Multi-factor authentication has been available for Office 365 administrative roles since June 2013, and today this capability is extended to any Office 365 user. Microsoft is also enhancing the capabilities that have been available since June by adding App Passwords for users so they can authenticate from Office desktop applications as these are not yet updated to enable multi-factor authentication. Users who are authenticated from a federated on-premises directory will also can be enabled for multi-factor authentication.
Multi-factor authentication increases the security of user logins for cloud services above and beyond just a password. With Multi-Factor Authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in.
Any of the following may be used for the second factor of authentication.
- Call my mobile phone. The user receives a phone call that asks them to press the pound key. Once the pound key is pressed, the user is logged in.
- Text code to my mobile phone. The user receives a text message containing a six-digit code that they must enter into the portal.
- Call my office phone. This is the same as Call my mobile phone, but it enables the user to select a different phone if they do not have their mobile phone with them.
- Notify me through app. The user configured a smartphone app and they receive a notification in the app that they must confirm the login. Smartphone apps are available for Windows Phone, iPhone, and Android devices.
- Show one-time code in app. The same smartphone app is used. Instead of receiving a notification, the user starts the app and enters the six-digit code from the app into the portal.
Source: http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/ Amin Tavakoli