Securing Accounts on Office 365 with Multi-Factor Authentication

Securing Accounts on Office 365 with Multi-Factor Authentication

If your organization is moving to Office 365, protecting your accounts in the cloud should be a top concern.  Thankfully Microsoft offers Multi-Factor Authentication (MFA) which requires that any user with MFA enabled prove their identity in at least two of the following ways:

  1. What you know
  2. What you have
  3. Who you are

Since you’re reading this blog online, chances are you routinely deal with the “What you know” aspect, the username and password.  With Office 365, the second proof of identity involves “What you have” and is often enforced through either a text to your office or mobile phone.  As of November 2017 a “Who you are” approach is not available when logging into Office 365.  

For those not familiar with this approach, these are the steps required for a staff member to sign in to Office 365:

  1. Try to log into Office 365 (SharePoint, Planner, Teams, Outlook, etc.)
  2. Office 365 prompts for your username and password.
  3. If the username and password is correct, you are asked to enter a verification code from your mobile device.
  4. A text message is sent to your mobile device with a random code.
  5. You enter that code and if the code is correct, you are authenticated and allowed to use Office 365.

This Send-Me-A-Text approach is commonly used because it is the easiest to implement and the easiest for the staff members to use (applying the Principle of Psychological Acceptability).  But while the ubiquity of mobile devices makes implementing MFA easier, sending a text to your mobile device is open to vulnerabilities including SIM Hijacking.

SIM Hijacking Explained

Cell phone carriers utilize a Subscriber Identify Module (SIM) card inserted into a mobile device to associate your mobile device with your mobile device number.  This association is managed by cell phone carriers allowing cell phone carriers to change the association between a SIM card and phone number if your mobile device is lost, stolen, or destroyed.

If a nefarious entity was able to contact a cell phone company and switch the association with the SIM card on your mobile device and your phone number to another SIM card on another mobile device, they would have successfully hijacked your SIM card.  As a result text messages would no longer go to your mobile device but the nefarious entity’s mobile device.

While cell phone companies have levels of security to prevent this, you should not rely on other entities to adequately mitigate this attack.  If the nefarious entity has enough information on someone through personal relationships or through other database hacks (think Yahoo, Equifax, etc.) then the probability is significant.

If you are still unsure that SIM Hijacking can happen read this story on SIM Hijacking with Twitter.

The fix

To avoid SIM Hijacking, it is best to use the Microsoft Authenticator app as the default verification step instead of the Send-Me-A-Text approach.   The Microsoft Authenticator app installs on a mobile device and implements the Time-Based One-Time Password Algorithm (TBOT) which involves having the current time, a digital signature, and a shared secret, a QR Code which is provided when you configure the application.

Figure 1 – Example of QR code for setting up Microsoft Authenticator app

Once a person installs and configures the Microsoft Authenticator app (see instructions provided by Microsoft), a code is pushed to your phone that is NOT dependent on your SIM card.  Furthermore, instead of receiving a text message with the code, the code appears on the Authenticator App for you to use to sign in as the second verification step.

Figure 2 – Microsoft Authenticator App with verification code

That’s not all – there is one more step.  Microsoft offers an alternative verification option when you sign into an account just in case you can’t use the Authenticator App.  If that alternative is an actual cell phone number then SIM Hijacking is still a viable problem.  

Figure 3 – The different verification needs to be addressed to avoid SIM Hijacking

The solution is to return to where you setup the Microsoft Authenticator app and update the alternate authentication number to a bogus phone number.  In addition, as a company it is important to establish a process and educate staff on how to notify Office 365 administrators if their mobile device is lost, stolen, or destroyed.  That way Office 365 administrators can be aware of a potential security risks and provide the appropriate alternative for MFA while a new mobile device is acquired.

Figure 4 – Example of addressing different verification option with SIM Hijacking


There are quite a few steps involved to better secure Office 365 accounts with MFA, but security is only the strongest at its weakest link.  With a good governance model these security implementations can be eased into an organization and balance security without disrupting staff work drastically. Definitive Logic has the expertise to help you migrate threats and thrive in the cloud, so please contact us at for further information or visit Definitive Logic’s cloud services page.