How to Use 1Password as an authenticator for sites with two-factor authentication Microsoft Office

richardlabelle
richardlabelle
Community Member

How to setup 1Password as an authenticator for sites with Microsoft Office that has two-factor authentication and multiple apps under the Microsoft Account i.e. Outlook, Office, One Note, etc....


1Password Version: 6.8 (680015)
Extension Version: 4.6.9
OS Version: MacOS Sierre 10.12.6
Sync Type: iCould
Referrer: forum-search:How to Use 1Password as an authenticator for sites with two-factor authentication with Microsoft Office that has multiple Apps under the Microsoft Account i.e. Outlook, Office, One Note, etc...

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @richardlabelle: 1Password supports the TOTP standard, which Microsoft does not appear to be using, so it isn't possible at this time to use 1Password as an authenticator for Microsoft services. I hope this helps. Be sure to let me know if you have any other questions! :)

  • Manaburner
    Manaburner
    Community Member

    Hi @richardlabelle
    I have setup 1Password as my 2FA for my outlook.com account and it's working perfectly fine. However I can't say anything about office365 because I don't own such an account.

  • There are a good number of proprietary 2FA systems out there, and it's unfortunately not possible for us to support them.

    Rick

  • richardlabelle
    richardlabelle
    Community Member
    edited August 2017

    Thank you ALL for your help. I's was very much appreciated!

  • You're very welcome. Let us know if you have any more questions.

    Rick

  • gmaddry
    gmaddry
    Community Member

    MS authenticator is compatible with Google and 1Password. When setting up you must select other device and MS will give you a chance to set up another app. I just did it so it works.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Yeah, I guess it depends on how you set it up. Thanks for pointing that out! :)

  • sarx85
    sarx85
    Community Member

    Just like OP, I did not enjoy the experience of having to use MS Authenticator for this one Office 365 login. I tried the method suggested by @gmaddry, it works perfectly with Office 365.
    A big headache solved, I live about 45 mins away from work and my cell phone text message and the MS authenticator app were the only way for me to sign into my work email. I was dreading the day I have to drive back to get my cell phone to sign into my work email account.

  • Great to see that that worked out for you, @sarx85.

    Rick

  • shlgug
    shlgug
    Community Member

    Note that when setting up 2-factor authentication for Office 365 through Azure, click the "configure app without notifications" link and scan that code to get it to work with 1password.

  • AGAlumB
    AGAlumB
    1Password Alumni

    :) :+1:

  • msxtj
    msxtj
    Community Member

    Can we please have this as a feature request: 1Password to support Microsoft Authenticator?

    I think there are few big guys out there: Google Authenticator and Microsoft Authenticator. At least supporting both would be great.

  • Hi @msxtj

    Google Authenticator works based on the TOTP standard, which is the most common form of 2FA, and is also what 1Password's implementation is based on. I'm less familiar with Microsoft Authenticator, but it appears it supports the TOTP standard as well. They may also support other standards, perhaps even proprietary ones, and as Rick said above:

    There are a good number of proprietary 2FA systems out there, and it's unfortunately not possible for us to support them.

    Ben

  • msxtj
    msxtj
    Community Member

    Coming back to this comment as it's still painful to have to use multiple 3rd party apps when I'd like to use one app (1Password) for OTP.

    Look, Microsoft is not a small company. Everyone has heard about it and many of us use Microsoft services.

    A value proposition for 1Password is that the team dig into what Microsoft Authenticator uses to implement the 2FA system that Microsoft uses. This will be much appreciated by all Microsoft-services users.

    Thank you!

  • AGAlumB
    AGAlumB
    1Password Alumni

    We don't have plans to do that. It's not something that's supported by Microsoft, and even if we somehow figured it out ourselves (or someone else did) I think you can agree it would be really, really bad for you if Microsoft changed how it works later and you got locked out of your account(s) as a result. :)

  • msxtj
    msxtj
    Community Member

    I am not so sure about that.

    From Microsoft's official website:

    The Microsoft Authenticator app also supports the industry standard for time-based, one-time passcodes (also known as TOTP or OTP). Because of that, you can add any online account that also supports this standard to the Microsoft Authenticator app. This will help keep your other online accounts secure.

    Bottom-line, 1Password team can look into said industry standard.

  • Ben
    Ben
    edited November 2019

    I understand how you might've gotten that impression, but this quote is taken out of context. It appears below a paragraph where they talk about the proprietary 2SV for Microsoft accounts. In this paragraph you've quoted they talk about how the authenticator app also supports the TOTP standard (the same standard we support). Also meaning in addition to, in this case. I.e. The Microsoft Authenticator app supports both their proprietary option, as well as the industry standard. The last portion of text under that header that contains the quoted paragraph says

    For instructions on how to add other online accounts, read Add your non-Microsoft accounts.

    [emphasis mine]

    In short: there are two different things that the Microsoft Authenticator app can do.

    1. Whatever proprietary technology Microsoft is using for 2SV for their own accounts. This is not an industry standard, and not something we can support in 1Password.
    2. TOTP, which is an industry standard, and is already something 1Password does.

    Does that make more sense?

    Ben

  • guillaumeserton
    guillaumeserton
    Community Member

    @msxtj
    Are you using O365 with a professional account?
    If so, the way that the Microsoft MFA works fully depends on what the settings your company admins have choosen.
    Take a look here: https://docs.microsoft.com/fr-fr/azure/active-directory/authentication/howto-mfa-getstarted?redirectedfrom=MSDN#

    So if they decide for example to set SMS + MS Authenticator App, that means you are able to use 1password as the app for your password and unique code.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @guillaumeserton: That's very interesting! I hadn't heard of that option before (though it sounds like it's not configurable by end users). Thank you for sharing! :)

  • Absolute
    Absolute
    Community Member

    Just a quick update to this. I deliberately forced 2FA on a couple of our Office 365 E3 users.

    Then went through the procedure of entering the 19 character code into 1Password's One-Time Password field, saved and then used the generated 6 digit code when prompted. All works fine on the microsoftonline and OWA. As someone mentioned before, you can't use the built in Code Scanner, you have to type in the 19 character code.
    However it doesn't work in Apple Mail, for that to work you need to generate an 'app password' which a number of 365 admins won't allow as it effectively bypasses the need for 2FA.
    If your admin allows it, then head over to https://aka.ms/CreateAppPassword and create a password for the app you intend to use it for.

  • msxtj
    msxtj
    Community Member
    edited November 2019

    @guillaumeserton Yes, I am using a professional account.

    For normal Microsoft accounts, an otpauth://*** link is generated and is supported by 1Password, but for my O365 account, a phonefactor://*** link is generated, which 1Password does not understand, probably because the OTP is linked to a phone number.

    From previous comments above, it was mentioned that 1Password does not support Microsoft services ("1Password supports the TOTP standard, which Microsoft does not appear to be using, so it isn't possible at this time to use 1Password as an authenticator for Microsoft services. "). The comment was from 2017 though, which is not valid anymore.

    As per my research and testing, 1Password works for normal Microsoft accounts (e.g @outlook.com), but does not work for O365/work/edu accounts.

    @Mike of Oxford (can't probably tag you due to spaces in your username): Can you explain the detailed steps how you entered the 19 character code? All I have is the phonefactor://*** url.

    Thanks!

    (Edited by moderator to fix the @ mention -- using quotes works, e.g. "Mike of Oxford")

  • Absolute
    Absolute
    Community Member

    @guillaumeserton I'll try and enable another user for 2FA and go through the steps again, as it doesn't seem to let you revisit the procedure once you've successfully setup TOTP. I know I had to ignore the QCode bit and select a different option.
    My bad for not screenshotting the whole procedure! Will update once I can validate each step.
    Re my username, I can't find a way to edit it once it's setup, so maybe need an admin to remove the spaces?
    Cheers
    Mike

  • guillaumeserton
    guillaumeserton
    Community Member
    edited November 2019

    Your right Mike of Oxford
    Here is the procedure : https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-setup-auth-app
    So, If you are using 1P, you have to click on the link "Configure App without notification", then you will get a new QR Code / URL that works with 1P.

    @msxtj
    I confirmed you it's working as I'm using 1P as my mfa app for my MS Services.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited November 2019

    @msxtj: Ah, Phone Factor! I know what that is! That's a blast from the past.

    @Mike of Oxford, @guillaumeserton: Thanks for the tips! I'm sure that will help others as well. :chuffed:

  • @Mike of Oxford If you'd like help with changing your username to make it easier for people to @ mention you please reach out to us at support+forum@1password.com. Thanks! :)

    Ben

This discussion has been closed.