Two-Factor Authentication on iOS, Android and Windows Phone using Azure Authenticator

Summary

New versions of Microsoft Azure Authenticator came out last week. It runs on iOS, Android and Windows Phone and now supports two-factor authentication for almost all of your online accounts. I'm now using it in place of several other apps.

In this article we'll see how to use Azure Authenticator to set up two-factor authentication on more than one device at once for a few fairly common accounts such as Google, Facebook and Office 365 and Hotmail/Outlook from Microsoft.

Before you start you should know that you will need to have all of your devices with you when it's time to scan the QR code for each account.

NOTE: Office 365 uses Azure Active Directory by default. Due to the way the verification in Azure AD works, it's not possible to activate more than one device at once for these accounts (it doesn't use the time-based one-time password (TOTP) algorithm, preferring instead to call back to the server). However, as we will see, the numerous backup options available mean that this is not a major inconvenience.

Background

Having previously had several different apps for various types of two-factor authentication, last week Microsoft released new versions of Azure Authenticator for Windows Phone and Android, hot on the heels of a new iOS version released slightly earlier.

Don't be fooled by the name; this app is not just for logging in to your Azure account. In fact, now that the app supports several new types of account including Facebook, Google and any other provider that supports OATH one-time passcodes (such as those supported by Google Authenticator), it's actually worth using even if you don't own a Windows Phone. The good thing about this kind of authentication is that you don't need to be connected to the internet to generate the codes, which means you don't need a mobile phone signal to authenticate. If you want to know why this might be relevant, ask me about the time I was trying to log in to Azure five minutes before delivering a talk (on Azure) downstairs in a pub in Reading.

I have set it up on my mobile phone (a Nokia Lumia 930) and also on a backup device (an iPhone 5) so that I can get into my accounts easily if anything happens to my phone. If you're the sort of person who has a spare mobile phone in a drawer somewhere in case you lose or break your proper mobile phone, then you might want to do this too.

Passwords alone are not enough

These days most people know that using a secure password is not necessarily sufficient to protect yourself online and it's not uncommon to hear of password information being stolen. Indeed, major data breaches are becoming depressingly common. Or to put it another way, just because you are careful with your password, that doesn't mean that the account provider is also as careful.

See if your accounts have already been compromised in a data breach

If you haven't already done so, you should probably check your email address at https://haveibeenpwned.com/. It's a trustworthy site from Troy Hunt which will let you know if you have an account which has been compromised in any of several fairly major data breaches, some of which you probably haven't even heard about. Read more about it here.

You can mitigate the threat of these data breaches somewhat by using Two-Factor Authentication (sometimes called two-step verification) where possible. Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) and basically means using something you know (your password) and something you have (e.g. your mobile phone or a secure token) to prove you are who you claim to be. The most common example of two factor authentication with which most people are familiar is the use of a bank card and PIN to obtain money from an ATM, or using a Chip and PIN device to pay for goods.

Which online services support two-factor authentication?

Whilst two-factor authentication has been around for a number of years, a lot of companies have been slow to adopt it. You can see a long list of companies along with details of whether or not they support 2FA at https://twofactorauth.org/.

I think that in most cases when using a mobile phone app it's something of a misnomer to refer to this as two-factor authentication, since you usually need either a passcode or a fingerprint to unlock the device before you can access the app.

Now let's look at setting up two-factor authentication for a few common online accounts.


Facebook

To set up Facebook to use Azure Authenticator you need to enable Login Approvals and also the Code Generator.

Click on the small down arrow at the top right of the page and choose Settings and then Security (on the left hand side). Select Login Approvals.

Ticking the checkbox starts the setup wizard.

When asked what kind of phone you're using, select Other.

You will be sent a code (via SMS) which you need to enter.

And then you are presented with this confirmation.

Now that you have successfully set up Login Approvals, you need to switch from codes delivered via SMS to codes generated by the Azure Authenticator app.

Select Code Generator.

Now choose Set up another way to get security codes and you will be presented with a QR code.

Scan the QR code with each device before entering the code that's displayed in the app. The code should change every thirty seconds and each device should show the same code, because every device that scanned the QR code holds the same shared secret.

Now when you log in to Facebook from a new device or browser you will have to enter a security code from your Azure Authenticator app.


Google

Go to https://myaccount.google.com/security#signin and select 2-step Verification.

NOTE: If you're using Google Apps and this option isn't available then your administrator will need to enable it which they can do by going to https://admin.google.com/AdminHome?pli=1&fral=1#SecuritySettings:flyout=basic and allowing two-step verification like this:

When you first set up 2-step verification for your Google account, you are forced to add your mobile phone number and to receive your first code via SMS or voice call. This means you will need a mobile phone signal when you set it up. You will only need to do this once, however.

Enter the code and click Verify.

Now choose Switch to app like this:

You don't need to choose which type of phone you're using.

Now for the important bit.

As with the Facebook account, you need to scan the QR code with each mobile device before clicking Verify and Save.

Enter the six-digit code and click Verify and Save. Next you can choose whether or not to trust your computer, which means that you won't need to enter another verification code for thirty days. Finally you are asked to confirm that you want to turn on 2-step verification and then you are done.

Now when you go to https://accounts.google.com/b/0/SmsAuthSettings#devices you will see this confirmation that you are using the Google Authenticator app (although in fact you're using Azure Authenticator).


Microsoft Account

First go to https://account.microsoft.com/ and choose Manage advanced security.

UPDATE: This has changed ever so slightly, so the image above is no longer correct. Go to https://account.microsoft.com/ and then choose Security & Privacy → More privacy settings.

Or you can skip that and still go straight to https://account.live.com/proofs/Manage as before.

Now scroll down to Identity verification apps and click on Set up identity verification app.

Choose one of the options (it doesn't matter which) and click Next.

If you've already set up the Authenticator app, you will see this:

Scan the QR code with all of the devices you want to use.

Finally, enter the six-digit code from the Azure Authenticator app and click Next.


Office 365 or Microsoft Azure

Office 365 uses Azure Active Directory to manage its users.

Go to https://portal.office.com, click on the settings cog at the top right hand corner of the page and choose Office 365 Settings.

Now choose Additional security verification → Update my phone numbers used for account security.

Alternatively, if you're using Azure or have already linked your Azure and Office 365 directories, just go straight to https://account.activedirectory.windowsazure.com/Proofup.aspx.

Notice the alternative forms of verification and click the large Configure button for the Azure Authenticator app and you will see a QR code which you need to scan using the app.

As previously alluded to, you can only activate this on one mobile device, because the app calls back to the server as soon as you scan the QR code rather than deriving codes locally from a shared secret.

Conclusion

Two-factor authentication (sometimes written as 2FA) is a great way of increasing the security of your online accounts as it requires you to use a combination of something you have in your possession (e.g. your mobile phone) and something you know (e.g. your password). Yes it's slightly inconvenient, but this inconvenience is massively outweighed by the fact that it provides significantly greater security. More and more companies are now offering two-factor authentication and you can see a fairly comprehensive list of those that do at https://twofactorauth.org/.

There are a number of mobile phone apps to facilitate two-factor authentication with my current favourite being the cross-platform Azure Authenticator from Microsoft. We've seen how to set this up on several devices at once so that we can have a backup device, "just in case".

Whilst Azure Authenticator is very good, it doesn't really matter which particular app you use; the important thing is that more companies should offer two-factor authentication and you should use it when they do.