the keys.

    Turd polishing.

    1. Velv Silver badge
      Boffin

      It's not turd polishing, you get what you pay for.

      If you want to host your own service in house that's fine. You buy the hardware and storage, software licenses, backup capacity, resilience, support, etc. If you add up what that costs to provide anywhere near the same level of availability then cloud starts to make sense.

      Agreed there are potential security issues - nobody wants the NSA et al to be reading their data. There are ways to encrypt it in the cloud, but really, does anything you are storing need that level of security (you're not planning on blowing up a plane, are you?) And if you do need to maintain high security (FCA, DPA, etc), then you've probably already justified the cost of the hardware, storage, software licenses, backup capacity, resilience, support, etc.

      1. Richard 12 Silver badge

        He's got a point though

        Almost everything MS Office 365 does, a standalone install of an older MS Office or Open/Libre Office does just as well, if not much better.

        There's no need for any hosting at all for the vast majority of things these products are used for, namely writing documents.

        The two things you get with Office 365 that don't come with the others are automated offsite backup and automated collaboration.

        The former is needed by everyone but has a myriad of other providers and is relatively simple to set up yourself. It also requires that you trust the provider 100% because they have all your data.

        There are very few people who need the latter, and fewer still who actually use it.

        1. Anonymous Coward
          Anonymous Coward

          Re: He's got a point though

          "Open/Libre Office does just as well, if not much better."

          LOL, that's funny. I do hope you were not serious?

          If you had actually used both products you would know that whilst having working basic functionality, those alternative Office products are at least a decade behind Microsoft Office in terms of capabilities and functionality...I can't actually think of a single thing that is 'much better' or even 'better' other than the price. But then you get what you pay for....

          1. Richard 12 Silver badge

            Re: He's got a point though

            Yes, I have.

            I was comparing Office 365 with stand-alone installs, and said "almost" all.

            Libre Office doesn't have feature parity with the latest version of MS Office, but it does do everything that the vast majority of users need.

            Perhaps it is ten years behind, but what exactly have MS added in the last ten years that is important to more than a handful of users?

          2. Trevor_Pott Gold badge

            Re: He's got a point though

            "LOL, that's funny. I do hope you were not serious?

            If you had actually used both products you would know that whilst having working basic functionality, those alternative Office products are at least a decade behind Microsoft Office in terms of capabilities and functionality...I can't actually think of a single thing that is 'much better' or even 'better' other than the price. But then you get what you pay for...."

            I can't think of a single thing that I need in an office package which Office 2003 or LibreOffice don't provide. What is in Office 2013 that I might require? A terrible UI and a distracting set of animations that introduce latency?

            Come on now, marketdroid, quick to the button with features I actually care about and would use. I write things for a living, so do your job and convince me that I need to update the tools underpinning my livelihood. This should be an easy sell...shouldn't it?

      2. Pascal Monett Silver badge

        Re: "but really, does anything you are storing need that level of security"

        Sorry but that question is out of touch with reality.

        The Cloud (tm) is being marketed as "the perfect solution" for data hosting, targeted towards companies. As such, client lists, contracts, payroll information and even production data can be considered sensitive information.

        Last I looked, I didn't see companies posting either their full client list nor their payroll on the web.

        Since The Cloud (tm) is supposed to offer hosting services for company data, then yes, it should also include encryption and secure access by default. Saying that companies should host their own data if they have sensitive information is not serious given the way The Cloud (tm) is being marketed.

      3. Trevor_Pott Gold badge

        "If you want to host your own service in house that's fine. You buy the hardware and storage, software licenses, backup capacity, resilience, support, etc. If you add up what that costs to provide anywhere near the same level of availability then cloud starts to make sense."

        I do the math on different cloud offerings at least twice a day as part of my job. I have yet to see a single one of them that offers a better TCO over the standard 6-year replacement cycle of an SME. In fact, most don't come out cheaper even against the mythical 3-year replacement cycles touted to be de rigeur amongst those with too much cash to splash.

        We'll not even talk about the growing number of individuals and businesses that cheerfully go 10 years between refreshes. It's obvious by now that cloud vendors don't even consider those folks "people".

        The cloud isn't cheaper. It is sometimes more convenient. The tradeoff (apart from the increased cost) is that the cloud has a nasty tendency to put the ruinous power in the hands of those with Dunning-Kruger syndrome. Have fun with that all.

        1. Anonymous Coward
          Anonymous Coward

          "I do the math on different cloud offerings at least twice a day as part of my job. I have yet to see a single one of them that offers a better TCO over the standard 6-year replacement cycle of an SME"

          Firstly, it's 'maths' - and secondly you apparently need a new calculator. When you add up staff, license, datacentre and infrastructure costs of Office, Exchange, SharePoint and Lync and look at TCO, it's always cheaper for SMEs to move to Office 365. For very large and cutting edge efficient installs in big enterprises, it might be more marginal, but I have yet to see a business case where it isn't cheaper. (I have worked for resellers looking at tens to tens of thousands of seats...)

          1. Trevor_Pott Gold badge

            "When you add up staff, license, datacentre and infrastructure costs of Office, Exchange, SharePoint and Lync and look at TCO, it's always cheaper for SMEs to move to Office 365."

            Bullshit. I run these numbers regularly, and you are absolutely, utterly and completely incorrect. You also presume that an SME would want all the features listed, which I find rarely the case. Sharepoint - as just one example - is not exactly well-loved. You are spouting nothing but lies and propaganda.

            Very on message though, I'll give you that.

  5. ElNumbre
    FAIL

    2FO

    I don't mind 2FA when its relatively seamless like the Google Authenticator offering, especially as lots of websites now use this as an option, and the codes can be generated within a single app for these multiple sites.

    I hope the 365 2FA works better than the two-phase authentication on the Xbox 360 platform which won't send me a text message to my UK mobile number (well, it apparently does, but disappears into the ether). I can cancel out of it, but every time I start the Xbox, install the latest patches, reboot, install the game updates and log into Live, I have to bin off several messages before it lets me log into the account.

    I don't play Xbox much anymore.

    1. dispensa

      Re: 2FO

      If you want to use just the mobile app (Windows Phone/Android/iOS) and have it generate an OATH code every 60 seconds, that should be about the same experience. The out-of-band options are more secure, and are available in the same apps, if you have your device connected to data (wi-fi or cellular).

    2. Anonymous Coward
      Anonymous Coward

      Re: 2FO

      Your number is almost certainly set incorrectly. It doesnt fully validate that the country code is correct, leading zero is removed, etc.

  6. Anonymous Coward
    Anonymous Coward

    It's rapidly getting so that you can't do anything without a phone

    I see a new future ahead of us.

    What happens when you lose / forget your phone or its battery is dead?

    * Can't use online services

    * Can't work if your documents are all online

    * Can't buy a new phone online

    and above all else you can't change your 2FA phone number if the existing number isn't functioning

    1. hplasm Silver badge
      Facepalm

      Re: It's rapidly getting so that you can't do anything without a phone

      If vendor lock-in is your thing.

      Diversity is good.

  7. Snik

    Personally, I think you'd have to be crazy to trust cloud computing.

  8. John Crisp

    I'm fed up with being asked for my number. More data mining, and spyware on your phone. It's private.

    I've had online accounts for junkmail (why on earth would you leave your data with them ?) for donkeys years and never been hacked - a half decent password helps I guess. Providers should enforce much stricter passwords for starters.

    Ironically a friend enabled 2FA and due to a flaw in hotmail/outlook they are now permanently locked out, despite comprehensive proof the account is theirs.

    So good luck to all you early adopters :-)

  9. Anonymous Coward
    Anonymous Coward

    Does it need to be 'always on' 2FA ?

    I like 2FA, and the Authenticator app works well enough.

    But 2FA is a pain to use *every* time. Especially in a work environment.

    Can I configure this to:

    * Use Single Sign On from a corporate PC (ie: Active Directoty domain joined, on our trusted corporate network).

    * Use 2FA in all other cases (such as working from home on my private PC)?

    No, I don't have Office 365, so I can't simply go and have a look.

    Ideally, this would be some kind of policy setting. 'Oh, I see you're connecting from a domain I trust - come straight in, no need for any login forms or 2FA' and elsewhere 'I can't see those things, I'm going to ask for 2FA'.

    I can imaging our users complaining if we applied 2FA just to open a word document while sitting in the corporate office, at a domain-joined PC they're *already* logged in to.

    1. dispensa

      Re: Does it need to be 'always on' 2FA ?

      We have heard the request loudly for an option to bypass 2FA from a corporate PC at the office.

      For what it's worth, the on-premises MFA Server software supports this today if you use Office 365 in federated authentication mode to ADFS. This scenario is supported most easily in ADFS v3 (available in Windows Server 2012 R2), but is also possible with older versions of ADFS depending on your deployment.

      1. Trevor_Pott Gold badge

        Re: Does it need to be 'always on' 2FA ?

        Um, the whole point of cloud computing is so that I don't have to have all this jigger-poo at the office. I run a company where all my employees work from home. They have personal PCs and VMs at home which they use all the time for logging on to things, and there is no reason they should need 2FA to log in. Passwords go into lastpass and that's that.

        There is no domain to speak of. Collaboration and so forth is handled by the marvels of Teamviewer and Teamdrive. Host your own damned storage and the NSA can go straight to the special hell.

        Anything that isn't one of those systems should require 2FA. Can't you integrate with lastpass so that a system that's logging in using lastpass can bypass 2FA? Or write a browser plugin that identifies a given system such that it can be "registered" with Office 365 and not need 2FA?

        I can do this elsewhere. I kinda thought Microsoft would be ahead of the curve. :(

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019