We’re a little more than a month into turning on Office 365 Multi-Factor Authentication (MFA) for everyone at CloudStrategies. My aim here is to share some thoughts and observations around the experience of using the technology across all my various devices. Is MFA a great way to secure our Office 365 tenant or a productivity buzz-kill? Within the first few days – I would have said a definite yes to both those questions. After a little more time using it every day, I still believe in the security benefits, but have warmed up enough to feel a little less productivity challenged. More than that, I feel comfortable that I’m taking reasonable and prudent measures to protect access to our systems and data while leveraging the investments we’ve already made in Office 365.
So – let’s start with level setting on what MFA is, and why I believe more and more businesses are going to deploy it sooner rather than later. Frequently referred to as two-factor authentication, MFA is technology that requires a user not only to know a username and password to access technology platforms, but also to prove that they possess something as an additional level of security before accessing systems. The classic example that’s in everyone’s wallet is a debit card. The card without the PIN isn’t useful, and the PIN without the card doesn’t get you money from an ATM either.
Years ago I carried an RSA SecurID token that had a rotating number on a screen that I needed to have with me at all times to access corporate platforms. The geek in me thought it was cool to carry with me on my key-chain – but the user in me quickly found it difficult to have to sign in to a VPN before I could do any work from outside the office. Though it may have been subtle, it definitely was enough of a pain that I wouldn’t bother signing in for anything other than a very specific purpose or goal – thus discouraging me from doing as much work as I otherwise might have from outside of the office.
Today, with Microsoft’s implementation of MFA for Office 365, I have a similar feeling of security as I did with my RSA token, yet, for my main devices and applications, I also have a sort of “fast pass” that makes the productivity hit much more manageable.
There are two core components of MFA that end users will learn to manage. The first is very much like the RSA experience – though it is primarily delivered through an app on the end user’s cell phone. The second is called an App Password: a code entered once into any application that needs to access an Office 365 resource on a regular basis (in the background) – such as email clients, OneNote, calendar applications, cell phones, etc. Let’s talk about the experience of each of these parts of MFA:
For the first part, any time a user needs to access any Office 365 resource through a web browser – whether on their own device or on a public device – they will start by signing in normally with their username and password. After doing so – instead of immediately gaining access to their account – they will be prompted to provide a second level of authentication. For this, there are a few choices. The one I’ve been using is to be prompted for a 6-digit number that I can only retrieve by launching a simple app on my mobile phone. When prompted for the code, I simply pull out my phone, launch the app, and wait for it to provide me with the number. The number changes continuously – every 30 seconds or so – so you can never predict what it is, and you need to type it in within a given time period. This works exactly like my old RSA token did – perhaps with one benefit: when I’m home I find that my phone is never very far away from me, as opposed to where I kept my keys and RSA token, which meant running to the other side of the house to retrieve it.
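The rotating 6-digit code described above is the standard time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps implement: a 30-second time step drives an HMAC counter. The following is an added example, not code from the author or from Microsoft; it generates codes and shows the server-side check with a small clock-drift window, using the RFC’s published test key rather than a real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226/6238 test key ("12345678901234567890" in base32).
# Constructed for demonstration only; a real enrolment secret is per user.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # code lifetime, as the post describes ("every 30 seconds")
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the current step plus `window` steps either side
    so that phone/server clock drift does not lock users out, and compares in
    constant time so the check leaks nothing about how close a guess was."""
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # At T=59 the RFC vector gives counter 1, code 287082.
    print(totp(RFC_SECRET_B32, 59))
    print(verify_totp(RFC_SECRET_B32, "287082", 89))   # one step later: still accepted
    print(verify_totp(RFC_SECRET_B32, "287082", 150))  # too old: rejected
```

A verifier in production also records the last accepted counter per user so the same code cannot be replayed inside its window.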
For all non-browser-based access to Office 365 applications, a user’s regular password will no longer be enough to access the system. Because applications like Outlook, Office applications, mobile phone apps, etc. do not have a mechanism to support the entry of an Authentication Code, they will instead leverage a uniquely generated “App Password”. Office 365 can generate up to 40 unique 16-digit App Passwords that can be used for individual applications or devices. App Passwords, once generated, can never be displayed a second time. They are entered and stored in individual applications on a per-device basis, and once entered, applications function normally – without the need for an MFA Authentication Code. The security strength of App Passwords comes from the fact that they can be deleted at any time. The productivity benefit of an App Password comes from the fact that once entered, those applications no longer need to have a password entered for recurring access to Office 365. In the event of a breach, once an App Password is deleted from the Office 365 console, any apps that have stored that password will no longer be able to access Office 365. Think about a scenario where a device is lost or stolen – the simple action of deleting the App Password will nullify that device’s ability to provide access to anything that shouldn’t be accessed.
Security in our lives always comes at a cost – frequently restricting access or limiting our capabilities. Microsoft’s Office 365 MFA solution provides an increased level of protection with a reasonable approach to securing systems and data. Any productivity hit is likely short-lived for most users, and businesses gain the comfort of knowing that users’ data won’t easily be compromised through the loss of a device or the inadvertent compromise of an individual’s password.
Especially now as Lync officially becomes Skype for Business many people are wondering what the difference is between Skype for Business and… Skype NOT for business!
In the beginning….
It may help to start by remembering that, when it was introduced, Lync was originally called the Microsoft Office Communications Server (OCS), offering companies the ability to create a closed network through which their own people could send and receive instant messages, voice, and video communication with each other using their internal data network as the transport.
(For those old enough to remember, this is not “the beginning” by any means. Some will remember back to the original incarnations of “syscon”, a command-line command that allowed operators to communicate with the system console operator to ask questions and exchange quick messages. This was followed by Internet Relay Chat (IRC), sendmail and other communication applications that eventually led to the development of OCS.)
At about the same time, Skype was growing to become the largest public communications network in the world, offering instant messaging, voice and video communication, screen sharing, and more to any user who downloaded the client software and signed up for the service, for free! For additional charge users could use the interface to make telephone calls that would connect them to the public switched telephone network (PSTN).
Microsoft Competes, and then it doesn’t
Those who follow Microsoft know that there are really very few platforms, applications, or segments upon which Microsoft does not compete, and communications would certainly not be one of them. Microsoft Netmeeting eventually gave way to The Communicator which eventually became the client end of Microsoft Windows Messenger and MSN Messenger on the Microsoft Network, which would eventually just be called Messenger before it finally went away completely, replaced by the other network Microsoft purchased outright, Skype!
Why would Microsoft buy Skype if they had both Lync (formerly Office Communications Server) and Messenger (formerly called so many things)?
Many believe that Microsoft was seeking a way to become the software-based substitute for the common PBX phone switches that large corporations used to control their many telephones. Voice over IP had demonstrated that much money could be saved by eliminating corporate telephone networks and the management costs attendant to them and moving all voice, video, and other communications onto the corporate data network. Skype’s telephone interface might contain a way for Microsoft to provide that connection to the PSTN without itself becoming a regulated public utility!
So Will Skype be Public or Private?
The happy answer is “potentially both, depending upon the wishes of the network owner.”
Just as has been the case with Lync and OCS before it, including Lync Online, which will now become Skype for Business Online, customers have the opportunity to control access to their private network by using a control called federation.
Simply defined, federation allows private networks to choose which external domains will and will not be allowed to communicate with users on their internal network. As an example, when CloudStrategies partners with a new software or service provider, let’s say Microsoft, the network administrator will visit a console that contains a list of those external domains allowed to “federate” with and thereby communicate with cloudstrategies.net. By adding “microsoft.com” to that list, users in the microsoft.com domain can now communicate via Skype with users in the cloudstrategies.net domain.
Network owners also have the option to leave federation “open”, which allows anyone from any domain to communicate with anyone in their domain. With very few exceptions, this has the effect of negating the value of having a private network.
What May Be Even More Interesting
We recently blogged about Yammer here in the CloudStrategies Blog. There is certainly some degree of overlap between some functions of Yammer and some functions of Skype. How or if these will be integrated, since Microsoft owns both, will be interesting to follow, and we’ll be sure to keep you posted.
The new Skype for Business clients are rolling out to Skype for Business Online users and soon will become available to users of on-premise versions of Skype for Business Server. To learn more about making the transition as smoothly as possible, and how to manage federation effectively, contact your CloudStrategies Advisor today!