For this week’s blog post, we wanted to talk about Office 365 and the recent Two Factor Authentication issue. In a previous blog entry, we talked about passwords and at the end we alluded to something called Two Factor Authentication (2FA). Earlier this week, users in Australia, the US and Europe who had 2FA enabled were unable to log in to any O365 or Azure service. Some were unable to access email or any other O365 service for almost 24 hours. Not a great way to start the week. It appears even Microsoft sometimes have a bad case of the Mondays!
Some of you will know what 2FA is from using it with services such as O365, Facebook or even with your Apple or Android devices. Some will be asking, what is 2FA? And if Microsoft had an issue with it, why would I want to enable it?
So, what is 2FA? 2FA is a method of confirming a user’s identity by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
The most common example of this is a password (something you know), and a dynamically generated token provided by an app on your phone (something you have).
The password does not change very regularly, but the token is generated every 30 seconds. To access a service with 2FA you need to know the password and have access to the token that has just been generated. This makes the service more secure because even if for some reason your password was released and known to other people, they still would not be able to log in to your account without the token.
The answer to “Why would I want 2FA?” becomes obvious. It’s super secure. Having just one of the factors is not enough to access the service, and with cloud services being accessed from anywhere in the world, the requirement for this becomes very attractive.
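The check described above, as an added example that is not code from this post or from Microsoft: a login succeeds only when both the password and the current 30-second token are correct. It assumes the phone app generates RFC 6238 TOTP codes (HMAC-SHA1, 6 digits); the account, password, salt and the `login` and `hash_password` helpers are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per token, matching the 30-second interval described above

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the number of 30-second steps since epoch."""
    counter = max(0, unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Hypothetical helper: salted PBKDF2 hash, so the password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account: dict, password: str, token: str, unix_time: int, window: int = 1) -> bool:
    """Both factors must pass; window tolerates +/- one step of clock drift."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    token_ok = False
    for drift in range(-window, window + 1):
        expected = totp(account["totp_secret"], unix_time + drift * STEP)
        token_ok |= hmac.compare_digest(expected.encode(), token.encode())
    return pw_ok and token_ok

# Constructed sample account; the secret is the published RFC 6238 test key.
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery", SALT),
    "totp_secret": b"12345678901234567890",
}

if __name__ == "__main__":
    now = 59
    good = totp(ACCOUNT["totp_secret"], now)
    print(login(ACCOUNT, "correct horse battery", good, now))       # both factors
    print(login(ACCOUNT, "correct horse battery", "000000", now))   # password only
    print(login(ACCOUNT, "wrong password", good, now))              # token only
    print(login(ACCOUNT, "correct horse battery", good, now + 90))  # expired token
```

A production verifier would also record the last accepted time step per account so that a token cannot be used twice inside its validity window.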
Many services are pushing users to enable 2FA and some are now not giving you the choice. You MUST set up 2FA if you want to use them (take Xero for example).
In conclusion, yes, a big mistake was made by Microsoft. An update to their systems caused an unexpected issue which took some time to resolve. Should that have occurred? No, but overall 2FA is still one of the best ways to increase the security of services that contain a lot of personal and professional information. This outage was an inconvenience. It is also a rare occurrence. We have to take the good with the bad.
If you are interested in finding out about 2FA for your O365 or other services, please get in contact with us.
PS: for those who are interested in what the 3rd factor could be (i.e. something you are), it’s… Biometrics! This includes fingerprint, face, voice, or iris recognition.