This is an action item. It’s not theoretical. This is not an article to file away in the special folder that you use for Bruceb News articles, the ones you’ve given cute names like Deleted Items.
If you have an Office 365 mailbox, secure it with two-factor authentication.
If you are the office admin for a small business, you should require all users to use two-factor authentication.
It’s easy to set up Office 365 two-factor authentication. At the same time it’s crucially important for your security.
Don’t put it off. Just do it.
Scary stories about criminals
The bad guys are after you. Don’t preen like that, you’re not special – they’re after everybody. And they’re obsessed with getting your mail password. If a bad guy gets into your mailbox, they can reset virtually all of your other passwords, in addition to the other damage they can cause to your business, your reputation, your mental health, your bank account, your faith in fellow human beings – you know, the usual hacker stuff.
If you make a single mistake, one moment of inattention, and type your Office 365 credentials into something that looks like a Microsoft sign-in screen but isn’t, criminals will be in your mailbox and before you can say Jack Robinson they will have sent poisoned emails to hundreds of your business contacts, or shut down your business with ransomware, or tried to divert payments from your customers to criminal bank accounts.
Those are all real things that happened to people I know in the last three weeks.
Why did you say Jack Robinson? Are you from the past? Seems odd.
Links in phishing messages are likely to take you to a fake Microsoft sign-in screen. You can tell that it’s fake if you look at the address bar at the top, circled in the above screenshot, which is what you should do every single time before you type a password into anything. The real Office 365 sign-in page lives at login.microsoftonline.com, and that name has to be the whole host, not part of a longer one: an address that merely contains it somewhere, or spells it almost right, is a fake. (Shouting, red-faced, little bits of spittle flying): Think before you click, look before you type in your password!
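The address-bar check above, as an added example that is not part of the original article: a small PowerShell function that does what your eyes should do, confirm the page is HTTPS and that its host is exactly a Microsoft sign-in host, run against a few constructed links in the shapes phishing pages actually use. The allowlist of hosts and the sample URLs are assumptions made for this illustration.

```powershell
# Added example, not code from the original article. The allowlist and the
# sample links below are assumptions made for this illustration.
function Test-MicrosoftSignInUrl {
    param([Parameter(Mandatory)][string] $Url)

    # Hosts the genuine sign-in pages are served from: work/school (Office 365)
    # accounts and personal Microsoft accounts respectively.
    $signInHosts = @("login.microsoftonline.com", "login.live.com")

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        return [pscustomobject]@{ Url = $Url; Host = $null; Legit = $false; Why = "not a valid absolute URL" }
    }

    if ($uri.Scheme -ne "https") {
        $why = "not HTTPS"
    }
    elseif ($signInHosts -notcontains $uri.Host) {
        # Exact match only. "login.microsoftonline.com.example.net" is example.net's
        # page, and anything before an "@" is user-info, not the host.
        $why = "host '$($uri.Host)' is not a Microsoft sign-in host"
    }
    else {
        $why = "ok"
    }
    [pscustomobject]@{ Url = $Url; Host = $uri.Host; Legit = ($why -eq "ok"); Why = $why }
}

# Constructed sample links: one real, the rest in the usual phishing shapes.
@(
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.example.net/login",   # real name as a subdomain of the attacker's domain
    "https://login.microsoftonline.com@example.net/login",   # real name as user-info; the host is example.net
    "https://login-microsoftonline.com/login",               # one character changed
    "http://login.microsoftonline.com/"                      # right host, but not HTTPS
) | ForEach-Object { Test-MicrosoftSignInUrl $_ } | Format-Table Legit, Host, Why -AutoSize
```

Only the first link comes back with Legit set to true. The point of the exact match is that the check never reasons about what an address "looks like"; the real name appearing somewhere in the URL counts for nothing, which is exactly the instinct the phishing pages are built to exploit.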
You have the best of intentions. I trust you. But there’s a chance you’ll slip at some point.
If you have an Office 365 mailbox, I want you to try something fun and educational.
Microsoft has a page called My Sign-Ins (https://mysignins.microsoft.com/) where you can see attempts to log into your Office 365 mailbox. Take a look! You should at least see an entry for each time you’ve started Outlook or used webmail.
I flushed with pride when I looked because apparently I have friends all over the world that want to read my email. I feel like Miss Mary on Romper Room looking through her magic mirror: I see a hacker in Brazil, and I see a hacker in Portugal, and I see a hacker in Mexico, and I see hackers in Czechoslovakia and Turkey and Thailand – and Virginia and Arizona too! Obviously I’m well-loved and popular.
I’m also frightened and hiding under my bed, but can you blame me? What an absolutely terrifying thing to see! I’m sorry I made you look. And if your sign-in screen is pristine and you’re flying under the bad guy radar today, great! Don’t get happy. It’s just an example. Don’t use missing the point as an excuse to procrastinate.
Go breathe into a paper bag until you stop hyperventilating, then come back. I have some advice. See, you’ll notice that all my global friends were unsuccessful at hacking into my mailbox. An important part of my protection comes from setting up two-factor authentication.
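Here is the same exercise from the admin’s side, as an added example rather than anything from the original article: the Azure AD sign-in log for one mailbox, pulled with the Microsoft Graph PowerShell SDK, with the failed attempts grouped by country and, more importantly, any successful sign-in from an unexpected place or over a legacy protocol that cannot be challenged for a second factor. It assumes the Microsoft.Graph module is installed, the admin can consent to the AuditLog.Read.All scope, and the tenant has the Azure AD Premium P1 (or P2) licence Microsoft requires for reading sign-in logs through the API; the mailbox address and home country are placeholders.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# module (Install-Module Microsoft.Graph), an admin who can grant the scopes below,
# and an Azure AD Premium P1 or P2 tenant, which Microsoft requires for reading
# sign-in logs through Graph. $user and $homeCountry are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$user        = "someone@example.com"   # mailbox to review (placeholder)
$homeCountry = "US"                    # where this person normally signs in from (placeholder)
$since       = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$user' and createdDateTime ge $since"

# Status.ErrorCode 0 is a success. Anything else is a failure: 50126 is a wrong
# password; 50074 and 50076 mean the password was accepted and the sign-in was
# stopped at the 2FA step, which is the log line that shows 2FA earning its keep.
$report = foreach ($s in $signIns) {
    [pscustomobject]@{
        When    = $s.CreatedDateTime
        Ip      = $s.IPAddress
        Country = $s.Location.CountryOrRegion
        City    = $s.Location.City
        App     = $s.AppDisplayName
        Client  = $s.ClientAppUsed
        Code    = $s.Status.ErrorCode
        Success = ($s.Status.ErrorCode -eq 0)
    }
}

# The "friends all over the world": failed attempts, grouped by country.
$report | Where-Object { -not $_.Success } |
    Group-Object Country | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Only these two client types use modern authentication and can be asked for a
# second factor; IMAP, POP, SMTP, ActiveSync and the rest are legacy, and the
# route an attacker holding an app password or a plain stolen password would take.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

# The lines that actually matter: successes from outside the home country, or
# over a legacy client.
$report | Where-Object {
    $_.Success -and ($_.Country -ne $homeCountry -or $_.Client -notin $modernClients)
} | Sort-Object When | Format-Table When, Ip, Country, City, App, Client -AutoSize
```

The first table is the reassuring one (lots of failures from far away means the password guessing is not working). The second table should be empty; a single row in it is an incident, not a curiosity.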
The basics of two-factor authentication
When two-factor authentication is turned on, you have to enter your password to get into your mailbox, PLUS you have to supply a code sent by SMS or a number generated by an app.
When you set up two-factor authentication, your account stays protected even if the password leaks. If a bad guy gets the password, they’ll be asked for the other thing – the text message code or the number from the app on your phone – and they won’t have it. Two caveats, neither of which is a reason to skip this: a text message code is the weakest of the choices, because phone numbers can be hijacked and a code can be relayed by a fake sign-in page that is forwarding what you type in real time, so prefer the app if you can; and an app password (more below) lets one program into the mailbox with no second factor at all, so hand them out only where a program genuinely can’t do 2FA. With those in mind, 2FA stops the overwhelming majority of the attacks described above.
You will check a box to trust your phone or computer and then you won’t be asked again for the code on that device for a while. The effect is that the inconvenience is minimized day to day but you still get increased protection because the extra step will still be required if anyone tries to sign in to your account from another device.
Turn on Office 365 two-factor authentication
Turn on two-factor authentication. Here are some notes about that process. I know, lists like this are hard to read, but pay attention if you’re going through this process.
For individuals
Click on this link to set up two-factor authentication: https://mysignins.microsoft.com/security-info (This page is for work or school accounts, which is what an Office 365 mailbox is. A personal Microsoft account – Outlook.com, Hotmail – is managed at account.microsoft.com instead.)
(Alternate route to the same place: sign into webmail / click on your picture in the upper right / View My Account / Security info in the left column.)
For IT admins at small businesses
Log into the Office 365 admin portal, go to the list of active users, and click on Multi-Factor Authentication in the top row. Make sure users are allowed to create app passwords (more below), and set a generous number of days for devices to be trusted before re-authenticating. Two things to know about those settings: an app password lets one program sign in with no second factor at all, so it is a hole you are deliberately leaving open for older mail clients and should be switched off once those are gone; and a trusted device skips the code only on that device, so a lost or shared computer stays signed in for however many days you chose.
You can set up individual users or bulk users from this screen – works for businesses under 25 employees. Larger companies have different ways to enforce 2FA but that’s no surprise, enterprises have different ways to do everything.
There is a more detailed walkthrough for admins here.
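The per-user switch above, done from PowerShell as an added example (not the article’s own instructions, nor Microsoft’s walkthrough): Set-MsolUser from the MSOnline module Microsoft shipped for this (since deprecated in favour of Microsoft Graph) writes the same setting the Multi-Factor Authentication page in the admin portal does, and scripting it means every user gets the same state and you get a report of who is still unprotected. It assumes Install-Module MSOnline has been run in Windows PowerShell, the caller is a global administrator, and the skip list holds a break-glass account you protect some other way; all of those are placeholders. Run it with $target set to "Enabled" first, which makes each user register at their next sign-in, and again with "Enforced" once they have, which is the step that makes older Outlook versions and phone apps start needing an app password.

```powershell
# Added example, not from the original article or Microsoft's documentation.
# Assumes the MSOnline module in Windows PowerShell 5.1 and a Global Administrator.
# The skip list is a placeholder for accounts handled separately.
Connect-MsolService

# "Enabled":  the user is made to register 2FA at the next sign-in.
# "Enforced": registration is mandatory and clients that cannot do 2FA need an
#             app password. Run with Enabled first; come back with Enforced.
$target = "Enabled"

# Accounts deliberately left out of per-user MFA, e.g. an emergency-access
# ("break-glass") account protected another way. Placeholder value.
$skip = @("breakglass@example.com")

# The object the portal writes when you turn on per-user MFA: require the second
# factor for every relying party ("*").
function New-MfaRequirement {
    param([ValidateSet("Enabled", "Enforced")][string] $State)
    $req = New-Object Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = "*"
    $req.State = $State
    return $req
}

$users = Get-MsolUser -All | Where-Object {
    -not $_.BlockCredential -and $_.UserPrincipalName -notin $skip
}

foreach ($u in $users) {
    $current = $u.StrongAuthenticationRequirements.State   # $null when MFA is off
    if ($current -eq "Enforced") { continue }              # already as strict as it gets
    if ($current -eq $target)    { continue }              # nothing to change
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName `
        -StrongAuthenticationRequirements @(New-MfaRequirement -State $target)
    "{0,-40} {1,-9} -> {2}" -f $u.UserPrincipalName, $(if ($current) { $current } else { "Disabled" }), $target
}

# Audit afterwards. Anyone still "Disabled" is a finding, not a "later";
# Methods shows what the user has actually registered (empty means nothing yet).
Get-MsolUser -All | Select-Object UserPrincipalName,
    @{ n = "MFA";     e = { if ($_.StrongAuthenticationRequirements.State) { $_.StrongAuthenticationRequirements.State } else { "Disabled" } } },
    @{ n = "Methods"; e = { ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ", " } } |
    Sort-Object MFA | Format-Table -AutoSize
```

The skip list exists because the admin account you would use to recover from a 2FA mistake (a lost phone, a misconfigured policy) must not be locked out by the same mistake; give that account a long random password, keep it off the daily-use list, and watch its sign-in log instead.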
Once 2FA is enabled
You’ll have to supply your cell phone number and an alternate email address (Gmail, Outlook.com, Sonic, something outside the Office 365 system).
If your business admin has checked the box to require two-factor authentication, then Outlook and mail on your phone will complain until it’s set up. Log into webmail. You’ll be led through the process to set it up.
Microsoft will suggest that you install the Microsoft Authenticator app on your phone. It will be linked to your account; you’ll use it to get the code when you log in. It’s a good choice! Follow their instructions.
(Alternatives: you can instead choose to receive codes in text messages or you can use another authenticator app – Google Authenticator or Authy. Cool. I don’t mind.)
Outlook on a PC or Mac
Current subscription versions of Outlook on a PC or Mac understand 2FA (Microsoft calls this “modern authentication”). They should take the 2FA code, let you check the box to trust the computer, and start working with no fuss.
Older versions of Outlook may simply refuse to log in, or keep popping up the password prompt no matter how carefully you type. It’s a sign that you need an app password, discussed below.
The mail app on your phone
Microsoft has a mail app named Outlook for iPhones and Android phones. It’s completely separate from the mail app you’re using now and it works beautifully with Office 365. You don’t have to use it but hey, pretty good app, think about it.
iPhone: the default iPhone/iPad mail app knows how to handle Office 365 two-factor authentication. No special setup required.
Android: (edited 03/22/2021) When I removed the existing Office 365 account from the default Android mail app on an up-to-date Pixel, then re-added it, it handled 2FA with no difficulty.
Older Android phones – non-Pixel phones? – may not understand Microsoft’s two-factor authentication. In that case:
Alternative 1: install the Outlook app.
Alternative 2: get a special app password for the phone. It’s done from the same Security Info screen where you set up two-factor authentication: https://mysignins.microsoft.com/security-info More information here from Microsoft about app passwords. (Added 03/22/2021: if you don’t see “App Password” as an option for authentication, your Office 365 admin may need to fuss in the admin control panel. Admins: enable 2FA for that user, then click the Enforce button.)
Don’t put this off. The pain points are modest and the extra security protection is invaluable in a dangerous world. You’re anxiously trying to get a vaccine, right? This is a vaccine for phishing attacks, and you don’t have to stand in line to get it. Get protected!
Bruce,
I’m slowly moving into the 21st century, using your articles as a road map to success. Just thought I’d provide some feedback to you.
You said,
“For individuals
Click on this link to set up two-factor authentication: https://mysignins.microsoft.com/security-info
(Alternate route to the same place: sign into webmail / click on your picture in the upper right / View My Account / Security info in the left column.)”
The first method fails with individual accounts. It results in:
“You can’t sign in here with a personal account. Use your work or school account instead.”
The alternate method works with no problem.
Thanks for all your efforts to keep the world safe and sane.
Steve
I’m still trying to figure out the ins and outs of this process! And the message you ran into, “you can’t sign in here with that kind of account” – that has been happening randomly in both directions. I’ve also seen a variation on it when I put in a work account and MS decides only a personal account will do at that moment, even though it’s not obvious why that’s true.
This seems to be a better link to get started, but possibly only for work accounts: https://aka.ms/mfasetup
Glad you got through it!