Aug 24 2019 04:49 AM
I enabled it for three users yesterday but had to turn it off shortly after, as they all had iPhones and it kept prompting for app passwords, which we're trying to avoid using. I read that Apple devices using version 11 or higher support modern authentication, but the catch is you need to remove the Exchange account then add it back in after 2FA is enabled, so I’m going to try that Monday. I know we can use the Outlook app but they don’t want to use that unless they have to.
Next, originally I had those initial three users set up to use the Microsoft Authenticator with the prompt as the second authentication method, but after thinking about that I think maybe the PIN code would be a better idea, as I feel like my users would get used to seeing the prompt and just hit approve every time they see it. In that sense, does the PIN code seem more secure?
Aug 24 2019 11:24 AM
By PIN code do you mean the code displayed inside the Authenticator app? The general guidance is to use the least disruptive method applicable, and nowadays you can also configure passwordless auth which prompts them to select one of three numbers, so they cannot just hit approve.
Aug 25 2019 05:33 AM
Solution
Aug 25 2019 12:33 PM
@Vasil Michev PIN code from the authenticator app or via txt. Either one. My concern is that, let's say, someone is trying to phish one of my users. Assume they already have the password to the email account. They attempt to log in as one of my users, and my user gets a prompt to approve or disapprove on their mobile device. Since they will see that from time to time by design over a period of 90 days, I'm worried that they will just approve it every time, whereas if they were using the txt code or PIN from the app, they can't simply just approve it.
Aug 25 2019 12:34 PM
@Chris Webb Thanks, that's what I was thinking. Just wanted to see if anyone else has that same opinion.