How to Add Two-Factor Authentication to Outlook Web App (OWA)

We developed two products for Outlook OWA 2FA: the first product is Protectimus OWA, developed specifically for Office OWA integration; the second solution is Protectimus DSPA which adds 2FA directly to Active Directory

If you read this article, you probably know the answer to the “what is OWA” question. But just in case — OWA Outlook is a browser email client to access Microsoft Outlook without any on-premises installations for Exchange 2013, Exchange 2010 users. For Microsoft Outlook update for Microsoft Exchange 2016 it was rebranded as “Outlook on the web”. OWA Outlook online provides access not only to email, but to other personal information like calendar, contacts, and tasks, and is widely used by businesses all over the world. With such sensitive data involved, OWA two-factor authentication becomes imperative.

We developed two products for Outlook OWA 2FA. The first product is Protectimus OWA, developed specifically for Office OWA integration. The second solution is Protectimus DSPA which adds 2FA directly to the repository (Active Directory, Lightweight Directory Access Protocol, databases) and thus adds MFA to everything linked to the business AD, LDAP, etc.

Today we will give you an in depth look into both methods. We will describe their work, show you how to implement each solution and list the tokens that support them.

Method 1. Use Protectimus OWA 2FA Plugin

Our Exchange OWA plugin is designed to integrate Outlook 2-factor authentication for mail on Microsoft Exchange 2016, Exchange 2013 as well as 2019. Protectimus installation wizard finishes a Microsoft MFA setup in 15 min tops.

How it works

With the plugin from Protectimus, OWA multi-factor authentication will be integrated with the OWA app only, nothing else. This method requires registering to Protectimus cloud service or downloading our MFA platform (contact out ), setting it up and starting the installation wizard. That is it.

This product for OWA two-factor authentication runs either in cloud, or locally. The customer gets all the advanced features like geo and time filters, IP filters, analysis of the user environment etc. Every Protectimus token works with this plugin, and it supports third-party tokens as well.

Supported tokens

All the MFA tokens are divided into software and hardware kinds. The divide is derived from the secret key (seed) implementation. Since we are focused solely on Microsoft Outlook Exchange login here, we won’t delve into details on how 2FA works. But you can always read other articles on our blog for more info on various MFA specifics. For now let’s just mention the tokens Protectimus OWA two-factor authentication supports:

  • Hardware device that looks like a credit card.
  • Programmable secret key. Which means — the token can be reprogrammed.
  • 3–5 years battery life.
  • Waterproof.
  • $29.99/token.
  • Hardware token, slightly bulkier than Slim NFC.
  • Secret key is hardcoded, which means the token can be used for one app/website only.
  • 3–5 years battery life.
  • Waterproof and shockproof.
  • $11.99/item.
  • Software token — 2FA app for iOS and Android.
  • Protected with PIN.
  • Can be used on multiple apps/websites simultaneously.
  • Free.
  • Software token.
  • OWA auth OTPs are delivered via chatbots in Telegram, Facebook Messenger, Viber.
  • Free.
  • Software token.
  • OTPs for OWA login are delivered via email. (The passwords have to be sent to different email clients, not OWA email)
  • Free.
  • Software token.
  • OWA webmail login one-time passwords are sent via SMS. With the on-premise option, any SMS service can be employed.
  • $2 per user per month.

As for the third party tokens — our OWA webmail 2FA supports any tokens that work on OATH standard algorithms. We support several of the most popular tokens from other OWA two-factor authentication providers, so the integration should not take too much effort on your part but you’ll still need a bit deeper knowledge of your token.

How to set up Outlook Web App 2-factor authentication with Protectimus OWA

First, get the OWA multi-factor authentication installer. Then register and sign in Protectimus cloud service and follow these steps:

  • Add Resource. Only the Resource Name is obligatory, the rest of the parameters are optional.
  • Add Users. Add a user’s Login, other parameters are optional. The user Login has to be login@domain, where login is the username in Active Directory, and domain is the corporate domain.
  • Add Tokens. As you already know any OATH tokens may be used, but we will use Protectimus Smart.
  • Add the Token Name. Using the Protectimus app scan the QR with the seed encoded. Input the OTP code you see next and click Save.
  • Assign Tokens to Users. Return to the Users and match the tokens with the appropriate users: click Assign Token — Existing, select the required token, and click Assign.
  • Assign Tokens and Users to the Resource. Go to the Resources page, click the Assign button, choose a Token-User combination, and select the tokens that should be accredited to the resource.
  • Run the installation wizard as administrator. When you see the welcome message — click Next to proceed.
  • Accept the terms in the License Agreement after attentively reading them, push the “Next” button.
  • Choose the folder where you want the app installed, and press Next.
  • Add API URL, Login, API Key, and Resource ID (API URL: https://api.protectimus.com/; API Login: the email of your Protectimus Service account login; API Key: you’ll find it on the Profile page; Resource ID: can be found on the Resources page.
  • Click Next to continue.
  • Everything is ready. Click Install and finish the process.
  • Outlook web access two-factor authentication is enabled now.

Here’s a video to illustrate the above steps:

Method 2. Use Protectimus Dynamic Strong Password Authentication to enable OWA two-factor authentication through AD

Unlike Protectimus OWA, DSPA was designed to add MFA to everything hooked up to Active Directory, which includes OWA Outlook Web App for Outlook Exchange 2010.

How it works

After DSPA is deployed the users’ passes in Active Directory, and with it in Outlook Exchange, get a second dynamic part in addition to the common user password.

The dynamic password is a one-time password generated on the basis of TOTP algorithm, this means these OTPs expire in a few seconds or minutes. The passwords’ lifespan can be set up by the admin and can be anything from a few seconds to hours.

An Outlook Web Access password created with the dynamic component will be something like “Passcode855511”, where “Passcode” is the user’s static pass, and “855511” is the changing OTP added by the dynamic pass component.

For Protectimus DSPA to work you will need Protectimus on premises solution (the price starts from $199/month).

Supported tokens

Since DSPA allows the admins to set the OTP lifetime as long as they like, the tokens, which will deliver those OTPs, have to support this feature as well. This pegs down the token choice significantly.

  • MFA mobile app for iOS and Android.
  • PIN protected.
  • Can be used with multiple apps/websites simultaneously.
  • Free
  • You can opt for classic hardware tokens if you are ok with the 30–60 seconds OTP lifespan.
  • Or you can order custom devices for your company. To do that chat with us.

How to integrate Outlook two-factor authentication applying DSPA

Configuring Protectimus on-premise for AD, and Microsoft OWA alongside, is as easy and effortless as the Protectimus OWA setup:

1. Install Protectimus MFA Platform. Request the platform with DSPA and installation instructions from us.

2. Add users. On the Users tab, choose Add User. Then check the LDAP User box. The Login has to be the user’s AD Common Name. Each end-user needs an email address, an admin has to add them on this step.

3. Create a resource. On the Resources tab, choose Add Resource. Check the LDAP box.

4. Assign Users to the Resource. Next, the Users are to be attached to the Resource. In the Resources tab, click Assign -> Users. Only LDAP users can be assigned to an LDAP resource.

5. Enable Self-Service. Find and check “Enable User’s Self-Service for This Resource” in the new resource. Come up with the URL for your end-users to access the page by adding a custom part to the link. If we add “mywebowa”, the link would be https://service.protectimus.com/selfservice/mywebowa

6. Make your Users create tokens via Self-Service. Each user has to create their own tokens and add their static passes to them. Give the link you came up with to each end-user. Ask them to sign in with their Common Name and the OTPs emailed to the addresses you added in the second step. Every user needs to register a New Token (let them know what time interval to choose) and to add their AD unchanging passcode.

Conclusions

OWA intermedia security settings are not sufficient enough if you want your business OWA mail and everything connected to it to be truly secure. Both two-factor authentication outlook options we offer are good, which one to choose depends on your needs and the quantity of users you have. If you want to protect everything, not only web Outlook, and you have more than 200 users — opt for DSPA. If all you need to protect is webmail OWA and the quantity of users is small — Protectimus OWA is the way to go.
If after reading this article, you still have any questions on our Microsoft Outlook web app 2FA solutions, or you hesitate on which one to choose — do contact us. We are here to help you protect your Microsoft Exchange Outlook web access.

Read also:

Originally published at https://www.protectimus.com on July 9, 2020.

Two-factor authentication solutions for business. Secure your organization’s and user’s data with MFA: https://www.protectimus.com/