You have an account, you have a password, you are using a Password Manager but now you need to use some technical thing called multi-factor authentication!

In essence, mutli-factor authentication (MFA) is an approach to ensuring you are who you say you are by asking you to use more than just a password. A password is secure until it is written down, said out loud or so simple that it can be guessed. So if we assume that the password is no longer secure, then we want an additional method of confirming that it is you who entered the password. This is where MFA comes in.

How does MFA work?

There are many applications and services that offer the use of MFA and there are many ways that MFA can be implemented. The usual process when you sign in to an account follows these steps:

1. Enter your username/email address
2. Enter your password And after that you are logged in.

When MFA is in use, the process looks something like this:

1. Enter you username/email address
2. Enter your password
3. Provide an MFA verification through one of the following, common methods:

• Use a biometric validation such as fingerprint or face scan
• Enter a code that is emailed or texted to you
• Enter a code that is generated in an MFA app or on an RSA key
• Approve through an app

In this post, I will go through the process for using Microsoft Authenticator (Google Play Store, Apple App Store) with a Micrsoft 365 account and other apps that use the generated code approach.

What is Microsoft Authenticator?

This app is a secure way for an app to confirm that it is you who is entering a password by generating a code to be entered or allowing authorisation directly through the app.

Setting up the App

Microsoft provides detailed information on how to set up the App with a Microsoft 365 account: Set up instructions

Usually this is done once, when you get a phone which does not have the App installed. Once set up then the app can be used for MFA prompts in relation to your Microsoft 365 account.

Configure the App

The Microsoft Authenticator App provides several services, some of which overlap with those provided by Password Managers. Personally, I keep the purposes separated as the features provided by the Password Managers are more comprehensive and better aligned to sharing between family members.

To configure the App:

1. Click the three vertical dots in the top left corner:
2. “Show/Hide codes”
   • This setting presents the temporary codes that are often required as part of the authentication process on the home screen and therefore saves an additional click to view the account screen
   • This is recommended to be set to show codes as long as the App lock setting is set to be on - see the next section on “Settings” for details of this setting
3. “Settings”

   Part 1	Part 2	Part3

The key settings from a security perspective are:

• Notifications
  • Sound/Vibrate - How do you want to be notified that you need to use the App to authenticate
  • App updates - got to keep the app up to date!
• Backup
  • Cloud backup - If you change your phone, all the settings can be restored. I recommend you use your Microsoft personal or work account for this
• Security
  • App lock - This should be toggled on so that the app cannot be opened without providing biometric verification of the user. This results in the requiremnt for biometric authentication to allow the App to authenticate. This is highly recommended to ensure that the App cannot be used if the phone is lost or stolen
  • Screen capture - In the screen shot, this is set to on, as otherwise it is not possible to take a screen shot. This is recommended to be on
• Work or school accounts
  • Device registration - Depending on how your Microsoft 365 tenant is configured, it is possible to register your device so you can use it authenticate instead of entering a password. This is enabled by default for Microsoft personal accounts for services such as Outlook.com
• Autofill settings
  • As I am using a Password Manager for these capabilities, I have these switched off as only one provider can be configured on a phone

Adding other accounts

The use of MFA is recommended for all accounts, if it is supported. Because of this many platforms use MFA and can be setup to use the Microsoft Authenticator App.

The process for setting up MFA and will be similar to the steps described below:

1. Open the platform or app
2. Navigate to the security section of the settings and follow the prompts to use an app
   • Facebook: Account > Settings & Privacy > Settings > Security & Login
   • LinkedIn: Account > Settings & Privacy > Sign-in & Security > Two step verification
   • Twitter: More > Settings & Privacy > Security & account access > Security
3. Open the Microsoft Authenticator App and click the three vertical dots in the top right
4. Click “Add account”
5. Scan the QR code provided by the platform or app you want to use authenticate to with the Microsoft Authenticator App

Using the App

Once setup, the most common way that the app is used in the authenitcation process is as follows:

1. Open app or web page
2. Enter user name and passwrod
3. If valid, you will be promted to enter a temporary code generated by the Microsoft Authnticator App
4. If the right code is entered, the authentication is completed

To access the codes related to the apps and platforms that you have set up, if you have configured the setting to show codes, all you need do is open the app and authenticate.

For each service, if there is a temporary code you will see the code and the amout of time before it will be automatically refreshed. If you require the code on your phone, you can tap the code and it will be copied so it can be pasted into the prompt requesting it.

Summary

Multi-factor authentication is an essential tool for maintaining the security of content and ensuring that it is as difficult as possible for unauthorised people to gain access to our accounts. As more and more services enable this type of authentication, the need for an app of this sort grows, and becuase it can support multiple services, it is a good choice for anyone with a Microsoft account.