Office 365 App Passwords and Multi-Factor Authentication: Complete Overview

The number of social engineering attempts and phishing attacks has been on the rise for years. Moreover, cybercriminals have been quick to take advantage of any newly discovered software vulnerabilities. One simple way to minimize the risks of a breach and to strengthen access security is using multi-factor authentication (sometimes called two-factor authentication) for logins in addition to a username and a password.

In Microsoft Office 365 environments, multi-factor authentication is supported. It allows you to implement stronger access requirements in accordance with your organization’s security policy. Discover more about multi-factor authentication and how to use it in Office 365 applications.

What Is an Office 365 App Password?

An Office 365 app password is a separately generated password that lets an application or device access your Office 365 account and Office 365 applications; it is part of the Azure multi-factor authentication configuration. Generate a separate app password for each device that you use to access Office 365 applications; on the same device, the same app password can be reused.

An Office 365 app password is the alternative to multi-factor authentication for applications that cannot natively support MFA and for non-browser applications. Keep in mind that such an application then signs in with the app password alone, without the second factor.

Create an App Password for Office 365

  • Click your avatar or user icon in the top right corner and then click the My account option.

[Screenshot: configuring Security & privacy to set an Office 365 app password]

  • If the App password option is not available, sign in to the Azure portal and open the Multi-factor authentication settings page.
  • Select the Allow users to create app passwords radio button.
  • In the account options, select App password and click Create to create an Office 365 app password.
  • Enter a name for the Office 365 app password, for example, Outlook365. Copy the generated password to the clipboard and store it in a safe place, or write it down manually.
  • After you generate app-specific passwords, you can use them to log in to Office 365 applications such as Outlook.

What Is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a method of confirming a user's identity by requiring multiple credentials before authorization and before granting access to a website, application or other resource.

Two-factor authentication involves two steps:

  • The user enters information that only they know.
  • The user confirms their identity by providing additional proof that only they can produce, for example, a confirmation call, an SMS code, a USB key, a fingerprint, a face image, etc.

Generally, the information used by MFA falls into three categories:

  • Knowledge – something you know (a password, a PIN code, etc.)
  • Possession – something you have (a cell phone, a USB key, a smart card, a token, etc.)
  • Inherence – something you are (biometric data such as a fingerprint, your eye or your face)

With MFA, a system can verify that the real user is signing in and not a malicious actor who has compromised the account by stealing the username and password. MFA is highly recommended for internet banking. However, if the information in your Office 365 documents and your Office 365 email account is important to you, you can also configure MFA for Office 365.

Two-factor authentication, which is a subset of multi-factor authentication, is sometimes confused with two-step verification. Although both are used to confirm the user’s identity, they differ in an essential way:

  • Two-step verification relies on the user entering something that only they know, for example, a password, followed by an additional step before access is granted that involves an element of the same category (two keys, two passwords, etc.). The first step is always something only you know, and something you have or something you are is never combined with it.
  • Two-factor authentication requires two elements from different categories – for example, the user has to enter something they know and present something they have.

Using multi-factor authentication or two-step verification may be inconvenient. For example, you may forget to take your phone with you or you may lose it, which complicates authentication.
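The distinction above between two-step verification and true multi-factor authentication, together with the earlier point that an app password replaces MFA for legacy clients, as an added Python example (not code from the article; the category table, the `classify`/`audit` names and the sign-in records are this example's own constructed assumptions):

```python
"""Classify an authentication flow by the factor categories it uses.

Added example, not part of the original article. Two-step verification
uses several proofs from the same category; two-factor / multi-factor
authentication uses proofs from at least two distinct categories; an app
password on its own is a single knowledge factor even on an MFA-enabled
account, which is why it needs administrator attention.
"""
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Proof types mapped onto the three categories the article lists.
# Constructed for this example; extend it for other methods.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "app_password": Factor.KNOWLEDGE,   # long and random, but still only knowledge
    "sms_code": Factor.POSSESSION,      # proves control of the phone number
    "voice_call": Factor.POSSESSION,
    "authenticator_app": Factor.POSSESSION,
    "usb_key": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def classify(methods):
    """Return 'single-factor', 'two-step' or 'multi-factor' for a list of proofs.

    An unknown method raises KeyError so it is never silently counted as a
    strong factor.
    """
    if not methods:
        raise ValueError("at least one proof is required")
    categories = {METHOD_CATEGORY[m] for m in methods}
    if len(categories) >= 2:
        return "multi-factor"
    if len(methods) >= 2:
        return "two-step"
    return "single-factor"


def bypasses_mfa(methods):
    """True when a sign-in is completed with an app password and never reaches
    a second category, i.e. the legacy-client path that skips MFA."""
    return "app_password" in methods and classify(methods) != "multi-factor"


# Constructed sign-in records, not real log data; the field names are assumed.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "client": "browser", "methods": ["password", "sms_code"]},
    {"user": "bob@example.com", "client": "outlook2010", "methods": ["app_password"]},
    {"user": "carol@example.com", "client": "browser", "methods": ["password", "pin"]},
]


def audit(signins):
    """Return (user, client, reason) for every sign-in that did not reach
    multi-factor strength, for follow-up by the administrator."""
    findings = []
    for rec in signins:
        level = classify(rec["methods"])
        if level == "multi-factor":
            continue
        reason = "app password bypasses MFA" if bypasses_mfa(rec["methods"]) else f"{level} only"
        findings.append((rec["user"], rec["client"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SIGNINS):
        print(finding)
```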

Types of MFA for Office 365

Office 365 offers three main types of MFA:

  • Authentication phone: SMS or call
  • Office phone
  • Mobile app: Receive notifications for verification or use verification code

How to Enable MFA for Your Office 365 Account

If you use Office 365 in your organization, MFA must first be enabled for the organization or for the individual users who need it. After that, a user can set up multi-factor authentication for their Office 365 account.

  • Go to the Office 365 sign-in page: https://login.microsoftonline.com.
  • Log in to Office 365 as an administrator.

[Screenshot: selecting the Office 365 admin center]

  • In the screen that opens, a list of Microsoft Office 365 accounts appears. The accounts are organized in a table with three columns: Display Name, User Name and Multi-Factor Auth Status. As the screenshot shows, the MFA status is “Disabled” for all accounts by default. Let’s enable MFA for one user.

[Screenshot: enabling multi-factor authentication in Office 365]

If your users do not regularly sign in through the browser, you can send them to this link to register for multi-factor auth: https://aka.ms/MFASetup

How to enable MFA in Office 365

Note that the step-by-step guide below describes the actions taken by the user, not by the admin who has configured MFA.

  • Open the security verification page by using the link https://aka.ms/MFASetup (that you saved earlier).
  • Provide the correct information in a few steps.

Step 1: How should we contact you?

In the drop-down menu you can select:

  • Authentication phone

Let’s select Authentication phone. You have to enter a valid cell phone number and select the second authentication method:

  • Send me a code by text message

If you select to receive a code by text message (SMS) or by phone call, you may be charged according to your mobile operator's rates. Let’s select the first option (Send me a code by text message). Hit Next.

[Screenshot: additional security verification in Office 365]

Wait for a few seconds.

Step 2: We’ve sent a text message to your phone

[Screenshot: entering the confirmation code sent via SMS]

  • If verification is successful, hit Done, and you will be redirected to the Office 365 login page. From now on, a verification code is sent to your cell phone via SMS at each sign-in.

NOTE: If you selected the Call me option, you usually answer the call and press the # key.

[Screenshot: entering a verification code sent via SMS to sign in to Office 365]

Now Office 365 multi-factor authentication is configured, and it is used each time after you enter your username and password. You are redirected to the page with additional security verification options, where you can modify the settings. Keep your phone with you and take care not to lose it, since you need it to complete Office 365 authentication.

[Screenshot: Office 365 additional security verification options]

Multi-factor authentication and Office 365 app passwords are additional authentication security options. Multi-factor authentication improves security but adds steps to the sign-in. Use MFA when you are not sure that a username/password pair alone is enough security for you. Generate Office 365 app passwords when MFA is enabled on an account but an application cannot use the native multi-factor authentication methods; keep in mind that such an application then authenticates with the app password alone.

However, even if your security configuration is strict, having a backup is always a good idea. Consider using dedicated Microsoft 365 backup software to protect your data and ensure point-in-time restores.


Using app passwords with apps that don't support two-step verification

After you turn on two-step verification or set up the Authenticator app, you may run into issues if you use apps or older devices (like Windows Phone 8 and Xbox 360) that don't support two-step verification.

If you have two-step verification turned on and an app isn't prompting you to enter a security code when you sign in, you may be able to sign in with an app password instead. An app password is a long, randomly generated password that you provide only once instead of your regular password when signing in to an app or device that doesn't support two-step verification.

You only need to create an app password if you have two-step verification turned on and are using an app that doesn't support it.

Note: If you forgot your password, are having trouble resetting your password, can't find your security code, or have other problems signing in to your account, see When you can't sign in to your Microsoft account.

Tip: If you're a small business owner looking for more information on how to get Microsoft 365 set up, visit Small business help & learning.

How to create a new app password

To create a new app password for an app or device, take the following steps. You can repeat these steps to create an app password for as many apps or devices as you need.

  • Go to the Security basics page and sign in to your Microsoft account.
  • Select More security options.
  • Under App passwords, select Create a new app password. A new app password is generated and appears on your screen.
  • Enter this app password where you would enter your normal Microsoft account password in the application.

Note: Once you have created and entered an app password for a given app or device, you usually won't need to do it again.

Sign-in methods for apps and devices

Some apps or devices require a slightly different method of signing in. The most common ones are listed here:

Xbox 360 console

When you turn on two-step verification, you'll be prompted to enter your Microsoft account password the next time you download your Xbox profile or sign in to the Xbox console. Follow these steps:

  • Visit your Security basics page online to get an app password.
  • Enter the app password on your Xbox 360 instead of the password for your Microsoft account.
  • If you don't want to reenter an app password each time you sign in to this console, select the Remember me check box.
  • Select Sign In.

Outlook desktop app for Office 2010 or earlier

If you already sync your Outlook.com email with the Outlook desktop app for Office 2010 or earlier, follow these steps:

  • In the Outlook desktop app, click File.
  • Under Info, click Account Settings.
  • Double-click the Microsoft account you turned on two-step verification for.
  • In the dialog box shown by the Outlook desktop app, enter the app password in the Password box.
  • If you don't want to reenter an app password each time you use the Outlook desktop app, select the Remember password check box, and then click OK.

If you want to add your Microsoft account to the Outlook desktop app for Office 2010 or earlier, follow these steps:

  • Under Info, click Add Account.
  • Enter your name in the Your Name box. In the Email Address box, enter the email address for your Microsoft account.
  • In the Password and Retype Password boxes, enter the app password instead of your Microsoft account password, and then click Next.

Default email app on an Android phone

If you're using the default mail app on your Android phone, follow these steps:

  • Open the mail app on your phone.
  • Tap Menu, and then tap Settings.
  • Tap your Microsoft account.
  • Tap Incoming settings (under Server settings).
  • Visit your Security basics page online to get an app password.
  • Replace the password on your phone with the app password.

Note: If you’re using the Outlook.com email app on your Android phone, you're all set—you don't need an app password.

Outlook.com email on a BlackBerry phone

If you’re using the Outlook.com email app on your BlackBerry phone, follow these steps:

  • On your phone, go to Setup, and then choose Email accounts.
  • On your phone, replace the password for your Microsoft account with the app password.

Saving files to the web with Office 2010

If you want to save Office 2010 files to the web, you'll need to sign in with an app password. The steps are slightly different, depending on which Microsoft 365 app you're using.

To sync OneNote online, follow these steps:

  • In OneNote, click File.
  • Under Info, click Settings, and then click Sync.
  • A sign-in dialog box appears, prompting you to enter your Microsoft account password.
  • In the Email address box, enter the email address for your Microsoft account.
  • Enter the app password in the Password box.
  • If you don't want to reenter an app password each time you sign in, select the Sign me in automatically check box, and then click OK.

Word, Excel, or PowerPoint

To save a Word, Excel, or PowerPoint file to the web, follow these steps:

  • Click File, click Save & Send, and then click Save to Web.
  • Click Sign In.

Saving files to the web with Office for Mac 2011

You can sign in to OneNote with your Microsoft account password. If you're using other Microsoft 365 apps, you'll see slightly different messages.

If Outlook prompts you to reenter your password:

  • Click Yes.
  • Enter the app password instead of the password for your Microsoft account.

If Word, Excel, or PowerPoint prompts you to enter your Microsoft account password:

  • Enter your Microsoft account email address.
  • Visit your Security basics page online to get an app password.
  • If you don't want to reenter an app password each time you sign in to a Microsoft 365 app, select the Save password in my Mac OS keychain check box.


Troubleshoot Multi-Factor Authentication Issues

User issues

If you do not have your mobile device, or it is turned off

If you have lost your device, you can finish authentication using the recovery code provided when you first signed up.

Enter your email and password to log in, and click the Use the recovery code link.

Enter your recovery code.

If you no longer have your recovery code, you will not be able to log in. Contact your system administrator for help accessing your account.

If you forget your password

If you have forgotten your password, click the Don't remember your password? link located underneath the email and password fields. Then, enter your email address to receive an email containing a link you can use to reset your password.

If your transaction expires

If more than five minutes have elapsed since the code or push notification was issued, the transaction has expired: log in again to obtain a new code or notification.

If you are requesting SMS messages, make sure you are not exceeding rate limits.

If you need to remove or delete MFA from a user in your tenant

If you need to remove, delete, or reset MFA for a user, reset MFA for that user in the tenant rather than deleting the user.

SMS-related issues

If you did not receive an SMS message

If you did not receive your six-digit code via SMS, check that the phone number you provided is correct. If it is, make sure you have a cellular signal.

If you still are not receiving the messages, check with your service provider to confirm that messages are not getting blocked.

SMS message rate limits

If you attempt to send more than ten SMS messages to your device within one hour, you will see an error message about a rate limit exception.

Once you have exceeded the limit, you must wait until at least an hour has passed since your first message before you can request another. After that, you get one additional attempt for each additional hour that passes.
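The limit described above is a sliding window: each send is remembered for an hour, and a slot frees up exactly one hour after the send that consumed it. The following is an added example, not Auth0's code, of how such a limiter behaves for an MFA SMS sender you run yourself; the 10-per-hour numbers are taken from the text, and the phone number and timestamps are constructed.

```python
from collections import deque
from dataclasses import dataclass, field


class RateLimitExceeded(Exception):
    """Raised when a phone number has used its SMS budget for the current window."""


@dataclass
class SmsRateLimiter:
    """Sliding-window limiter: at most `limit` sends per `window_seconds` per
    phone number. Sends are logged with their timestamp; a send is allowed when
    fewer than `limit` sends fall inside the trailing window, so the first slot
    frees one window after the first send, the next one window after the
    second send, and so on. Policy values mirror the text above (assumption)."""
    limit: int = 10
    window_seconds: int = 3600
    _sent: dict = field(default_factory=dict)   # phone -> deque of send timestamps

    def _prune(self, phone: str, now: float) -> deque:
        """Drop sends that have aged out of the window and return the live log."""
        log = self._sent.setdefault(phone, deque())
        while log and now - log[0] >= self.window_seconds:
            log.popleft()
        return log

    def remaining(self, phone: str, now: float) -> int:
        return self.limit - len(self._prune(phone, now))

    def seconds_until_next_allowed(self, phone: str, now: float) -> float:
        log = self._prune(phone, now)
        if len(log) < self.limit:
            return 0.0
        return log[0] + self.window_seconds - now   # when the oldest send ages out

    def send(self, phone: str, now: float) -> None:
        log = self._prune(phone, now)
        if len(log) >= self.limit:
            wait = self.seconds_until_next_allowed(phone, now)
            raise RateLimitExceeded(f"rate limit exceeded for {phone}; retry in {wait:.0f}s")
        log.append(now)   # the actual SMS dispatch would go here


def simulate(limiter: SmsRateLimiter, phone: str, times: list[float]) -> list[bool]:
    """Attempt one send per timestamp; True where the send was allowed."""
    results = []
    for t in times:
        try:
            limiter.send(phone, t)
            results.append(True)
        except RateLimitExceeded:
            results.append(False)
    return results


if __name__ == "__main__":
    attempts = [float(i) for i in range(10)] + [100.0, 3599.0, 3600.0, 3600.5, 3601.0]
    print(simulate(SmsRateLimiter(), "+15555550100", attempts))
```

The eleventh send at t=100 and the one at t=3599 are rejected; the one at t=3600 succeeds because the send at t=0 has aged out, and t=3601 succeeds because the send at t=1 has aged out, which is the "one additional attempt per hour" behaviour in the text.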

Rejected codes

If the 6-digit code in the Guardian or Google Authenticator app is being rejected for sign in (often with the message Incorrect Code), first check that you are reading the code from the right entry in your authenticator app. If you have verified that you are using the correct entry, make sure that your mobile device's clock is correct. One-time passwords are computed from the current time in Coordinated Universal Time (UTC), so if the device clock has drifted beyond the small tolerance the server allows, the code it displays will never match the one the server expects.

To check your clock settings:

Android devices - Go to Settings > Date & Time and make sure Automatic is enabled. If it is already enabled, turn it off and then on again to force the device to resync its clock.

iOS devices - Go to Settings > General > Date & Time and enable Set Automatically. If this setting was already enabled, disable it for a moment, then re-enable it.

Duo-related issues

For questions or issues specifically regarding Duo, see Duo's documentation.


Cupid Chan

Office365 MFA app password not working with MacOS Apple Mail

I actually encountered this problem myself and found a way to solve it. However, the original thread was closed without a proper answer. Hence I want to document it for people who have this same issue.

In order to use the App Password by Office 365 in MacOS Mail, do NOT pick "Sign In" to your Exchange account. Choose " Configure Manually ". Then, use your App Password instead of the regular account password in the pop up. Then you should be able to sign in with no problem.

Posted on Jan 12, 2021 3:43 AM


IOS Mail app with O365 MFA

Does anyone know if there is a way to use iOS Mail with an MFA-enabled O365 account other than by generating app passwords?

Although I have configured Outlook on all of my users' devices, a depressing number of them insist on using iOS mail, and supporting it is a giant pain in my rear, and it would make things a lot easier if it would work with MFA the way Outlook does.

I've read some stuff online implying IOS mail can be made to work with O365 MFA, but I can never get it to work when I try to test it-- IOS Mail always wants an app password.

Would appreciate any guidance on whether IOS Mail +MFA is possible, and if so, how to set it up.. Thanks!

User: Joseph Moran

Joseph9460 wrote: Juanoflo wrote: I feel your pain.  I am sorry you have to go through that.  I was lucky enough to convince the company president that turning off Activesync and using the Outlook App for company email is the best solution for security and manageability.  So all my users use the Company Portal and Outlook as their company email client exclusively.

To be honest, I've been considering lobbying for an Outlook-only approach myself. I see no reason to use the native iOS apps when Outlook does the work of three of them plus is more secure and easier to administer.

But since you've already done this, may I ask if there were any practical downsides or pain points as a result of making the switch, other than people complaining about not being able to use the apps they were accustomed to?  

That's it. Nothing else. I just had to teach the users to select Outlook when they want to share a picture via email. The only caveat we found is that contact syncing is one way (Outlook to Phone Contacts), so users will need to add and make changes in Outlook in order for them to sync to the local device; but it works both ways on Android.

Author Jordan L

Can I ask, why are you against app passwords? The functionality is already built in, and it's a 30-second task to obtain an app password and then save the credentials on the phone.

Author Joseph Moran

justgoogleit wrote: Can I ask, why are you against app passwords? The functionality is already built in, and it's a 30-second task to obtain an app password and then save the credentials on the phone.

I feel your pain.  I am sorry you have to go through that.  I was lucky enough to convince the company president that turning off Activesync and using the Outlook App for company email is the best solution for security and manageability.  So all my users use the Company Portal and Outlook as their company email client exclusively.


Author Adam H

We've gone the Outlook only route. Well, technically, it's a modern auth route, but we only support Outlook.

Author Kristi Baer

It looks like Modern Authentication is going to be required for O365 going forward beginning in October 2020.  You may want to take a look at this thread:   https://community.spiceworks.com/topic/2259787-office-365-admins-beware-microsoft-gives-heads-up-for-disruptive-changes?source=recommended

Author Matt Cavallin

We also went the Outlook app route on IOS and Android devices.

Well, the consensus seems to be for going Outlook-only, so I am going to plan on doing that. 

Thanks to all who responded.


sbradley

How to proactively prevent password-spray attacks on legacy email accounts

Hacker group Midnight Blizzard utilized password spray attacks that successfully compromised legacy Microsoft emails. Here’s how to reinforce your defenses against these intrusions.


Microsoft recently released a security news update that addresses chilling reports that attackers have been able to pivot from a test tenant to the C suite to obtain access to emails being sent and received. In addition, it came to light that HPE’s corporate mailboxes had been accessed using a similar exploit.

Both appear to be related to a password spray attack against legacy email accounts that did not have multifactor authentication enabled. Let’s break down Microsoft’s post and how we can proactively prevent such attacks in our own organization.

Microsoft indicated that: “Midnight Blizzard [a Russian state-sponsored actor also known as NOBELIUM] utilized password spray attacks that successfully compromised a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled. In a password-spray attack, the adversary attempts to sign into a large volume of accounts using a small subset of the most popular or most likely passwords.”

Make sure multifactor authentication is enabled

One lesson to be learned from this is to ensure that multifactor authentication (MFA) is enabled on everything and review processes used for test accounts that have access to your main production Microsoft 365 tenant. These days, MFA should be mandatory for any cloud service — don’t rely on just a password to protect any cloud asset.

If your user base objects to MFA, there are ways to make it more palatable. With conditional access you can configure policies so that MFA is not required from a trusted location. But don't get complacent: if attackers gain access to that trusted location, an allow-listed IP address that exists only to spare your executives an MFA prompt becomes a gap in your defenses. Depending on the risk tolerance of your organization, you may decide that such a policy is not wise.

Microsoft indicated that the attacks came from IP addresses that didn’t appear harmful. “The threat actor further reduced the likelihood of discovery by launching these attacks from a distributed residential proxy infrastructure,” according to the update. “These evasion techniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.”

Thus, normal defenses would have not flagged them as having come from risky locations. You may wish to consider installing static IP addresses in home settings for those individuals in your organization most likely to be targeted by attackers. The use of a static IP address means that you can identify and protect these accesses better than mere residential home IP addresses that may change over time.
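Because the source addresses look like ordinary home connections, the useful signal is the shape of the failures rather than the reputation of the IPs: many accounts each failing once or twice, from a handful of addresses that each touch several accounts. The following added example (mine, not Microsoft's or CSO's) runs that heuristic over a constructed sign-in log in the shape of Entra ID sign-in records, using error code 50126 (invalid username or password). Thresholds, addresses (TEST-NET ranges) and the fictional tenant are assumptions; tune the thresholds to your own baseline.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

INVALID_PASSWORD = 50126   # Entra ID sign-in error code: invalid username or password


def _event(ts, user, ip, code):
    """One constructed sign-in record with only the fields the detector reads."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample log (fictional tenant, TEST-NET addresses), not real data:
# five "residential" IPs each try one password against two accounts; one of those
# accounts (a legacy test account without MFA) accepts it; alice mistypes once from
# the office; bob is brute-forced from a single IP in a later hour.
SPRAY_IPS = ["203.0.113.10", "203.0.113.22", "198.51.100.7", "198.51.100.31", "192.0.2.55"]
SAMPLE_LOG = [_event(f"2024-01-12T03:{n:02d}:10Z", f"user{n}@contoso.example",
                     SPRAY_IPS[n % 5], INVALID_PASSWORD) for n in range(10)]
SAMPLE_LOG += [
    _event("2024-01-12T03:12:00Z", "user7@contoso.example", "198.51.100.7", 0),
    _event("2024-01-12T03:20:00Z", "alice@contoso.example", "10.1.1.5", INVALID_PASSWORD),
    _event("2024-01-12T03:20:30Z", "alice@contoso.example", "10.1.1.5", 0),
]
SAMPLE_LOG += [_event(f"2024-01-12T05:00:{s * 5:02d}Z", "bob@contoso.example",
                      "203.0.113.99", INVALID_PASSWORD) for s in range(6)]


def parse_events(lines):
    for line in lines:
        e = json.loads(line)
        yield {"time": datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00")),
               "user": e["userPrincipalName"].lower(), "ip": e["ipAddress"],
               "code": e["status"]["errorCode"]}


def detect_password_spray(events, min_accounts=5, max_per_account=3, min_accounts_per_ip=2):
    """Per clock hour: many distinct accounts failing a few times each is a spray;
    one account failing many times is brute force and is deliberately not reported.
    Spray sources are IPs that touched >= min_accounts_per_ip accounts, so a single
    user mistyping from the office is not listed as a source. A success from a spray
    IP on a sprayed account is reported as a likely compromise."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["time"].replace(minute=0, second=0, microsecond=0)].append(e)
    alerts = []
    for start, evs in sorted(buckets.items()):
        fails = [e for e in evs if e["code"] == INVALID_PASSWORD]
        per_user = Counter(e["user"] for e in fails)
        if len(per_user) < min_accounts or max(per_user.values(), default=0) > max_per_account:
            continue
        users_per_ip = defaultdict(set)
        for e in fails:
            users_per_ip[e["ip"]].add(e["user"])
        spray_ips = {ip for ip, users in users_per_ip.items() if len(users) >= min_accounts_per_ip}
        if not spray_ips:
            continue
        targeted = {e["user"] for e in fails if e["ip"] in spray_ips}
        compromised = sorted({e["user"] for e in evs
                              if e["code"] == 0 and e["ip"] in spray_ips and e["user"] in targeted})
        alerts.append({"window_start": start.isoformat(), "accounts": len(targeted),
                       "source_ips": sorted(spray_ips), "likely_compromised": compromised})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample, the 03:00 hour is flagged with ten targeted accounts, five source addresses and user7 as likely compromised, while bob's six failures at 05:00 are not reported as a spray (they would need a separate brute-force rule). Fixed hourly buckets are a simplification; a sliding window catches sprays that straddle an hour boundary.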

Pay attention to the location from which users log on

Often with an ISP it’s hard to determine the exact location from which a user is logging in. If they access from a cellphone, often that geographic IP address is in a major city many miles away from your location. In that case, you may wish to set up additional infrastructure to relay their access through a tunnel that is better protected and able to be examined. Don’t assume the bad guys will use a malicious IP address to announce they have arrived at your door.

According to Microsoft, “Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.”

The attackers then created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled malicious OAuth applications. “The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online  full_access_as_app   role, which allows access to mailboxes.”

This is where my concern pivots from Microsoft’s inability to proactively protect its processes to the larger issue of our collective vulnerability in cloud implementations. Authentication has moved away from the traditional username and password to application-based authentication that is more persistent. In addition, we often don’t understand what we are setting up in a cloud environment and accidentally leave permissions in such a state as to make it easier for the attackers to gain a foothold.

Configuring permissions to keep control of access parameters

By default, any user can create an app registration, consent to Microsoft Graph permissions for it, and thereby share corporate data with it. Set up your tenant so that an Application Administrator or Cloud Application Administrator must approve before a user can add such a third-party OAuth app to the tenant, rather than allowing self-service consent.

This is especially the case in an organization that manages sensitive information of any kind — all apps that are added to the Microsoft 365 tenant should be manually approved by an authorization process.  In the Microsoft 365 Admin Center select Settings, then Org Settings, scroll down to User Consent to Apps.

Uncheck the box that allows users to provide consent when apps request access to your organization’s data on their behalf. You want to vet applications before they get deployed to your users. The approach for the cloud is no different.


Next, go to entra.microsoft.com, open Applications > App registrations, and make sure you recognize every application listed. Don't panic if you see P2P Server listed; it is a placeholder created when the first machine is joined to Microsoft Entra. But vet and investigate any other application you do not recognize.


Next, go into User Settings and disable those that allow users to register their own applications:

“Users can register applications” should be: No.

“Restrict non-admin users from creating tenants” should be: Yes.

“Users can create security groups” should be: No.

“Restrict access to the Microsoft Entra admin center” should be: Yes.

You do want users to submit admin consent requests when setting up such an application. Test the approval process to ensure that the administrator you intend gets the prompt and vets the approval accordingly.

Be sure that any administrative user does not sign in from a personal device. Ensure you always use a dedicated secured device for administrative work and no other device.

Cloud applications can grant potentially dangerous rights to users

We have encouraged and used cloud applications to make our lives easier, but they have also introduced potentially dangerous rights. One such right is the AppRoleAssignment.ReadWrite.All Microsoft Graph application permission, which lets its holder grant app roles to any application, bypassing the admin consent process. That is by design, since it exists for exactly that kind of automation, but it makes the permission dangerous if you don't understand the implications: anything that holds it can grant itself further permissions.

Too often our developers and implementers have read a blog post or used a recommendation without truly understanding the risks. Often, we don’t go back and audit how our cloud implementations are working, nor do we keep a constant review of the changing defaults and introduction of new security defaults and features.

In light of this situation, go back and review whether you have assigned AppRoleAssignment.ReadWrite.All anywhere and inadvertently granted higher privileges than you intended. A better way to control application permissions is to avoid that role and instead use a permission grant (consent) policy.
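The settings above and the high-risk app roles are all readable through Microsoft Graph, so the review can be scripted instead of clicked through. The following is an added example, not Microsoft's code and not part of the article, that evaluates constructed objects in the shape Graph returns for /policies/authorizationPolicy, /policies/adminConsentRequestPolicy and a service principal's appRoleAssignments. It checks the four user settings that live in authorizationPolicy plus the consent-request switch ("Restrict access to the Microsoft Entra admin center" is not in that object and is not checked), and maps app role assignments back to their string values to find full_access_as_app and AppRoleAssignment.ReadWrite.All. The policy field names and the legacy consent policy ID are real; the service principal IDs, role IDs and app names are placeholders.

```python
# Graph permission-grant policy that lets every user consent to any app
# (the legacy default the article says to switch off).
LEGACY_USER_CONSENT = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

# App roles the article calls out; extend with others you consider tenant-critical.
HIGH_RISK_APP_ROLES = {
    "AppRoleAssignment.ReadWrite.All",   # Microsoft Graph: grant app roles, bypassing consent
    "full_access_as_app",                # Office 365 Exchange Online: every mailbox
}


def audit_authorization_policy(policy: dict, consent_request_policy: dict) -> list[str]:
    """One finding per default-user setting that is weaker than the recommendation above."""
    perms = policy.get("defaultUserRolePermissions", {})
    findings = []
    if perms.get("allowedToCreateApps", True):
        findings.append("Users can register applications: set to No")
    if perms.get("allowedToCreateSecurityGroups", True):
        findings.append("Users can create security groups: set to No")
    if perms.get("allowedToCreateTenants", True):
        findings.append("Restrict non-admin users from creating tenants: set to Yes")
    if LEGACY_USER_CONSENT in perms.get("permissionGrantPoliciesAssigned", []):
        findings.append("User consent to apps is allowed for all apps: require admin consent")
    if not consent_request_policy.get("isEnabled", False):
        findings.append("Admin consent requests are disabled: users cannot route apps to an approver")
    return findings


def find_high_risk_app_roles(assignments: list[dict], app_roles_by_resource: dict) -> list[tuple[str, str]]:
    """appRoleAssignment objects carry only appRoleId; resolve each to the role's
    string value via the resource service principal's appRoles and keep the dangerous ones."""
    hits = []
    for a in assignments:
        value = app_roles_by_resource.get(a["resourceId"], {}).get(a["appRoleId"])
        if value in HIGH_RISK_APP_ROLES:
            hits.append((a["principalDisplayName"], value))
    return sorted(hits)


# ---- constructed sample objects (placeholder IDs and names, not a real tenant) ----
WEAK_POLICY = {"defaultUserRolePermissions": {
    "allowedToCreateApps": True, "allowedToCreateSecurityGroups": True,
    "allowedToCreateTenants": True,
    "permissionGrantPoliciesAssigned": [LEGACY_USER_CONSENT]}}
HARDENED_POLICY = {"defaultUserRolePermissions": {
    "allowedToCreateApps": False, "allowedToCreateSecurityGroups": False,
    "allowedToCreateTenants": False, "permissionGrantPoliciesAssigned": []}}
CONSENT_REQUESTS_OFF = {"isEnabled": False}
CONSENT_REQUESTS_ON = {"isEnabled": True, "notifyReviewers": True}

GRAPH_SP, EXO_SP = "sp-graph-0001", "sp-exo-0002"   # placeholder resource service principal ids
APP_ROLES_BY_RESOURCE = {
    GRAPH_SP: {"role-0001": "AppRoleAssignment.ReadWrite.All", "role-0002": "User.Read.All"},
    EXO_SP: {"role-0003": "full_access_as_app"},
}
SAMPLE_ASSIGNMENTS = [
    {"principalDisplayName": "Legacy Test App", "resourceId": EXO_SP, "appRoleId": "role-0003"},
    {"principalDisplayName": "HR Sync", "resourceId": GRAPH_SP, "appRoleId": "role-0002"},
    {"principalDisplayName": "Deploy Helper", "resourceId": GRAPH_SP, "appRoleId": "role-0001"},
]

if __name__ == "__main__":
    for finding in audit_authorization_policy(WEAK_POLICY, CONSENT_REQUESTS_OFF):
        print("FINDING:", finding)
    for principal, role in find_high_risk_app_roles(SAMPLE_ASSIGNMENTS, APP_ROLES_BY_RESOURCE):
        print(f"HIGH-RISK: {principal} holds {role}")
```

The weak policy produces five findings and the hardened one none; the assignment scan reports the legacy test app with full_access_as_app and the deploy helper with AppRoleAssignment.ReadWrite.All while ignoring the read-only HR sync. In a live tenant, feed it the output of the Graph calls for those three objects (the Microsoft Graph PowerShell SDK cmdlets Get-MgPolicyAuthorizationPolicy, Get-MgPolicyAdminConsentRequestPolicy and Get-MgServicePrincipalAppRoleAssignedTo return them) and run it on a schedule so a newly granted role shows up the day it appears.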

The bottom line is: don’t just deploy new cloud technologies without looking for cloud-hardening guidance as well. Review the recommendations by CIS benchmarks , and other vendors that provide Azure hardening advice. Don’t just take the defaults provided by the vendor, clouds need hardening too — they are not secure by default.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.


Turning off App Passwords in Multi-Factor Authentication

I've seen this asked several times before but have not seen an adequate response.

I'm trying to enable multi-factor authentication in Office 365, but when I do it not only asks for the SMS phone message code, it asks for the app password -- which is different than the domain user password my users have been familiar with for many years. The password window that pops up shows no indication that it is asking for a completely new password -- it looks just like the old domain user popup.

This is very confusing for my users. What I want is to require two factors: the domain password and the SMS code. Not this bizarre third password, which is impossible to remember and apparently impossible to recover or regenerate.

I have changed the service setting from "Allow users to create app passwords to sign in to non-browser apps" to "Do not allow users to create app passwords to sign in to non-browser apps", which is very confusing wording.

After I do so, a user with MFA is prompted for the SMS code, and is NOT shown a system-generated app password. But one is still required by at least some desktop apps! For instance, I'm trialing this feature now, but I cannot sign into Skype for Business desktop app no matter what, because it's asking for a password which I do not and cannot have. My regular domain password does not work, and I DO NOT HAVE AN APP PASSWORD.

OneDrive signs me in after an SMS code, but desktop Outlook is refusing to sign me in at all -- my regular domain password does not work, as it did before, and I DO NOT HAVE AN APP PASSWORD.  This is an impossible system to roll out to users, where one is required to use a brand new mystery password which is never revealed.


Dude, after you configure it for "do not allow the user to create app passwords" then it will no longer create an app password for the user. 

If you are using apps that are not compatible with MFA, then you have to leave it set to allow users to create app passwords and use those. It sucks and kind of defeats the purpose of MFA, but that's how it is right now.


If Modern Authentication is forced, are app passwords still working?

Microsoft announced that with Modern Authentication starting from October 1st 2022 basic authentication will be disabled. https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

But when reading articles about app passwords, it seems to me that they are still supported. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords https://support.microsoft.com/en-us/account-billing/using-app-passwords-with-apps-that-don-t-support-two-step-verification-5896ed9b-4263-e681-128a-a6f2979a7944 I also could not find any document saying that app passwords are deprecated with October 1st.

But because app passwords use basic authentication I am not sure whether they will still work or not.


Once Basic auth is deprecated, app passwords will no longer work, as detailed here: https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

The deprecation of basic authentication will also prevent the use of app passwords with apps that don't support two-step verification.


Basic auth is deprecated, but App Passwords still work.

I just created an App Password and used it in a third-party email client.


4 Ways Hackers use Social Engineering to Bypass MFA


When it comes to access security, one recommendation stands out above the rest: multi-factor authentication (MFA). With passwords alone being simple work for hackers, MFA provides an essential layer of protection against breaches. However, it's important to remember that MFA isn't foolproof. It can be bypassed, and it often is.

If a password is compromised, there are several options available to hackers looking to circumvent the added protection of MFA. We'll explore four social engineering tactics hackers successfully use to breach MFA and emphasize the importance of having a strong password as part of a layered defense.

1. Adversary-in-the-middle (AITM) attacks

AITM attacks involve deceiving users into believing they're logging into a genuine network, application, or website. But really, they're giving up their information to a fraudulent lookalike. This lets hackers intercept passwords and manipulate security measures, including MFA prompts. For instance, a spear-phishing email may arrive in an employee's inbox, posing as a trusted source. Clicking on the embedded link directs them to a counterfeit website where hackers collect their login credentials.

While MFA should ideally prevent these attacks by requiring an additional authentication factor, hackers can employ a technique known as '2FA pass-on.' Once the victim enters their credentials on the fake site, the attacker promptly enters the same details on the legitimate site. This triggers a legitimate MFA request, which the victim anticipates and readily approves, unwittingly granting the attacker complete access.

This is a common tactic for threat groups such as Storm-1167, who are known for crafting fake Microsoft authentication pages to harvest credentials. They also create a second phishing page that mimics the MFA step of the Microsoft login process, prompting the victim to put in their MFA code and grant the attackers access. From there, they gain access to a legitimate email account and can use it as a platform for a multi-stage phishing attack.

2. MFA prompt bombing

This tactic takes advantage of the push notification feature in modern authentication apps. After compromising a password, attackers attempt to log in, which sends an MFA prompt to the legitimate user's device. They rely on the user either mistaking it for a genuine prompt and accepting it, or becoming frustrated with continuous prompts and accepting one to stop the notifications. This technique, known as MFA prompt bombing, poses a significant threat.

In a notable incident, hackers from the 0ktapus group compromised an Uber contractor's login credentials through SMS phishing, then continued with the authentication process from a machine they controlled and immediately requested a multi-factor authentication (MFA) code. They then impersonated an Uber security team member on Slack, convincing the contractor to accept the MFA push notification on their phone.
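Prompt bombing leaves a distinctive trace in the identity provider's authentication-method logs: one user receiving a burst of push prompts, mostly denied or timed out, often ending in a single approval. The following added example (mine, not from the article or any vendor) flags that pattern with a sliding window over constructed push-result events; the event shape, the ten-minute window and the five-prompt threshold are assumptions to adapt to your IdP's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA result events: (timestamp, user, source IP of the sign-in, result).
# carol is bombed and finally approves; dave and erin show ordinary, well-spaced prompts.
SAMPLE_PUSH_EVENTS = [
    ("2024-03-01T08:00:05Z", "carol@contoso.example", "203.0.113.40", "denied"),
    ("2024-03-01T08:00:50Z", "carol@contoso.example", "203.0.113.40", "timeout"),
    ("2024-03-01T08:01:30Z", "carol@contoso.example", "203.0.113.40", "denied"),
    ("2024-03-01T08:02:10Z", "carol@contoso.example", "203.0.113.40", "timeout"),
    ("2024-03-01T08:03:00Z", "carol@contoso.example", "203.0.113.40", "denied"),
    ("2024-03-01T08:04:20Z", "carol@contoso.example", "203.0.113.40", "timeout"),
    ("2024-03-01T08:05:45Z", "carol@contoso.example", "203.0.113.40", "approved"),  # user gave in
    ("2024-03-01T08:30:00Z", "dave@contoso.example", "10.1.1.9", "approved"),
    ("2024-03-01T17:45:00Z", "dave@contoso.example", "10.1.1.9", "approved"),
    ("2024-03-01T09:00:00Z", "erin@contoso.example", "10.1.1.12", "approved"),
    ("2024-03-01T09:25:00Z", "erin@contoso.example", "10.1.1.12", "timeout"),
    ("2024-03-01T09:50:00Z", "erin@contoso.example", "10.1.1.12", "approved"),
    ("2024-03-01T10:15:00Z", "erin@contoso.example", "10.1.1.12", "approved"),
    ("2024-03-01T10:40:00Z", "erin@contoso.example", "10.1.1.12", "approved"),
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_prompt_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received at least `min_prompts` push prompts within any span
    of length `window`. One alert per user describing the densest burst, the IPs
    behind it and whether an approval happened inside it (the dangerous case:
    a bombed user who finally tapped Approve)."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        by_user[user].append((_ts(ts), ip, result))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        start, best = 0, None
        for end, (t, _, _) in enumerate(evs):
            while t - evs[start][0] > window:     # slide the window's left edge forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= min_prompts and (best is None or len(burst) > best["prompts"]):
                best = {
                    "user": user,
                    "prompts": len(burst),
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                    "source_ips": sorted({ip for _, ip, _ in burst}),
                    "approved": any(r == "approved" for _, _, r in burst),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_PUSH_EVENTS):
        print(alert)
```

Only carol is reported: seven prompts in under six minutes from one address, with `approved` true, which is the event to respond to immediately (revoke sessions, reset the password, check for new MFA methods registered from that IP). Erin's five prompts over nearly two hours never fall inside a single window, so ordinary users are not flagged. Number matching or a phishing-resistant method removes the attack surface; this detection is for the interval before that is rolled out.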

3. Service desk attacks

Attackers deceive helpdesks into bypassing MFA by feigning password forgetfulness and gaining access through phone calls. If service desk agents fail to enforce proper verification procedures, they may unknowingly grant hackers an initial entry point into their organization's environment. A recent example was the MGM Resorts attack , where the Scattered Spider hacker group fraudulently contacted the service desk for a password reset, giving them a foothold to log in and launch a ransomware attack.

Hackers also try to exploit recovery settings and backup procedures by manipulating service desks to circumvent MFA. 0ktapus have been known to resort to targeting an organization's service desk if their MFA prompt bombing proves unsuccessful. They'll contact service desks claiming their phone is inoperable or lost, then request to enroll a new, attacker-controlled MFA authentication device. They can then exploit the organization's recovery or backup process by getting a password reset link sent to the compromised device. Concerned about service desk security gaps? Learn how to secure yours.

4. SIM swapping

Cybercriminals understand MFA often relies on cell phones as a means of authentication. They can exploit this with a technique called a 'SIM swap', where hackers deceive service providers into transferring a target's services to a SIM card under their control. They can then effectively take over the target's cell service and phone number, letting them intercept MFA prompts and gain unauthorized access to accounts.

After an incident in 2022, Microsoft published a report detailing the tactics employed by the threat group LAPSUS$. The report explained how LAPSUS$ dedicates extensive social engineering campaigns to gaining initial footholds in target organizations. One of their favored techniques is targeting users with SIM-swapping attacks, along with MFA prompt bombing, and resetting a target's credentials through help desk social engineering.

You can't fully rely on MFA – password security still matters

This isn't an exhaustive list of ways to bypass MFA. There are several other ways too, including compromising endpoints, exporting generated tokens, exploiting SSO, and finding unpatched technical deficiencies. It's clear that setting up MFA doesn't mean organizations can forget about securing passwords altogether.

Account compromise still often starts with weak or compromised passwords. Once an attacker obtains a valid password, they can then shift their focus towards bypassing the MFA mechanism. Even a strong password can't protect users if it's been compromised through a breach or password reuse. And for most organizations, going fully passwordless won't be a practical option.

With a tool like Specops Password Policy, you can enforce robust Active Directory password policies to eliminate weak passwords and continuously scan for compromised passwords resulting from breaches, password reuse, or being sold after a phishing attack. This ensures that MFA serves as an additional layer of security as intended, rather than being solely relied upon as a silver-bullet solution. If you're interested in exploring how Specops Password Policy can fit with your organization's specific needs, please contact us.


