Digital Spy

DS Forums

Outlook.com, two-factor authentication and WLM


15-06-2013, 22:57
jsmith99

This afternoon I decided to set my main outlook.com mail account to use two-factor authentication (TFA).

It all went more smoothly than I thought it would :

Logged in to account on laptop: received a code by SMS, and ticked to set my laptop as a "trusted device".

Logged in on iPad : received a code by email, set iPad as "trusted device". Also sent and received emails directly on iPad (i.e. not logged in to web account) without problem.

However, when I tried to use Windows Live Mail, it kept asking me for the password. Deleting the account and introducing it again (twice, as new account and importing the .iaf file) made no difference.

Googling suggested two solutions :

1. Set it up as POP3, not "Delta Sync",

Tried it, still didn't work

2. Outlook.com has apps for "other devices".

There isn't one specifically for WLM, but I tried anyway .... didn't work.

To check whether the problem lay with WLM or Outlook, I downloaded and installed Thunderbird. I set up a different outlook address, plus an alias : they worked.

Then I set up my main outlook address : again, it kept asking for the password.

In the end, I logged back into outlook.com, and cancelled the TFA. Guess what - my account now worked, in both WLM and Thunderbird.

Hope that all made sense - it accounted for about 5 hours of my day!

SO, given that both outlook.com and WLM come from Microsoft, is there any reason they can't work together? Or did I miss a step?

(I must say I liked the look of Thunderbird - very clean layout compared to WLM. However, there were a number of functions I couldn't find, like exporting accounts or messages).

17-06-2013, 06:05
wilt
For older programmes like Windows Live Mail which don't natively support two factor auth you need to generate a separate app password for them which bypasses the two factor auth.

This is done in the security section of the Microsoft account website.

17-06-2013, 06:55
IvanIV
I made this work with an app password, but I had a problem with SkyDrive on my mobile. It needed the code, but it still did not work properly, so I cancelled the two step login. It needs a bit more work to iron out some issues.

17-06-2013, 09:39
jsmith99
Wilt : I tried generating a password, and entered it instead of my email password. It was rejected.

A little more searching found a couple of items :

1. I should have added it to the normal password, though this was in relation to a different client, not WLM.

2. A statement, I think by Microsoft, that TFA just did not work with WLM.

I'd disabled TFA by then anyway. So I'm now relying on a stronger password. Which is a pity, because I like the idea of TFA, especially when you can specify that it not be used with your usual devices.

IvanIV : You made TFA work with WLM? Could you explain what you did?

17-06-2013, 09:58
IvanIV
I think I did... it's been some time. Is the computer where you wanted to set up the WLM trusted? That may make a difference. But in the end SkyDrive integration did not work on my WP8 phone, so I reverted back to a normal password.

17-06-2013, 11:36
jsmith99
IvanIV : Well, I trust my PC. I also ticked the box saying something on the lines of "Don't use TFA when logging in from this device".

This message was posted on 25/4/13 on what seems to be an official Microsoft forum :

Welcome to Microsoft Community. At this moment, TFA (Two factor authentication) is currently unavailable in Windows Live Mail. If you think that integrating this security authentication feature of Outlook.com to Windows Live Mail is a great idea, you may submit this as feature request to Microsoft. Here is the link on where you can fill-up our feedback form.
http://answers.microsoft.com/en-us/w...a-b39ae1965aaf

17-06-2013, 18:24
wilt
Interesting, I don't have WLM so am unable to see if I can get it working, but given that the app passwords are just alternative passwords that don't need the application to support TFA (that's the point of them, really), I am surprised that it doesn't work.

17-06-2013, 18:29
IvanIV
It's clear WLM won't work fully with 2 step login because you cannot enter the code. What I tried right now - I set up 2-step login, set up the machine to be trusted (tested with login to outlook.com in web browser, no code required). WLM could not log on with the original password after this, so I generated an app password, entered that one, success, it even downloaded some new emails. But, there's a huge delay between sending and delivering emails sent to/from my outlook.com account. Don't know if there are some transient problems or Obama's boys have to read them first. I have connected my gmail account with outlook.com, maybe there are some problems there, the emails arrived to gmail account. But it looks like it works.

ETA: the computer probably doesn't have to be trusted, it already was and I do not know where I can un-trust it. It's W7 and I do not know where to remove it selectively...

18-06-2013, 10:19
jsmith99
Wilt :

I think the point is that it's not a single passcode, you get a different one every time you log in (though it's not clear on the website, it may be a static code).

Logging in on the outlook website, you simply get a webpage asking for the code. Similarly on the iPad, though I've no idea how that works. The page also has the tickbox to say that this is a trusted device.

WLM (and Thunderbird) simply send a message containing account name and password. There's no provision in the settings to send anything else.

That's my theory, anyway : there's no interaction provision with WLM.

IvanIV :

I'll have another try, maybe tonight or tomorrow.

18-06-2013, 11:08
IvanIV
An app password should work for anything that is not TFA aware. It's an alternative strong password generated by MS. You generate it in your MS account and then enter it in WLM instead of your regular one when prompted. This should work. What I mentioned yesterday about delays, they are caused by Outlook - Gmail connection. The accounts are not synchronised live. When I sent an email to/from my alias outlook email it arrived immediately. I'd like to use it, but I cannot because of SkyDrive for WP8. MS stopped somewhere in the middle. It's TFA aware, so you need the code, but it breaks the integration with the OS. I could not find a way to make the phone trusted.

18-06-2013, 15:02
wilt
jsmith99: To create an app password you need to login at http://account.live.com, select 'Security info' from the sidebar, then scroll down to where it says 'App passwords' and then click 'Create a new app password'.

The next screen will show an automatically generated password which you can put in to WLM (or any other programme that doesn't support TFA) instead of your normal password and this will allow that app to bypass TFA, so it doesn't need to be able to send any extra code.

IvanIV: I have TFA enabled and SkyDrive (and all other stuff) works fine for me on WP7 - what issues are you seeing?

18-06-2013, 15:12
IvanIV
IvanIV: I have TFA enabled and SkyDrive (and all other stuff) works fine for me on WP7 - what issues are you seeing?

Is your phone trusted? How did you do it if yes? I had to enter the code, but then I was not able to use it with Office, for example. I think I need to make the phone trusted to make this work.

18-06-2013, 15:23
wilt
Is your phone trusted? How did you do it if yes? I had to enter the code, but then I was not able to use it with Office, for example. I think I need to make the phone trusted to make this work.
Ah, I used an app password - no need to be trusted then. Have you tried logging in to your account via the browser? Then you should get a check box to make the device trusted - not sure whether this would have any effect on the office apps though or just Internet Explorer.

18-06-2013, 16:00
IvanIV
It's different for WP8. I am playing with it now and so far so good. I had to set an app password for email and enter the code for SkyDrive. Which is a PITA, because if I switch to read a text message and come back, it reloads the page. Authenticator app is useless, too, because when I finally can enter the code it's invalid. I'll see if the SkyDrive keeps working or if I have to enter a new code after restart.

18-06-2013, 16:31
IvanIV
It seems to work now. The trick was to check the checkbox when logging into account.live.com that the device is trusted and enter the code once. Now I can log on without the code. Email may work without the app password, too, but I am not testing that.

19-06-2013, 23:47
jsmith99
I finally got it to work today, after many hours.

I set up a test account, and set it to TFA. Logging in to the account, I got a pass code and I ticked "trust this device". I did the same on iPad.

I realised that I'd been going to the wrong place to get the password for WLM. You don't use "security info" on the left, you go to "account overview" and, on that page, scroll down to "edit security info". On the next page, you select "Create a new app password".

That's the password you use in WLM instead of your account password.

That all went smoothly - on the test account.

Changing to my real account, most of it went smoothly. Eventually, I got it sorted out, on WLM. For some reason, it wasn't so easy when I tried it on Thunderbird.

Anyway, a few hours later, I could send and receive on my TB accounts. That's when I found a new problem - my BT mail accounts hadn't set themselves up properly - there were no accounts for them, and they were sending and receiving via "Local folders". So I deleted them, and I'll look at them later.

20-06-2013, 07:24
IvanIV
Glad you got there. It can be a bit confusing. And I am glad I could finally make it work for me, too.

21-06-2013, 15:30
jsmith99
Having got it to work one day, the next day my iPad asked for a password on my real account (my test account has no problems at all!).

So I logged in to my account from my iPad and got another app password. I copied and pasted this into my mail account, and it worked.

I also noticed an option for "remove old passwords", but I'm a bit wary of this. I now have four different app passwords :

real and test accounts
WLM on laptop and mail on iPad.

If I remove old passwords, will any of these disappear? And can I just get one password from the laptop, and use this for laptop and iPad? I tried that, and it didn't work, but there could be a variety of reasons for that.

21-06-2013, 16:14
wilt
Yes the remove passwords link will remove all of your app passwords - something I find a bit odd. They need to implement a way to remove individual passwords so you don't end up with a load of redundant passwords lying around.

It's best to use one app password per different application - you're not really supposed to keep a record of these passwords yourself. Just copy, paste, tick 'remember password' (or similar) in your app and forget about it.

21-06-2013, 17:09
IvanIV
I think you are not supposed to keep track of what password belongs where. I just copy-paste them and forget them. It's only for your trusted devices. Deleting them all is so you can disable access from all your devices.

21-06-2013, 17:40
wilt
I think you are not supposed to keep track of what password belongs where. I just copy-paste them and forget them. It's only for your trusted devices. Deleting them all is so you can disable access from all your devices.
Yeah, that's the gist of it - I like how Google and Facebook do it better, though. They will only show you the password once, but you can give the app/device a name - once you stop using that app/device you can revoke that one password. It stops you having a load of redundant passwords lying about.

With Microsoft's way I think I already have two or three passwords that can be used to access my account if somebody somehow guesses them, but to get rid of them I need to reconfigure all of my things using app passwords. Not good.

21-06-2013, 17:55
IvanIV
You need to guess a password and an account, the way those passwords look it's near impossible. And even then it's only access to your email, or SkyDrive on WP7. You still need the code to get into your account from a not trusted device. If your trusted device was stolen, you can untrust it and delete all passwords.

ETA: Also I think it's likely they keep track of a MAC address the app password is used from once it was used for the first time. That would make the app password unusable if anybody stole it somehow. This is easy to test.

21-06-2013, 18:00
wilt
You need to guess a password and an account, the way those passwords look it's near impossible. And even then it's only access to your email, or SkyDrive on WP7. You still need the code to get into your account from a not trusted device. If your trusted device was stolen, you can untrust it and delete all passwords.
It doesn't need to be a trusted device for app passwords to work. There isn't really any way to trust the device.

The passwords I've had so far have been lower case alphanumeric - I can't remember how long though. But with several passwords and no special characters it's not ideal.

I agree that it's unlikely to be an issue, but other implementations of TFA have this sorted and it is interesting that Microsoft have chosen not to do it.

21-06-2013, 18:06
IvanIV
It doesn't need to be a trusted device for app passwords to work. There isn't really any way to trust the device.

The passwords I've had so far have been lower case alphanumeric - I can't remember how long though. But with several passwords and no special characters it's not ideal.

I agree that it's unlikely to be an issue, but other implementations of TFA have this sorted and it is interesting that Microsoft have chosen not to do it.
You cannot log on with a browser into your account with an app password. You use your original password and depending on if your device is trusted you need the code or not. App passwords are for applications that access your account, but they cannot manage it. Yes, it's still bad, damage can be done, but if they are any clever at MS they block the access to an account after several unsuccessful logins. So it would have to be someone who knows you and knows where you kept those funny passwords. If they can be reused at all. Which I doubt.

21-06-2013, 18:09
wilt
if they are clever at MS
Indeed.
All times are GMT. The time now is 12:32.
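
The login rules the posters arrive at, as an added example that is not part of the thread and not Microsoft's code: a toy Python model in which a mail client can present only one password, so with two-step verification on it needs an app password, while the web login rejects app passwords. The class and method names, the sample values and the 16-character length are assumptions; `revoke` models the per-app revocation wilt describes for Google and Facebook, `revoke_all` the single "remove" option reported for Microsoft.

```python
import secrets
import string

class Account:
    """Toy model of the login rules described in the thread (assumed names)."""
    def __init__(self, password):
        self.password = password
        self.two_step = False
        self.trusted = set()       # devices where "trusted device" was ticked
        self.app_passwords = {}    # label -> generated password

    def create_app_password(self, label, length=16):  # length is an assumption
        alphabet = string.ascii_lowercase + string.digits
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        self.app_passwords[label] = pw
        return pw

    def revoke(self, label):       # per-app revocation (Google/Facebook style)
        self.app_passwords.pop(label, None)
    def revoke_all(self):          # the only removal option the thread reports
        self.app_passwords.clear()

    def web_login(self, password, device, code_ok=False, trust=False):
        """Interactive login: the page can ask for a second-step code."""
        if not secrets.compare_digest(password, self.password):
            return False           # app passwords are not accepted here
        if self.two_step and device not in self.trusted:
            if not code_ok:
                return False
            if trust:
                self.trusted.add(device)
        return True

    def mail_login(self, password):
        """Legacy mail client: sends a username and one password, nothing else."""
        if any(secrets.compare_digest(password, p) for p in self.app_passwords.values()):
            return True
        return (not self.two_step) and secrets.compare_digest(password, self.password)

def demo():
    acct = Account("main-password")          # constructed sample value
    acct.two_step = True
    wlm, ipad = acct.create_app_password("WLM"), acct.create_app_password("iPad")
    out = [acct.mail_login("main-password"), acct.mail_login(wlm),
           acct.web_login(wlm, "laptop", code_ok=True)]
    acct.revoke("WLM")                       # only the WLM password stops working
    out += [acct.mail_login(wlm), acct.mail_login(ipad)]
    acct.revoke_all()                        # every client must be reconfigured
    return out + [acct.mail_login(ipad)]
```

`demo()` walks the thread's cases in order: main password from a mail client, app password from a mail client, app password in the browser, then the two revocation styles.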