Office 365 OTP should not be accepted if not supported

kathampy
Community Member

The Office 365 Multifactor Authentication barcode is accepted by 1Password but as expected the codes don't work. Other apps like Authy or Google Authenticator seem to be able to determine that they can't generate Office 365's OTPs and thus reject the barcode.

You should either add support for Office 365 or actively reject barcodes which the app isn't sure about.

Comments

  • Thanks for letting us know about this, @kathampy!

    I wasn't able to test this personally as I don't have an Office 365 account, but I've filed a bug for our developers to investigate.

    ref: OPI-2495

  • This content has been removed.
  • Hi @cobaltjacket,

    The issue is with the two-step authentication one-time password, not with your usual username/password credentials. :)

    Thanks!

  • Unknown
    edited April 2015
    This content has been removed.
  • Interesting. @kathampy, have you tried re-adding the OTP secret?

  • kathampy
    Community Member
    edited April 2015

    Office 365 for Home is just a standard Microsoft Account. Office 365 for Business is a different account with a custom Multifactor Authentication app. The Office 365 website redirects you to a different login page depending on the type of account.

    You actually need to pay a $1 subscription fee to activate TFA on a business account.

  • So 1P works with OTP for Office 365 Home but not Office 365 for Business?

  • kathampy
    Community Member
    edited April 2015

    Yes. Even though both are paid services, Office 365 Home just redirects you to the regular Microsoft Account page. Office 365 Business is an Azure Active Directory account. It actually supports using either an app generated code, an SMS code, a telephone call or a push notification which you can just tap. You may be able to add support for just the app generated code.

    Editing the security settings on a business account to even enable TFA takes you to the dedicated Azure Active Directory website to manage the account.

  • I see. I will clarify the bug report then. Thanks!

  • @kathampy I'm currently looking into this problem. Could you possibly share with me the secret (or some variation of the secret) that 1Password captures from the Office 365 for Business site? If the secret is a URL I'd recommend replacing any identifying information with dummy info and the actual secret code with different letters and numbers (but the same length). If you'd prefer to email me the secret you can do so at mrrooni@agilebits.com. Thanks!

  • kathampy
    Community Member
    edited May 2015

    @MrRooni
    CODE: 123 456 789
    URL: https://abc12defgh34.phonefactor.net/pad/123456789

    I've randomized the letters but the lengths are the same. This is the information provided to manually configure the app instead of the barcode.

  • I see. Thanks @kathampy. That's the URL that comes from the QR code?

  • kathampy
    Community Member

    @MrRooni No, that's the information they give to manually configure the application. This is the URL scanned from the QR code:
    phonefactor://activate_account?code=123456789&url=https%3A%2F%2Fab1cdefg23.phonefactor.net%2Fpad%2F123456789

  • kathampy
    Community Member

    I'd like to clarify that the Code and the numbers in the URL were not the same, even though I replaced them both with 123456789.

  • Thanks @kathampy. I appreciate you taking the time to post that here. I'll update our bug report with that information and see if there's anything we can do.

  • @kathampy, if you take the code out of that URL and use it in place of the entire phonefactor:// URL in the one-time password field, does it generate a valid one-time password then? Your one-time password field would look like so:

  • kathampy
    Community Member

    Using just the Code value doesn't work.

  • Thanks for checking @kathampy. I did some more digging and it appears that Office 365 for business uses a one-time password generator that currently has no software development kit for Mac/iOS, so we may be out of luck for now. Are you currently using their app to perform the second factor verification? https://itunes.apple.com/us/app/multi-factor-authentication/id475844606?mt=8

  • kathampy
    Community Member

    Yes, I'm using their app.

  • Okay. Thanks for letting us know about this issue, and for taking the time to further troubleshoot it with us. If we have further questions we'll be in touch!

  • Nimish Telang
    Community Member

    +1 For this. I got very confused when 1p accepted the QR code but was generating bogus passwords. It'd be nice to have a message that says that these aren't accepted.

  • Thanks for the upvote, Nimish. I just checked and it appears that Microsoft has not yet made their SDK available for iOS. I've created another ticket in our bug tracker to ignore phonefactor:// TOTP URLs.

    Let me know if there's anything else I can help with.
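
The check this thread asks for (reject a scanned barcode the app cannot generate codes for) can be sketched as follows. This is an added example, not 1Password's code and not part of any post; the function and class names are hypothetical, it assumes only `otpauth://` Key URI payloads are supported, the `otpauth://` sample is constructed, and the `phonefactor://` sample is the placeholder URL posted above.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

SUPPORTED_TYPES = {"totp", "hotp"}  # assumption: the only types this sketch generates
SUPPORTED_ALGOS = {"SHA1", "SHA256", "SHA512"}

# Placeholder URL from the thread, and a constructed otpauth sample.
PHONEFACTOR_SAMPLE = ("phonefactor://activate_account?code=123456789"
                      "&url=https%3A%2F%2Fab1cdefg23.phonefactor.net%2Fpad%2F123456789")
OTPAUTH_SAMPLE = "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example"


class UnsupportedOtpUri(ValueError):
    """Raised when a scanned payload cannot yield working codes."""


def parse_otp_uri(payload: str) -> dict:
    """Return validated OTP parameters, or raise UnsupportedOtpUri with a reason."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "otpauth":
        # A vendor activation link carries no shared secret to derive codes from.
        raise UnsupportedOtpUri(f"unsupported scheme {parts.scheme!r}")
    otp_type = parts.netloc.lower()
    if otp_type not in SUPPORTED_TYPES:
        raise UnsupportedOtpUri(f"unsupported OTP type {otp_type!r}")
    query = parse_qs(parts.query)
    secret = query.get("secret", [""])[0].replace(" ", "").upper()
    if not secret:
        raise UnsupportedOtpUri("missing secret parameter")
    try:
        # Authenticator secrets are usually unpadded base32; restore the padding.
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except (binascii.Error, ValueError):
        raise UnsupportedOtpUri("secret is not valid base32") from None
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in SUPPORTED_ALGOS:
        raise UnsupportedOtpUri(f"unsupported algorithm {algorithm!r}")
    try:
        digits = int(query.get("digits", ["6"])[0])
        period = int(query.get("period", ["30"])[0])
    except ValueError:
        raise UnsupportedOtpUri("digits/period must be integers") from None
    if digits not in (6, 8) or period <= 0:
        raise UnsupportedOtpUri("digits/period out of range")
    if otp_type == "hotp" and "counter" not in query:
        raise UnsupportedOtpUri("hotp requires a counter")
    return {"type": otp_type, "key": key, "algorithm": algorithm,
            "digits": digits, "period": period}
```

Calling `parse_otp_uri` at scan time lets the app show the rejection reason immediately instead of storing the payload and producing codes that never verify.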

  • vashachiroku
    Community Member

    MrRooni,

    Is it still the case that there is no SDK? If so, I can ask internally about this, as I know a lot of MS people use 1Password. However, the reason it might not exist is that, if you have used the Azure Authenticator app, there are multiple ways it works.

    1.) OTP code (changes every 60 seconds)
    2.) Approval code (Azure app sends you a notification and you must click APPROVE)
    3.) Internally MS (Notification sends & must enter an additional PIN number; on iOS you can use Touch ID rather than entering the PIN)

    Fraud is another big thing: from the app you can submit a fraud attempt on your account, which will basically lock the account for security reasons, along with notifying admins/security teams, etc.

  • littlebobbytables
    1Password Alumni

    Greetings @vashachiroku,

    Now I hold my hands up and confess I'm no @MrRooni, but I think this hasn't changed. I suspect MrRooni won't be around much over the next day or so, so we'll wait and see if he confirms that this is the case.

  • Good morning @vashachiroku. Last I checked there was still no option for us here. If something does become available we will certainly evaluate it. Happy new year!

  • Stefan Schweizer
    Community Member

    Ran into the same issue today. But if you select generating OTP without push and then scan the QR code, it generates a proper OTP through 1P; it only doesn't work if you want the push notification, which you can tap with the approve or deny buttons in the app.

  • Interesting! Thanks for letting us know, @Stefan Schweizer.

    Ben

This discussion has been closed.