MFA and App Passwords

There are some instances where applications within the Microsoft cloud space do not play well with MFA. Skype for Business is a good example. For these, Microsoft has built-in a mechanism to allow the user to create a unique and permanent password. These are called "app passwords", and users get one by default when enrolling in MFA. Up to 20 app passwords can be used per user at any given time, and best practices suggest that they be named in a way that clearly and concisely explains their purpose. Need an app password for Skype for Business? Call it "Skype for Business". Maybe even "S4B - personal iPad" if you have multiple devices. This comes in handy if the device is lost, stolen, or just replaced, because you can easily delete the right passwords for the right devices.

App passwords seem to cause a lot of confusion with three regards:

  1. They are only ever displayed once. Users are encouraged to copy the password to the clipboard and paste it into the Password field of whatever application needs it, check the box to save those credentials, and never need it again.

  2. They are only ever displayed once. Users lose passwords. Security mechanisms break. Applications get updated. Profiles get nuked. The user goes into a panic because they cannot call up the original password, and if they followed security best practices, it's not in a Notepad document on the desktop called "app_passwords.txt". The user need only log in to the Office 365 portal, delete the old app password, and create a new one. The name can be exactly the same as it was before.

  3. "Where do I enter this app password?" App passwords replace the user's (Azure) AD password for a given application. In the case of Skype for Business, the user just enters the app password where they traditionally entered their (Azure) AD password. This can also be true for Office 2010 and 2013 products, and on some mobile devices.

The first time a user is prompted to save or use an app password is at MFA-enrollment. The page explaining its purpose does not succeed in its own, and the password either ends up in a text file, jotted on a sticky note under the keyboard, or just abandoned in place.

Managed properly, app passwords bridge the gap to MFA adoption and are incredibly useful for custom deployment scenarios. The key, as with everything else in IT, is user training.