Some secrets are too important to be protected only by a password.

The problem with passwords is that they are too easily stolen, guessed, or phished. A bad guy who acquires your username and password can use those credentials to impersonate you at the associated service, with potentially disastrous results.

Your organization can’t afford to make passwords the only barrier protecting your business files and email from outside attackers. You need an additional layer of security called multi-factor authentication. It works by requiring at least two forms of authentication, from any combination of the following elements:

  • “Something you know,” such as a password or PIN
  • “Something you are,” such as a fingerprint or other biometric ID
  • “Something you have,” such as a trusted smartphone that can generate or receive confirmation codes

Modern, business-grade online services allow you to add a second form of authentication to user accounts, a configuration often referred to as two-factor authentication (2FA). The classic 2FA example is a bank ATM card, which is secured by a second factor in the form of a numeric PIN. If your ATM card is stolen, it’s useless because the thief doesn’t have your PIN. And a stolen or phished PIN is useless unless the thief can also swipe the magnetic strip on your physical card.

Enterprise editions of Office 365 include the capability to add 2FA to any user account. (This Office blog post explains how the feature works, with a full deployment guide available here.) After you configure a user account to require 2FA, the user enters his or her username and password as usual when visiting But after successfully passing that challenge, the prompt shown in Figure A appears.

Figure A

In this example, Office 365 is configured to send the verification code as a text message to the mobile phone number associated with the user account (there’s that “something you have”). A thief may have your user’s password, but he doesn’t have the phone associated with that device, so he can’t type in the randomly generated numeric code that was sent to that trusted device. And he doesn’t have much time to work, either, because the code expires a minute or so after it’s sent.

The trouble with verification options that rely on text (SMS) messages is that you can’t always count on receiving those messages when you need them. If you’ve got a high-speed network connection at your hotel or remote office but your handset reads “No Service,” you’re out of luck.

The solution is to use an alternate verification option, drawn from the list shown in Figure B.

Figure B

The first choice on that list will work even if you are unable to receive a text message or a code delivered by a robotic voice to your voice line. It assumes that you’ve installed the Azure Multi-Factor Authentication app, which is available for iOS devices (iPhone and iPad), by way of the App Store; Android devices, via the Google Play store; and Windows Phone.

Because Office 365 is built on Microsoft Azure, you can use this app to generate confirmation codes based on your secret key and the current date and time. It doesn’t matter whether your phone has an active data connection. If you can open the app, you can retrieve a code that will act as a valid second authentication factor.

Figure C shows what the app looks like on an Android smartphone.

Figure C

If you have more than one account set up, you’ll see separate codes for each account. Each code is good for 30 seconds, with the progress bar at the top of the app showing how long until the next code is generated.

When you see the prompt in your web browser to enter the verification code, type in the current value from the app, and you’ll gain access to Office 365.

It’s worth noting that 2FA protects your account from unauthorized access. It doesn’t protect individual files or messages.

To set up 2FA on an Office 365, you need to sign in as an administrator, visit the Office 365 Admin Center, and click Users | Active Users. In the Active Users Dashboard, click the option in Figure D to begin the setup process. This step will take you to a list of active users, where you can select one or more accounts and then enable or disable 2FA.

Figure D

After that setup is complete, each user is prompted to set up the additional security verification steps. If you choose the option to set up the smartphone app, install it on your device first. Then, during setup, use the QR code on the screen to configure the app for secure use (Figure E).

Figure E

As a user, you can change your 2FA settings any time. You can, for example, change the default behavior so that the app displays a confirmation prompt you can tap to approve. You can also add an alternate mobile phone to your settings.

To access these settings, sign in to Office 365, click or tap the gear icon in the upper-right corner, choose Office 365 Settings, and then choose Additional Security Verification. You need to choose Update My Phone Numbers Used For Account Security to see all available options.

One final, important note about using Office 365 with Office 2FA. Turning on this extra level of security means your Office 365 account credentials will no longer work in mail apps on your phone or PC, including Microsoft Outlook and Lync. You’ll need to generate a separate app password for each such device and enter it as part of initial setup. The App Passwords control panel is on a separate tab, next to the Additional Security Verification options.

When you sign in to an account for the first time on a device, you can designate that device as trusted (“Don’t ask me for a code on this device again”). That eliminates the annoyance factor on devices you use regularly.

If you think a device has been stolen or compromised, you can go online and delete the list of trusted devices so that you have to repeat the verification for each one. Again, because this is a single step it’s only a hassle one time per device. If you are logging in on an untrusted device (a borrowed computer, let’s say) you obviously don’t allow it to be on your list of trusted devices.