For a while now, certain corners have been questioning the solidity of the Office 365 identity approach given its single-factor nature.
Most of you familiar with the concept of multi-factor authentication may have seen or used two-factor, where something you know (username and password) is coupled with something you have (a token, widget or gadget) to provide additional security through stronger assurance of the identity of the person logging in. (The third factor, something you are, is a biometric such as a fingerprint.) Corporate VPNs, Internet banking and physical access control systems are common applications of two-factor authentication.
Nearly all SaaS offerings are single-factor, ostensibly because it is hard to provide multi-factor authentication to individuals without giving them something physical (the "widget"), which makes it expensive, logistically complex and (did I say it?) expensive to offer multi-factor methods.
Software-only two-factor has been around for a while (RSA has a smartphone version of its token, and others have similar offerings) but has never really taken off, partly because of concerns over how a soft token running on a general-purpose device could be compromised.
Microsoft have come up with some innovative(ish) ideas for how to handle multi-factor for Office 365, largely based around the idea of using a telephone (cellular or fixed) to act as the something you have part of the authentication process.
Once you have completed the first part of the authentication process (username and password), the system contacts the phone you nominated when setting up your profile: it either dials the number and waits for you to answer and press the hash (pound) key, texts you a six-digit code to enter into the login portal, or pushes a notification to a smartphone app for you to approve (the app can also display a six-digit code for you to type in).
The full list of current options are:
- Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
- Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
- Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
- Notify me through app. The user has configured a smartphone app and receives a notification in the app that they must confirm to complete the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
- Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.
(photo and list from http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/)
For first-world business users, this approach works nicely: an overwhelming majority will have a mobile phone or a landline available to them.
How do we make this work in less developed territories or in markets such as education where individual telephones are less prevalent?
I guess the boffins in Redmond will be working on this.
Don’t get me wrong. It’s a step forward, and I like it, but making the assumption that the user has access to a phone is flawed.
You can find more info at the Office 365 blog.
more to follow…