Tuesday, February 24, 2015

Microsoft Multi-Authentication Has Improved

And you should be activating it

As more of our life goes online, we expose ourselves to more and more risk of compromised accounts. More people are placing their eggs in a basket in the cloud in hopes of better disaster recovery and better accessibility. As a result, information that we once would have kept only on our own PC is now accessible to anyone who gets the "keys to the kingdom" - our password.

Microsoft's multi-authentication (hereafter referred to as Multi-Auth) is designed to make this a less likely occurrence. The idea is that you set your account up so that in order to access the account via the web or an application, the sign-on has to be approved by you on a separate device. Once you have signed on, the approval can be remembered, or you can tell it to forget that approval so that once you sign off, a new approval has to be generated before anyone can get back in. This allows you to more safely access your account from a variety of places.

In order to do this you need one of the following secondary authentication methods:
  • A smartphone with a multi-auth application on it
  • A phone of any kind that can accept text messages
By far the easiest is the Multi-Auth app. Microsoft has a different solution for multi-auth on personal Live accounts (like Hotmail and Xbox) and for business accounts (like Office 365 and Azure). While there are two different apps, they work the same way. You can set them up in two modes. In one mode you simply need to approve access by hitting Verify: when you go to log in, a code is displayed on the screen that should match the code shown in the verification prompt. The other mode displays a constantly changing number (every minute or so a new number is generated), and you type that multi-auth code into the browser when logging in. I prefer the "verify" method because it actually messages my phone if someone tries to log in to my account. I like getting this notification and I like not having to type extra characters. The other method is marginally more secure.

If you don't have a smartphone or you don't want to install the app, you can instead have Microsoft text you a message with a code you'll need to type into the browser to log in.

In order to use Multi-Auth, my recommendation is that you take a further step - make sure your phone is loaded with activated software that lets you wipe it remotely. That way, if someone gets hold of your phone and figures out your lock screen password, you can still wipe the phone and prevent access to your account. Be sure that you also have a "back door" to allow you into your account if your phone is lost. In most cases, when you turn on multi-auth the system will provide you with a secondary password to access your account. Make sure to save that in a safe place.

Now multi-auth does have its drawbacks. Some apps won't support it. In the "Live" version of multi-auth (the one used with OneDrive, Xbox, and Hotmail), xbox365, Microsoft's online account settings, and other capabilities don't support multi-auth (though that number is shrinking as things are refactored). So you have to create a one-time password to be used just with that app. Generally this will be a long string of characters which you type in instead of your normal password. You can deactivate one-time passwords individually, so if one of your accounts is compromised, the device is stolen, or you just don't need it any more, you can deactivate that one-time password. This involves extra steps: you need to go to your account on a web page, generate the (usually long) one-time password, then type it into the add-on app or device. The question is, though: would you rather go through a little extra work on initial setup, or would you rather deal with the potentially bad consequences of someone compromising your password?
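The per-app "one-time passwords" described above are a second credential that lets that one app in without the phone approval, which is why being able to revoke each of them individually matters. The following added example (not code from this post or from Microsoft) models how a service should treat them: a long random secret issued per app, shown once and kept only as a salted hash, checked in constant time, and revocable one at a time without affecting the others. The class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the illustration


class AppPasswordStore:
    """Constructed model of per-app passwords for one account.

    Each app gets its own random password; the plaintext is returned once
    and never stored (matching the post's note that you cannot look a
    generated password up again), and each entry can be revoked on its own.
    """

    def __init__(self) -> None:
        self._entries = {}  # app name -> {"salt", "hash", "active"}

    def issue(self, app_name: str) -> str:
        """Generate and register a new app password; returns the plaintext once."""
        password = secrets.token_urlsafe(24)  # ~32 characters of URL-safe base64
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._entries[app_name] = {"salt": salt, "hash": digest, "active": True}
        return password

    def check(self, app_name: str, password: str) -> bool:
        """True only if this app's password is still active and matches."""
        entry = self._entries.get(app_name)
        if entry is None or not entry["active"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], PBKDF2_ITERATIONS)
        return hmac.compare_digest(digest, entry["hash"])

    def revoke(self, app_name: str) -> None:
        """Deactivate one app's password; the others keep working."""
        if app_name in self._entries:
            self._entries[app_name]["active"] = False

    def active_apps(self) -> list:
        """Names of apps that currently hold a usable password (for an audit view)."""
        return sorted(name for name, e in self._entries.items() if e["active"])
```

Because each app password is bound to one app name, a password issued for a mail client does not unlock anything else, and revoking it when that device is lost closes exactly that one door while the remaining apps stay signed in.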

It's also not perfect. In recent months it's gotten better, but in some cases on some apps I've had to re-generate and re-enter one-time passwords (you can't look them up again once you've generated them, unless you keep them in a document offline, which I do not recommend). When moving from one phone to another you have to re-connect to a new version of the multi-auth app (a pain, but it only takes a few minutes of setup time).

Many other mail and authentication systems are going to multi-auth, including Gmail and even the king of being compromised, Yahoo. My recommendation is to investigate multi-auth and, if you feel comfortable with the steps involved, consider activating it on all critical accounts that are linked to cloud mail or files.