IT Connect
Your connection to information technology at the UW

What 2FA does not cover in the Microsoft ecosystem

This document explains which Microsoft products, services, and applications don’t benefit from having UW MFA for the web enabled.

Summary

Enabling ‘UW Duo 2FA for the web’ provides an additional security control to help mitigate the risk of UW NetID password compromise. Enabling ‘UW Duo 2FA for the web’ does not mitigate all scenarios where a UW NetID is used.

It generally only covers scenarios where the UW identity provider (idp.washington.edu) or Azure AD is providing the authentication for the web application. However, there are some scenarios with Azure AD authentication that are not covered. Those scenarios are not covered because the client application does not support modern authentication protocols for the web. In many cases, you can update your client application or change to an alternative client application to be covered. At some point in the future, we expect non-modern authentication to be blocked.

Note: If you want to enable 2FA for non-web scenarios that involve Microsoft products, there may be other solutions available. For example, you can require Duo to log on to a Windows computer. Email help@uw.edu to find out more.

How do I know whether a web application uses Azure AD for authentication?

When you go to the application, if it sends you to a Microsoft sign-in page, it is likely using Azure AD for authentication. That Microsoft sign-in page will look like this:

[Screenshot of the Microsoft sign-in page]

If you generally enter myUwNetId@uw.edu into that page, then it is definitely Azure AD. If you enter some other username, then it may be a Microsoft account, i.e. a consumer account not associated with the UW.

What client applications are known to not use modern authentication protocols?

This list is not intended to be comprehensive; it is only a list of known client applications. If you know of one that should be added, please let us know.

  • Outlook 2013 without special settings enabled (we recommend you upgrade)
  • Outlook 2010 or earlier
  • Mac Mail on Mac OS 10.13 or earlier
  • Thunderbird
  • Eudora
  • Pine
  • Android Touchdown
  • Android BlueMail
  • Any client application on iPhone 5 and lower (you can use a browser to reach OWA)
  • Any client application on iPad 4th generation and lower (you can use a browser to reach OWA)
  • Mail on iOS 10 or lower
  • Any client application on Chromebooks (you can use a browser to reach OWA)
  • Most IMAP4 or POP3 clients
  • Exchange Online PowerShell module
Last reviewed April 27, 2020