Add ability to send the One-Time Passcode via SMS and NOT by e-mail
Office 365 Message Encryption can be leveraged in case of a delegated inbox scenario. If an encrypted message is sent to a person whose inbox is delegated, e.g. to a secretary, the delegate has the ability to request a one-time passcode to the delegated inbox, and so full access to the OME-protected message can be gained.
This scenario could be avoided by sending the one-time passcode using SMS, because then the delegate has no access to the one-time passcode.
Our Legal department blocked usage of OME because it lacks this feature. If an e-mail is sent to a wrong recipient, there's no way to verify the receiver.
Phone call / SMS / MS auth are essential to provide a higher degree of identity assurance.
Jesper Rasmussen commented
Crazy stupid not to use a side band for OTP. Without this I could never recommend OME to anyone.
Dr. Amit K. Maitra commented
I recommend that Azure Information Protection add a secondary method of transmitting the one-time passcode for the recipient to open an encrypted email, other than sending it only via email. This way, if the intended recipient's email is compromised, s/he might receive the passcode in a safer mode, thereby preventing the hacker from getting the passcode from the MS Azure Information Protection system. The current system is not foolproof. Actually, it presents a single point of failure, and the whole purpose of encryption is defeated.
It might be easier and still sufficient to send the code back to the original sender, who'd then have to forward it using an out-of-band method of their choice.
Intercontinental SMS still isn't reliable, anyway, but various instant-messaging applications are, as well as traditional voice or even video call.
Preferably there'd be an option to switch between this and the current mail-only method on a fairly granular level - such as message/ template level based on rules.