O365 MultiFactor Authentication in depth–Part 2–how it works inside O365

In my last post I outlined the basics of multifactor authentication and also discussed the method that Office365 uses to implement it.  In this post I will describe how it actually works.

O365 multifactor authentication can be enabled user-by-user within O365 by your O365 admin.  Once your account has been enabled for multifactor authentication the following things will happen:


Clicking on the Set it up now button causes the following series of screens to be displayed:


Note that you can select the type of contact method; I want an SMS message.


And when I click verify now … I receive an SMS message with a code that I have to enter on the following screen:


Then I click verify.



This is an important step.  The multifactor authentication process does not work directly with LOCAL apps like Outlook or your Lync client even if those apps are connected to your O365 account.  The “app password” referenced above is the “link” between the multifactor authentication backend in O365 and your application.  Think of it as a “super password” that you provide your app in order for it to continue to connect to O365.  The app password is generated by O365 and you plug it into your apps in place of your “normal” password.


I have obscured part of the app password but you get the drift: it is quite long and totally unique.  The help links provide you with details about how to plug the app password into your apps, and you can set up more than one app password, if you want, to use with different apps.  I chose to stick with one for now.

Clicking done completes the process.

From this point forward whenever I login to O365 the following process takes place:


Note that I am signing in with my login and password, nothing different at this point.


Ah ha!  Multifactor authentication has kicked in and is asking me for the verification code that has been sent to my phone, which I enter (it is one-time use, by the way).


Now I click Sign In, the wheels spin for a bit and I’m in!  Multifactor authentication has confirmed my identity and granted me access to the system.

This process works because it is assumed that you are in sole possession of your O365 login and password and that you are also in sole possession of your smartphone (which you have secured with a lockscreen password, of course!).  Obviously, if another person knows your O365 login and password and also has possession of your phone (and the PIN for the lockscreen) then that person can gain access to O365 as you.  It is vitally important that you do NOT share your O365 login and password (why would you???) and you should secure your phone.  The verification code that is sent to your phone is only valid for a single use and it is time sensitive; it does not last “forever” whether or not it is actually used.  Therefore, someone might be able to see the code when you get it but they cannot use it down the road to try and gain access to O365 as you; once the code is entered on the login screen it is “thrown away”.
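The single-use, time-limited behaviour described above can be sketched as follows.  This is an added illustration, not code from the original post and not Microsoft's implementation; the class name, the six-digit code, the five-minute lifetime and the three-guess limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed validity window; the post does not state the real one
MAX_ATTEMPTS = 3         # assumed limit on wrong guesses per issued code


class OneTimeCodeStore:
    """In-memory store of pending SMS verification codes, keyed by user (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [sha256(code), expires_at, attempts_left]

    def issue(self, user):
        """Create a fresh 6-digit code; any earlier pending code is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = [digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS gateway; only the hash is kept server-side

    def verify(self, user, submitted):
        """Return True once for the right code inside the window, otherwise False."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]      # expired: discarded whether used or not
            return False
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):
            del self._pending[user]      # used: "thrown away", so a replay fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]      # too many wrong guesses: code is revoked
        return False
```

Someone who glimpses the code after it has been entered, or after the window has closed, gets `False` from `verify` because the entry no longer exists.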

There are other safeguards built in to the backend of the system that I won’t detail here.  If you follow the basics as detailed in the previous paragraph then the security of your O365 account will be maintained.

I think it is a great system and I appreciate the extra layer of security that multifactor authentication provides.  I urge you to try it out with your O365 account.