Outlook.com, two-factor authentication and WLM
jsmith99
Posts: 20,382
Forum Member
✭✭✭
This afternoon I decided to set my main outlook.com mail account to use two-factor authentication (TFA).
It all went more smoothly than I thought it would :
Logged in to account on laptop: received a code by SMS, and ticked to set my laptop as a "trusted device".
Logged in on iPad : received a code by email, set iPad as "trusted device". Also sent and received emails directly on iPad,
(i.e. not logged in to web account) without problem.
However, when I tried to use Windows Live Mail, it kept asking me for the password. Deleting the account and introducing it again (twice, as new account and importing the .iaf file) made no difference.
Googling suggested two solutions :
1. Set it up as POP3, not "Delta Sync",
Tried it, still didn't work
2. Outlook.com has apps for "other devices".
There isn't one specifically for WLM, but I tried anyway .... didn't work.
To check whether the problem lay with WLM or Outlook, I downloaded and installed Thunderbird. I set up a different outlook address, plus an alias : they worked.
Then I set up my main outlook address : again, it kept asking for the password.
In the end, I logged back into outlook.com, and cancelled the TFA. Guess what - my account now worked, in both WLM and Thunderbird.
Hope that all made sense - it accounted for about 5 hours of my day!
So, given that both outlook.com and WLM come from Microsoft, is there any reason they can't work together? Or did I miss a step?
(I must say I liked the look of Thunderbird - very clean layout compared to WLM. However, there were a number of functions I couldn't find, like exporting accounts or messages).
0
Comments
This is done in the security section of the Microsoft account website.
A little more searching found a couple of items :
1. I should have added it to the normal password, though this was in relation to a different client, not WLM.
2. A statement, I think by Microsoft, that TFA just did not work with WLM.
I'd disabled TFA by then anyway. So I'm now relying on a stronger password. Which is a pity, because I like the idea of TFA, especially when you can specify that it not be used with your usual devices.
IvanIV : You made TFA work with WLM? Could you explain what you did?
This message was posted on 25/4/13 on what seems to be an official Microsoft forum :
http://answers.microsoft.com/en-us/windowslive/forum/livemail-signin/how-to-enable-tfa-for-windows-live-mail/82b36980-9ed0-469c-b27a-b39ae1965aaf
ETA: the computer probably doesn't have to be trusted, it already was and I do not know where I can un-trust it. It's W7 and I do not know where to remove it selectively...
I think the point is that it's not a single passcode, you get a different one every time you log in (though it's not clear on the website, it may be a static code).
Logging in on the outlook website, you simply get a webpage asking for the code. Similarly on the iPad, though I've no idea how that works. The page also has the tickbox to say that this is a trusted device.
WLM (and Thunderbird) simply send a message containing account name and password. There's no provision in the settings to send anything else.
That's my theory, anyway : there's no interaction provision with WLM.
IvanIV :
I'll have another try, maybe tonight or tomorrow.
The next screen will show an automatically generated password which you can put in to WLM (or any other programme that doesn't support TFA) instead of your normal password and this will allow that app to bypass TFA, so it doesn't need to be able to send any extra code.
IvanIV: I have TFA enabled and SkyDrive (and all other stuff) works fine for me on WP7 - what issues are you seeing?
Is your phone trusted? How did you do it if yes? I had to enter the code, but then I was not able to use it with Office, for example. I think I need to make the phone trusted to make this work.
Ah, I used an app password - no need to be trusted then. Have you tried logging in to your account via the browser? Then you should get a check box to make the device trusted - not sure whether this would have any effect on the office apps though or just Internet Explorer.
I set up a test account, and set it to TFA. Logging in to the account, I got a pass code and I ticked "trust this device". I did the same on iPad.
I realised that I'd been going to the wrong place to get the password for WLM. You don't use "security info" on the left, you go to "account overview" and, on that page, scroll down to "edit security info". On the next page, you select "Create a new app password".
That's the password you use in WLM instead of your account password.
That all went smoothly - on the test account.
Changing to my real account, most of it went smoothly. Eventually, I got it sorted out, on WLM. For some reason, it wasn't so easy when I tried it on Thunderbird.
Anyway, a few hours later, I could send and receive on my TB accounts. That's when I found a new problem - my BT mail accounts hadn't set themselves up properly - there were no accounts for them, and they were sending and receiving via "Local folders". So I deleted them, and I'll look at them later.
So I logged in to my account from my iPad and got another app password. I copied and pasted this into my mail account, and it worked.
I also noticed an option for "remove old passwords", but I'm a bit wary of this. I now have four different app passwords :
real and test accounts
WLM on laptop and mail on iPad.
If I remove old passwords, will any of these disappear? And can I just get one password from the laptop, and use this for laptop and iPad? I tried that, and it didn't work, but there could be a variety of reasons for that.
It's best to use one app password per different application - you're not really supposed to keep a record of these passwords yourself. Just copy, paste, tick 'remember password' (or similar) in your app and forget about it.
Yeah, that's the gist of it - I like how Google and Facebook do it better, though. They will only show you the password once, but you can give the app/device a name - once you stop using that app/device you can revoke that one password. It stops you having a load of redundant passwords lying about.
With Microsoft's way I think I already have two or three passwords that can be used to access my account if somebody somehow guesses them, but to get rid of them I need to reconfigure all of my things using app passwords. Not good.
ETA: Also I think it's likely they keep track of a MAC address the app password is used from once it was used for the first time. That would make the app password unusable if anybody stole it somehow. This is easy to test.
It doesn't need to be a trusted device for app passwords to work. There isn't really any way to trust the device.
The passwords I've had so far have been lower case alphanumeric - I can't remember how long though. But with several passwords and no special characters it's not ideal.
I agree that it's unlikely to be an issue, but other implementations of TFA have this sorted and it is interesting that Microsoft have chosen not to do it.
You cannot log on with a browser into your account with an app password. You use your original password and depending on if your device is trusted you need the code or not. App passwords are for applications that access your account, but they cannot manage it. Yes, it's still bad and damage can be done, but if they are any clever at MS they block the access to an account after several unsuccessful logins. So it would have to be someone who knows you and knows where you kept those funny passwords. If they can be reused at all. Which I doubt.
Indeed.
Well, you can test that theory and find them stupid. But if a stupid message board suspended my next tries for 15 minutes after I typed my password wrong three times, MS may know this trick, too.
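
An added example, not part of the thread and not Microsoft's or Google's code: a Python model of the scheme the later replies describe, with one named app password per client, shown once, revocable individually, and an account-level lockout of 15 minutes after three wrong guesses. The class name, labels, 16-character length and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # "lower case alphanumeric"
MAX_FAILURES = 3            # threshold taken from the thread's message-board anecdote
LOCKOUT_SECONDS = 15 * 60   # likewise


class AppPasswords:
    """Per-app passwords for clients that can only send user name + password."""

    def __init__(self):
        self._hashes = {}        # label -> (salt, digest); plaintext is never kept
        self._failures = 0
        self._locked_until = 0.0

    @staticmethod
    def _digest(salt, password):
        # Assumed KDF settings for the example
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, label, length=16):
        """Issue a password for one named app; the caller sees it exactly once."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        self._hashes[label] = (salt, self._digest(salt, password))
        return password

    def revoke(self, label):
        """Drop one app's password without touching the others."""
        return self._hashes.pop(label, None) is not None

    def verify(self, password, now):
        """Return the label that matched, or None; throttle repeated failures."""
        if now < self._locked_until:
            return None          # account-level lockout also blocks valid apps
        for label, (salt, digest) in self._hashes.items():
            if hmac.compare_digest(digest, self._digest(salt, password)):
                self._failures = 0
                return label
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return None
```

Because each password is tied to a label, retiring a client means revoking one entry rather than reconfiguring every other device.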