For decades, Macro viruses are a serious problem. Does it mean that Windows, Office and VBA – all Microsoft products – are insecure?
Absolutely not. Microsoft gave you the ability to stop Macro viruses
– instantly – ever since Office existed (25 years+).
This is a technical article – for Security and IT professionals.
Reading time (7 min)
Continue reading Stop Macro viruses instantly
Just using a login id and password is dangerous. For best protection we must use two factor login – password + OTP. But this is inconvenient and irritating. Now we have a new option – Password-less login – for Office 365. This is secure as well as convenient. See how easy it is and ask your IT team to enable it for you. (5 min reading time)
This requires you to download Microsoft Authenticator app on your mobile and configure it once. You must enable the Phone Sign-In option.
Once this is done, you do NOT need to type in your password at all during login. Here are the steps.
- Go to the login page Office.com and click Sign In
- Enter the login name and click Next
- Now, instead of asking for your password, it will just display a number
- At the same time, you will receive a notification on your mobile. This notification shows three numbers.
- Choose the correct number from the mobile notification and choose Approve
- If the phone was locked at the time of receiving this notification, you will have to enter unlock code or use fingerprint or face sign-in
- That’s it. Now your login is done … without entering the password.
What happens if there is no internet connection
For the Password-less login to work, the Microsoft Authenticator app requires internet connection on the mobile. If there is no internet connection, you can click on the Use your password instead option.
In this case, you can type the password as usual. You will NOT receive a notification on mobile. But the Microsoft Authenticator app will still show the code for your account. Type that code and the login will work. The codes are automatically generated every 30 seconds. This does not require an internet connection on your mobile.
Ask IT to enable Password-less login
This is an Azure AD feature. Ask your IT team to refer to this article for details. It is just a single PowerShell command as of now (Dec 2018). Soon it will be available as an option in Azure AD portal user interface as well.
Quick guide for Office 365 MFA. Includes admin and user tasks in brief.
Admin: Enable Office 365 MFA
- Go to Admin Portal
- Users – Select the user
- Select user(s) again and click the Enable button
- That’s it. Now it is the user’s turn to take the next steps
User: Enable Office 365 MFA – first time only
- You must go to a browser – incognito / InPrivate / private mode
- Go to https://portal.office.com
- Login as usual.
- Click Next in the Additional Information dialog
- Now there are many options and this can be a confusing step
- Open the dropdown choose Mobile App and Choose Receive Notifications for verification option
- Click the Set Up option. After some processing, it will show a QR code
- Now it is time to download and install the Microsoft Authenticator App on mobile (Android and iOS)
- Open the app and from the top right menu, choose Add Account – Work or School Account
- Scan the QR code
- Now it will register the account on the mobile and you will see a 6 digit code which keeps changing every 30 seconds (does not require internet connection)
- Now click Next on the browser side.
- You will now receive an notification on the mobile phone.
Choose the Approve option.
- Now the MFA is configured.
Please note, the displayed 6 digit number is NOT REQUIRED to be entered anywhere. This is because, we are using the Receive Notification for Verification option.
- In the next step, it will ask another number for verification in case you lose your mobile. Add a different number here. Click Next.
Special password for Outlook and Skype for Business
Outlook client and Skype FB does not support MFA. Your regular account password will stop working as soon as MFA is configured. Outlook will keep asking for your password and your regular password will not work. Now you have to use a special password.
That is the one shown to you in the next dialog as Step 4. Copy that password and use the same password it for Outlook and SFB. Use one password for laptop and one for desktop / mobile, etc.
If you use any ActiveSync client on mobile, that will also require a password. Technically you can use this password, but it is better to create another one.
How to do that? Go to Portal.Office.com, click on your photo, go to My account – Security – You will see a Create App Passwords option. Create a new one from there and use it.
User: Regular Office 365 MFA login
Now onwards, MFA is enabled. Now login using two steps
Step 1: Login using UID PWD as usual.
Step 2: Immediately, you will receive the Approval notification on mobile.
Chances of your account being hacked reduced by 99% now.
Share this with everyone you love and make their digital lives also safer.
All of us know that the recommended password length is increasing all the time. Currently a complex password is recommended to be 14 characters or more. Instead of a long and complex password, you can also login using Windows Pin Security. The Windows 10 Pin can be as short as 4 digits. Pin is considered to be BETTER than a password. However, the pin looks fairly weak. Is it not?
On the face of it, yes. PIN appears to be grossly inadequate as a protection mechanism. But it is not. Obviously, Microsoft must have thought about it! How is the Windows Pin Security strong enough? Here are the reasons:
Why Windows Pin Security is better than passwords?
- PIN works only on that device. Therefore, even if someone knows your PIN, they need physical access to your PC.
- PIN is not visible on the network (Wi-Fi or network cable). Password can be stolen just by monitoring your Wi-Fi. PIN is typed locally on the PC. No chance of it being visible on the network.
- Many laptops have a special hardware chip for encrypting stuff. Using this chip to manage the PIN makes it impossible for hackers to find the pin. (This chip is called TPM. Never mind what it means.
- If someone steals the laptop, they have to guess the pin. As you would expect, there is a lockout setting with TPM chips. If the laptop does not have TPM, you can still use BitLocker and apply a group policy setting to limit failed logins.
- It is easy to get your passwords using various methods. Let us not go into details of what these methods are. What you need to remember is never to click on a random link in email or browser and never reveal the password to anyone. (period).
If PIN is stolen from you, using the same methods which work with passwords, you are still safe because of the 4 reasons listed above.
If you forget your own pin, you must login using another method and reset the pin. Also note that if you enable biometric login (face recognition or fingerprint), creating a PIN is mandatory. Why so? Because, for whatever reason if biometric does not work, you need an equally secure alternative to login (login / password is less secure). That is why you also need to set up a PIN. These new methods of secure login are called Windows Hello.
In short, if you have a choice, always use PIN (and biometric) instead of username and password with Windows 10.
DO NOT respond to any mails which ask for Urgent Upgrade. Here is a sample mail which I just received.
There is a link called UPGRADE NOW.
DO NOT CLICK ON THIS LINK.
This link leads to an authentic looking Office 365 login page. Needless to say, it is a fake page. This is called a Phishing attack.
DO NOT put your password there.
Just delete the mail permanently and do not think about it again.
I have already informed the relevant authorities in Microsoft. They will do the needful.
If you are in another country or region, you may not receive this particular type of mail. But in any case, do not trust any such mails. If you are an IT person, go to the Office 365 Admin page and check if there is a genuine need for license upgrade. If you are not an IT person, just alert your IT team.