Export (0) Print
Expand All

Two-factor Authentication Feature Guide


Topic Last Modified: 2013-06-24

This guide describes two-factor authentication features for the dedicated plans and ITAR-support plan offerings for Exchange Online. The guide covers the following topics:

This information presented in this guide is intended for an IT professional or member of a service desk staff that has familiarity with the following:

Active Directory authentication fundamentals.

The two-factor authentication solution chosen and deployed by your organization.

How to configure the web browsers in use within your environment.

Typical authentication practices that require only a password to access resources may not provide the appropriate level of protection for information that is sensitive or vulnerable. Two-factor authentication is an authentication method that applies a stronger means of identifying the user. It requires users to submit two of the following three types of identify proofs:

  • Authenticate using something only you know. To access your corporate network you are required to provide a set of credentials that confirms your identity on the network. You satisfy the requirements of the first category when you provide a valid domain username and password.

  • Authenticate using something only you have. One option to satisfy the second category is to use a Smartcard and the associated PIN as credentials – an Automated Teller Machine (ATM) is this type of experience. Other PIN oriented experiences can involve the submission of a uniquely generated one-time use PIN displayed by a fob device or the use of a personal PIN to decipher a text or numerical string to produce an actual PIN for one-time access use.

  • Authenticate using a part of yourself. Another option to satisfy the second category is biometric authentication – literally using a part of your body to prove your identity. Some examples include the following:

    • Having your finger scanned to verify your fingerprint.

    • Using an ocular scan to verify your retina or iris.

    • Facial or voice recognition.

Organizations that subscribe to Exchange Online within a dedicated or ITAR-support plan of Office 365 for enterprises can enable and use the RSA SecurID product of EMC Corporation or the PINsafe product of Swivel Secure. The chosen two-factor authentication solution involves the use of the Microsoft Forefront Unified Access Gateway (UAG) of the Office 365 environment. The UAG will manage authentication processes and present a forms based authentication page that accepts the Active Directory credentials of the user and a two-factor authentication passcode (RSA) or one-time password (PINsafe). UAG then manages the authentication processes involving the two-factor authentication backend systems deployed by the customer within their environment. UAG also will provide the pathway to the Exchange Online Client Access server if all authentication credentials are validated.

The use of two-factor authentication is not required or provided for an Outlook Web App client on a corporate intranet. A customer can configure Integrated Windows Authentication to allow the web browser-based user to have a single sign-on experience to access Exchange Online.

An overview of the two-factor authentication processes and a summary of operating environment requirements for two-factor authentication are described in the section that follows. User environment configuration steps and troubleshooting scenarios also are included..

The two-factor authentication functional concepts for the RSA SecureID and Swivel Secure PINsafe products are similar. The following scenario provides an overview of the processes to authenticate a web browser-based two-factor authentication user attempting to connect to Outlook Web App through Exchange Online from outside of their corporate network.

Referring to the following diagram, end user John is not connected to his corporate network and needs to remotely access Outlook Web App from Exchange Online. An outline of the authentication steps involved follows.

  1. To load the page:

    1. John’s machine queries a public DNS server to resolve the public IP address associated with https://securemail.contoso.com – the publicly accessible two-factor authentication portal. The address returned for the portal is a dedicated HTTPS URL namespace. This namespace is separate from URL namespaces that are reserved for services that do not require two-factor authentication such as Exchange Web Services and remote procedure call (RPC) over HTTP.

    2. The two-factor authentication portal URL is https://securemail.contoso.com. John’s machine connects to this site and requests the default page.

    3. The two-factor authentication portal receives the request and serves a logon screen that displays in John’s browser. John completes interaction with the two-factor authentication server and provides the following:

      • For RSA SecureID. Username, password, and the RSA passcode (personal four-digit PIN and the six-digit passcode displayed on the RSA fob).

      • For Swivel Secure PINsafe. Username, password, and the one time code derived by using a personal PIN.

  2. The two-factor authentication portal is configured to always pass security code information to a specific two-factor authentication server on Contoso’s network. The following security code validation steps are performed:

    1. The two-factor authentication portal securely connects to the two-factor authentication server in Contoso’s corporate environment to verify the security code and authenticate the user. (Red)

    2. The authentication server evaluates the code provided and if confirmed the server returns an authentication response to the two-factor authentication portal to complete the first authentication factor. (Green)

  3. The two-factor authentication portal connects to a domain controller on the Contoso corporate network to verify the Active Directory username and password of the user. The following domain credential validation steps are performed:

    1. The two-factor authentication portal securely connects to a domain controller in the Contoso corporate environment using the Office 365 managed domain Active Directory trust to verify the username and password of the user. (Red)

    2. The authentication server evaluates the code provided and if confirmed the server returns an authentication response to the two-factor authentication portal to complete the first authentication factor. (Green)

  4. When the user’s identity has been confirmed using the two-factor authentication model, the user is then passed directly to the Client Access server (CAS) via the two-factor authentication portal. An Outlook Web App session starts on the CAS and loads the user’s mailbox. In the background, the two-factor authentication portal encrypts the credentials and writes them to a cookie. With credentials stored in a cookie, John does not have to manually enter his credentials to access Exchange Online for the duration of the session. When the session ends, the cookie is invalidated and the credentials are no longer cached.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft