Asynchronous multi-factor authentication
Multi-factor authentication is an increasingly popular security addition to traditional password-only methods. However, the way it is implemented in O365 departs from the standard protocols and makes it impossible to use clients such as Android mail apps or Thunderbird.
A solution to this would be 'asynchronous MFA':
- The client attempts traditional IMAP authentication (or the equivalent for other protocols, e.g. iCal, SMTP).
- It fails the first time, but at the same time the O365 servers send a notification to the user (e.g. via a secondary e-mail address, SMS or a dedicated app) telling them that they must go to a given URL and provide the second factor (the usual code from the authenticator app, SMS or e-mail). Alternatively, the code could be included directly with the URL in that notification.
- The user goes ahead and logs in to O365 (via the web, via an app, or via some dedicated app) with password + second-factor code. From then on, the account temporarily falls back to password-only authentication for a configurable time, say 1 hour or 1 day.
- Any traditional client is then able to work as usual (i.e. with password-only authentication) for that period.
An alternative (or, I should say, an additional option) could be that the user logs in to O365 (e.g. via the web) and declares that the new session is valid for a while (again 30 min or 1 day, depending on configuration). The session would be valid for any client (as long as it uses at least the account password).
That would not add many security concerns and would be kind to standard protocols and the clients that use them.
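As an added illustration (not part of the original post and not an O365 feature), a toy Python model of the flow above, covering both the notified-URL path and the alternative where an interactive login opens the password-only window; the URL, the timings and the `notify` hook are assumptions, and time is passed in explicitly so challenge expiry and window expiry can be exercised:

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Account:
    password: str
    second_factor: str                 # stands in for the app/SMS/e-mail code
    grace_until: float = 0.0           # password-only auth accepted until then
    challenges: dict = field(default_factory=dict)   # URL token -> issued time

class AsyncMfaServer:
    def __init__(self, accounts, notify, grace_seconds=3600, challenge_ttl=300):
        self.accounts = accounts       # user -> Account
        self.notify = notify           # out-of-band hook (SMS, e-mail, app)
        self.grace_seconds = grace_seconds   # assumed cap on the window
        self.challenge_ttl = challenge_ttl   # assumed lifetime of a URL

    def _password_ok(self, acct, password):
        return secrets.compare_digest(password, acct.password)

    def imap_login(self, user, password, now):
        """A legacy client attempts password-only authentication."""
        acct = self.accounts.get(user)
        if acct is None or not self._password_ok(acct, password):
            return False               # wrong password: nothing is sent
        if now < acct.grace_until:
            return True                # inside the window: works as usual
        token = secrets.token_urlsafe(16)      # first attempt fails and notifies
        acct.challenges[token] = now
        self.notify(user, f"https://example.invalid/mfa/{token}")  # constructed URL
        return False

    def complete_challenge(self, user, token, password, code, now):
        """User follows the URL and provides password + second factor."""
        acct = self.accounts.get(user)
        if acct is None:
            return False
        issued = acct.challenges.pop(token, None)  # single use
        if issued is None or now - issued > self.challenge_ttl:
            return False               # unknown, reused or expired challenge
        return self.open_window(user, password, code, now, self.grace_seconds)

    def open_window(self, user, password, code, now, seconds):
        """Alternative path: an interactive (web) MFA login opens the window."""
        acct = self.accounts.get(user)
        if acct is None or not self._password_ok(acct, password):
            return False
        if not secrets.compare_digest(code, acct.second_factor):
            return False
        acct.grace_until = now + min(seconds, self.grace_seconds)
        return True
```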