How to Add Two-Factor Authentication to Outlook Web App (OWA)

We developed two products for Outlook OWA 2FA: the first product is Protectimus OWA, developed specifically for Office OWA integration; the second solution is Protectimus DSPA which adds 2FA directly to Active Directory

If you read this article, you probably know the answer to the “what is OWA” question. But just in case — OWA Outlook is a browser email client to access Microsoft Outlook without any on-premises installations for Exchange 2013, Exchange 2010 users. For Microsoft Outlook update for Microsoft Exchange 2016 it was rebranded as “Outlook on the web”. OWA Outlook online provides access not only to email, but to other personal information like calendar, contacts, and tasks, and is widely used by businesses all over the world. With such sensitive data involved, OWA two-factor authentication becomes imperative.

Method 1. Use Protectimus OWA 2FA Plugin

Our Exchange OWA plugin is designed to integrate Outlook 2-factor authentication for mail on Microsoft Exchange 2016, Exchange 2013 as well as 2019. Protectimus installation wizard finishes a Microsoft MFA setup in 15 min tops.

How it works

With the plugin from Protectimus, OWA multi-factor authentication will be integrated with the OWA app only, nothing else. This method requires registering to Protectimus cloud service or downloading our MFA platform (contact out ), setting it up and starting the installation wizard. That is it.

Supported tokens

All the MFA tokens are divided into software and hardware kinds. The divide is derived from the secret key (seed) implementation. Since we are focused solely on Microsoft Outlook Exchange login here, we won’t delve into details on how 2FA works. But you can always read other articles on our blog for more info on various MFA specifics. For now let’s just mention the tokens Protectimus OWA two-factor authentication supports:

Protectimus Slim NFC

  • Programmable secret key. Which means — the token can be reprogrammed.
  • 3–5 years battery life.
  • Waterproof.
  • $29.99/token.

Protectimus TWO

  • Secret key is hardcoded, which means the token can be used for one app/website only.
  • 3–5 years battery life.
  • Waterproof and shockproof.
  • $11.99/item.

Protectimus SMART OTP

  • Protected with PIN.
  • Can be used on multiple apps/websites simultaneously.
  • Free.

Protectimus BOT

  • OWA auth OTPs are delivered via chatbots in Telegram, Facebook Messenger, Viber.
  • Free.

Protectimus MAIL

  • OTPs for OWA login are delivered via email. (The passwords have to be sent to different email clients, not OWA email)
  • Free.

Protectimus SMS

  • OWA webmail login one-time passwords are sent via SMS. With the on-premise option, any SMS service can be employed.
  • $2 per user per month.

How to set up Outlook Web App 2-factor authentication with Protectimus OWA

First, get the OWA multi-factor authentication installer. Then register and sign in Protectimus cloud service and follow these steps:

  • Add Users. Add a user’s Login, other parameters are optional. The user Login has to be login@domain, where login is the username in Active Directory, and domain is the corporate domain.
  • Add Tokens. As you already know any OATH tokens may be used, but we will use Protectimus Smart.
  • Add the Token Name. Using the Protectimus app scan the QR with the seed encoded. Input the OTP code you see next and click Save.
  • Assign Tokens to Users. Return to the Users and match the tokens with the appropriate users: click Assign Token — Existing, select the required token, and click Assign.
  • Assign Tokens and Users to the Resource. Go to the Resources page, click the Assign button, choose a Token-User combination, and select the tokens that should be accredited to the resource.
  • Run the installation wizard as administrator. When you see the welcome message — click Next to proceed.
  • Accept the terms in the License Agreement after attentively reading them, push the “Next” button.
  • Choose the folder where you want the app installed, and press Next.
  • Add API URL, Login, API Key, and Resource ID (API URL: https://api.protectimus.com/; API Login: the email of your Protectimus Service account login; API Key: you’ll find it on the Profile page; Resource ID: can be found on the Resources page.
  • Click Next to continue.
  • Everything is ready. Click Install and finish the process.
  • Outlook web access two-factor authentication is enabled now.

Method 2. Use Protectimus Dynamic Strong Password Authentication to enable OWA two-factor authentication through AD

Unlike Protectimus OWA, DSPA was designed to add MFA to everything hooked up to Active Directory, which includes OWA Outlook Web App for Outlook Exchange 2010.

How it works

After DSPA is deployed the users’ passes in Active Directory, and with it in Outlook Exchange, get a second dynamic part in addition to the common user password.

Supported tokens

Since DSPA allows the admins to set the OTP lifetime as long as they like, the tokens, which will deliver those OTPs, have to support this feature as well. This pegs down the token choice significantly.

Protectimus Smart OTP

  • PIN protected.
  • Can be used with multiple apps/websites simultaneously.
  • Free

Custom hardware tokens

  • Or you can order custom devices for your company. To do that chat with us.

How to integrate Outlook two-factor authentication applying DSPA

Configuring Protectimus on-premise for AD, and Microsoft OWA alongside, is as easy and effortless as the Protectimus OWA setup:

Conclusions

OWA intermedia security settings are not sufficient enough if you want your business OWA mail and everything connected to it to be truly secure. Both two-factor authentication outlook options we offer are good, which one to choose depends on your needs and the quantity of users you have. If you want to protect everything, not only web Outlook, and you have more than 200 users — opt for DSPA. If all you need to protect is webmail OWA and the quantity of users is small — Protectimus OWA is the way to go.
If after reading this article, you still have any questions on our Microsoft Outlook web app 2FA solutions, or you hesitate on which one to choose — do contact us. We are here to help you protect your Microsoft Exchange Outlook web access.

Read also:

Two-factor authentication solutions for business. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store