Thursday, 13 November 2014

Turning on Two Factor (Step) Authentication for Outlook.com - some practical experiences


Having just gone through the process of turning on two factor (step) authentication (2FA) for one individual's Microsoft Outlook.com account (and hence for all the services associated with that Microsoft login), these are some observations and comments on the practicalities and implications which some may find useful. It is not intended as a guide to the basic process, which has already been covered in detail by many others.

If you are not going to read the detail below, take one concept away. Turning on 2FA and getting it sorted on all your apps on all your physical devices is not a 5 minute job like changing a password, although it is not very complicated. Allow time and plan what will need to be done.

2FA is increasingly being encouraged as something all users should adopt as standard to improve security, and with good reason. It is about the two factors: something you know (the password) and something you have (the phone or authenticator). It is also sold as being very easy, and in principle it is, but the understanding required of what is actually happening, and the ongoing overhead, while relatively small, are not insignificant for the 95% of users who are non-technical. This is particularly true of the term "trusted device" as used in the guidance, which may not mean what many non-technical users would assume. It should also be noted that different organisations implement 2FA in slightly different ways.

In the example the user already had a very strong "main" password for Outlook.com (this was not changed during this process) but wished to turn on 2FA for a set of devices:
iMac desktop using Apple Mail, Safari and Chrome, OneDrive
MacBook Pro using Airmail, Safari and Chrome, OneDrive
iPad using iOS Mail, Safari and Chrome, OneDrive
Android (4.4) smartphone using Chrome, the Outlook.com app, OneDrive
These devices seem representative of many a user's situation.
  • After logging in to the Microsoft account on the web and turning on 2FA in the "Password and more security" section of the account settings, there are a number of choices to be made. The main one is how you are going to get a 6 digit authentication code when required. This code can be sent by Microsoft by text to a mobile phone, but if you are somewhere with no signal this will not work; the best option seems to be to install an authenticator application on the smartphone which, once set up correctly, generates the code for you without any phone signal (the code is computed from a shared secret and the current time, so only the phone's clock needs to be right).
  • Microsoft seems to default to suggesting the Microsoft authenticator, but there are other options and the most widely used is Google Authenticator (GA). This simple app generates a new 6-digit code every 30 seconds once installed and linked to an account. You can download and install Google Authenticator for iOS or Android before you enable 2FA at Microsoft; then, when choosing an authenticator application, choose "other device" and a QR code will be shown on screen. To link the Microsoft account to the Google Authenticator on that smartphone, just use Google Authenticator to scan the QR code (scanning from the screen works) and this sets it up for that account. Other accounts, e.g. Gmail, can be added to the same app later.
  • Others have described that it is possible to have Google Authenticator on two devices, e.g. iPad and smartphone, with the same account linked, but it seems not easy: they have to be linked from the same QR code at the same time (once the QR code is no longer displayed you cannot get the same one back). I am not sure there is much advantage, as if the phone is stolen or lost all authenticator apps have to be revoked; you cannot specify one device to revoke.
  • Most versions of 2FA describe how, if a device is used frequently, it can be marked as "trusted" (or "I sign in frequently on this device") when authenticating it with a code on the first occasion. There are a few important aspects of this to understand in order to avoid potential confusion.
  1. Most would think of a device as being an iPad, iMac desktop etc., i.e. a physical device, and that once authenticated everything (browsers, apps) on that physical device would be trusted. This is NOT the case.
  2. It is better to think of the "device" as an application, e.g. a browser. This means that if you have both Safari and Chrome, log in to Outlook.com with Safari, validate it with a code and mark it as trusted, you will still have to validate Chrome separately when you log in to Outlook.com with it. The trusted status is held per browser (in a cookie), so if cookies are cleared the browser will have to be revalidated.
  3. Most systems have time outs for their trusted "devices", e.g. 90 days. This means that if you do not log in to the Microsoft web interface with Chrome within that period it will become untrusted and you will have to enter a GA code again, even if in that time you have logged in with e.g. Apple Mail or the Safari browser. This only adds one step and is not a major issue, but it does mean you need to have the GA app on the smartphone handy. It is, however, the same situation as logging in from another non-trusted computer.
  4. Even if a "device" is trusted from within a browser, this does not pass on to applications on the same physical device, regardless of whether they support 2FA (e.g. OneDrive) or not. On the iMac, MacBook, smartphone and iPad all the browsers (7 instances) had to be trusted independently using a GA code. Even after that, OneDrive on the same physical device, which does support 2FA, had to be trusted separately with a GA code. This only worked by closing OneDrive and reopening it, and it did not simply accept the code but forced me to choose my local OneDrive folder again. As OneDrive starts at each login it will presumably not time out, but it looks as though if I did not log on to a computer within 90 days and have OneDrive log in, I would have to revalidate again and might have to choose my OneDrive folder again.
  • Not only is "trusted device" located at the application level, e.g. Safari and OneDrive on the MacBook, with each seemingly having its own time out (only time will tell), but the majority of applications, e.g. Apple Mail, Airmail etc., do NOT support 2FA directly. This means that these will need to use an "application specific password".
  • Application specific passwords are easily generated after logging in to the Microsoft account settings, "Password and security" section, and choosing "new application password". This 16 character password can be used for an application such as Apple Mail or Airmail on the Macs or the Mail app on the iPad. However, each app requires its own password; each password should only be used for one application on one physical device. This means that even the same Outlook.com account in Apple Mail on the iMac and on the MacBook will require different passwords. However, an Outlook.com account in Apple Mail on one physical device, e.g. the iMac, will require the same application specific password for both the IMAP incoming server and the SMTP outgoing server (the latter is not obvious: Apple Mail > SMTP dropdown > Edit > Advanced). It has been suggested that on Apple OS X devices using iCloud it may need to be entered in a third, not obvious, place: the iCloud account settings for the account using Contacts. This was not explored, as this user did not use the Outlook.com contacts facility.
  • Once you have created the application specific password in the Microsoft account settings and you click "Done", it disappears from the screen and there is no way to get it back; it is still valid, it is just no longer shown. If you think you are going to have to enter it elsewhere, as described in the iCloud example above, make a temporary note of it somewhere (and delete the note afterwards). You cannot revoke a single application specific password; you can only revoke all application specific passwords from the Microsoft account settings, and this would mean that all applications set up on all physical devices would have to be reconfigured with new passwords, a significant piece of work. However, in the Apple Mail example above, if you have not made a note and find you do need to enter it in a third place, you can simply generate a new application password and re-enter it in all the appropriate fields (incoming and outgoing) and this time in the third place as well.
  • The good news about application specific passwords is that they do not expire in the same way that trusted devices do.
  • The Android Outlook.com app was not as straightforward as I would have expected, given that it is a Microsoft app that only supports a Microsoft service. The app does not seem to have 2FA built in (surprisingly), which means it needs an application specific password, just like the Apple apps. The instructions in the Microsoft help on 2FA describe opening it, choosing settings and then server, and adjusting the user password. I could find no way to access server settings for the Outlook.com app and as such could not get to anywhere to adjust the password. It did ask for a password at one point in a pop up, but with no indication of what was required, a GA 6 digit code for 2FA or a password, and when an incorrect code was entered no further options appeared. In the end I deleted the whole app, reinstalled it on the phone and reconfigured it with a new app specific password. This did mean that all the email settings needed setting up as before (email to sync by time and size, signatures, folders to sync) and then all email had to sync. Others may not have had problems, but be aware that all may not be smooth; it may go smoothly if you enter an app specific password (not a GA code) when first asked after turning on 2FA.

So in summary, 2FA is worth turning on, but you need to allocate appropriate time to do it; it is not just like changing a single password. It certainly is not as simple as "just turning on 2FA" as some writers imply. The terminology may be somewhat misleading (e.g. what is meant by a "device"), and the majority of applications do not have 2FA built in and will need application specific passwords, so you need to understand how these work. There are other methods of implementing 2FA, such as USB hardware keys, but as yet these are certainly not mainstream for the general population. It is disappointing that more applications do not have 2FA built in, but it may be that biometrics, such as on Apple iOS devices, will aid ease of use for the non-technical average user.
