Microsoft 365 can't use 1Password for 2FA/OTP/MFA?

TJLuoma

I tried to use 1Password on my Mac to enable Two-Factor/Multi-factor/One-Time Passwords/whatever on my Microsoft Office 365 account.

I was finally able to get a QR code, but when I tried to scan it with the Mac app, the 4 corners just flashed (I think between blue and red).

So I tried it with my iPhone and scanned the QR code and it said “Incompatible QR Code”.

Questions:

1. I assume that I was supposed to deduce from the flashing 1Password-For-Mac QR code scanner that it meant "Incompatible QR code" but it would have been a much nicer experience if it had just said that.

2. I assume that this is Microsoft not following the same spec (or whatever) as all of the other sites out there that use Google Authenticator compatible services. Because they want me to use the Microsoft Authenticator app on my iPhone (the whole point of doing this is so they'll stop sending me my 2FA codes via SMS).

3. Is there a way to get Microsoft 365 to work with 1Password for 2FA/etc/I'm not typing all of those acronyms again?

---

1Password Version: 7.6
Extension Version: Not Provided
OS Version: macOS version 10.15.6 (19G73)
Sync Type: 1Password.com

ag_ana

Hi @TJLuoma!

I have just tested this by disabling and enabling 2FA once again in my Office 365 account, and 1Password managed to read it correctly this time too, so that QR code is certainly supported.

Can you point us to what URL you are using to try to scan this? Perhaps you are using a different one (I used the one I found after logging into my Office 365 account > My Account > Security > Turn on two step verification).

TJLuoma

Well, that's super annoying.

I wonder if this is different because it's Office/Microsoft 365 for a business. rather than a personal account.

Here's what I see:

ag_ana

@TJLuoma:

You might be right here, it's possible that it's because it's a business account. We discussed this before on the forum: is it possible that your organization has restricted 2FA apps to just Microsoft Authenticator?

TJLuoma

Well, I'm the admin for our organization, so I assure you that if that restriction is in place, it is not intentional!

ag_ana

@TJLuoma:

Got it! In that case, you can change the setting I believe. If you read the rest of the other forum discussion I linked to, you can see that a couple of users posted some suggestions and documentation about this Microsoft setting (here and here) ;)

TJLuoma

Aha! So it appears that the options are: 1) Require Microsoft’s authentication app or 2) Use SMS. There is no option apparently for “Let them use an authentication app that is not Microsoft’s”.

Why would Microsoft not use the same— I'm not even going to finish asking the question, because it's a waste of time and energy, and I suspect the answer is "Because Microsoft."

¯\_(ツ)_/¯

Anyway, thanks for the help!

Ben

Thanks for the update @TJLuoma. In some ways I'm glad to hear the problem is not on our end... in others... well. Sorry. :(

Ben

jmsarachaga

I think this is not anyone's bug in any way, by default Microsoft shows a propietary QR code (just for their app, incompatible with the rest), but you can click on "I want to use a different authenticator app", and then it shows a standard QR code for use in any other app ie 1Password.

https://mysignins.microsoft.com/security-info

When setting security on you MS account, after you clicked on "Add method" -> "Authenticator app", you get a modal window "Start by getting the app", at the bottom you see the link to use a different app, and then you will be able to scan a compatible QR code.

Regards

plttn

@jmsarachaga This depends specifically on settings. If one is talking about a personal O365 account, then yes, you could use a standard TOTP app. However, if using a corporate O365 account, there is an option for the administrators of the tenant to mandate use of the Microsoft Authenticator app.