OME One-Time Passcode should support SMS
Office 365 Message Encryption can be leveraged in case of a delegated inbox scenario. If an encrypted message is sent to a person whose inbox is delegated, e.g. to a secretary, the delegate has the ability to request a one-time passcode to the delegated inbox, and so full access to the OME-protected message can be gained.
This scenario could be avoided by sending the one-time passcode using SMS, because then the delegate has no access to the one-time passcode.
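The delegated-inbox exposure described in the request can be measured in a tenant before deciding whether to rely on OME passcodes. The following PowerShell is an added example, not part of the original request or of Microsoft's documentation: it reports whether the one-time passcode option is enabled in the tenant's OME configuration and lists every user mailbox that has a FullAccess delegate, since such a delegate can request and read the passcode. It assumes the ExchangeOnlineManagement module is installed and that the account used has Exchange Online admin rights; the admin UPN is a placeholder.

```powershell
# Added example: audit OME one-time passcode exposure via mailbox delegation.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
# admin@contoso.example is a placeholder, not a real account.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. Is the one-time passcode option enabled at all in this tenant?
#    OTPEnabled is the switch that lets recipients without a Microsoft
#    account open OME messages with an emailed passcode.
Get-OMEConfiguration | Select-Object Identity, OTPEnabled

# 2. Which user mailboxes have a FullAccess delegate other than the owner?
#    A FullAccess delegate can open the mailbox, request a passcode for an
#    OME message addressed to the owner, and read that passcode.
$report = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-EXOMailboxPermission -Identity $mbx.UserPrincipalName |
        Where-Object {
            $_.AccessRights -contains 'FullAccess' -and   # explicit full mailbox access
            -not $_.IsInherited -and                      # granted directly, not inherited
            -not $_.Deny -and                             # an allow entry, not a deny entry
            $_.User -notlike 'NT AUTHORITY\*'             # skip the built-in SELF/system entries
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Delegate = $_.User
            }
        }
}

# Each row is one mailbox whose OME passcodes are readable by the named delegate.
$report | Sort-Object Mailbox | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

If the resulting list is unacceptable and no out-of-band delivery option is available, the passcode route can be switched off entirely with `Set-OMEConfiguration -Identity "OME Configuration" -OTPEnabled $false`, after which recipients must sign in with a Microsoft or work account instead; that is a tenant-wide trade-off, not a per-message one.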
Jesper Rasmussen commented
We will be going elsewhere for a secure portal solution. OTP not being side-band is a legal no-go in Denmark (see the KRIFA decisions from the Danish Data Protection authorities).
I vote for Mikko's solution. These days using instant-messaging apps is fast, convenient and (can be) secure. Also it eliminates the need for SMS bundles.
Maybe SMS notification could be a third option, but sending the code back to the original sender must be available as soon as possible.
Nick Cozzolino commented
Another issue with the way it works now is that the one-time passcode is sent to their email. This is a problem for people who are trying to open them on a mobile device. Most people click back, which leaves the page where the code has to be entered, to go back to their email. After receiving the code they cannot use it on the page because the session expired when they went back to their email.
Our Legal department blocked usage of OME because it lacks this feature. If an e-mail is sent to a wrong recipient there's no way to verify the receiver.
Phone call / SMS / MS auth are essential to provide higher degree of identity assurance.
Jesper Rasmussen commented
Crazy stupid not to use side-band for OTP. Without this I could never recommend OME to anyone.
I was just testing this in our tenant and I did receive a one time PIN so it looks like this feature may have been implemented.
This should be re-opened. The current distribution of one-time codes is not secure by design. This proposal would make it more secure.
I fully support this. Current design is not secure.
Dr. Amit K. Maitra commented
I recommend that Azure Information Protection add a secondary method of transmitting the one-time passcode for the recipient to open an encrypted email other than sending it only via email. This way, if the intended recipient's email is compromised, s/he might receive the passcode in a safer mode, thereby preventing the hacker from getting the passcode from the MS Azure Information Protection system. The current system is not foolproof. Actually, it presents a single point of failure and the whole purpose of encryption is defeated.
It might be easier and still sufficient to send the code back to the original sender, who'd then have to forward it using an out-of-band method of their choice.
Intercontinental SMS still isn't reliable, anyway, but various instant-messaging applications are, as well as traditional voice or even video call.
Preferably there'd be an option to switch between this and the current mail-only method on a fairly granular level - such as message/ template level based on rules.
Blair lock commented
Would be good to add a one-time pin via SMS for OME. Presently users get an email to decrypt an encrypted email or document; however, if the mailbox has been compromised, one can access encrypted mail as the one-time pin is sent via email.
Michael Wirth commented
Today, the one-time code is sent to the recipient of an OME-protected e-mail. Sometimes it makes more sense (and can be considered more secure) to give it to the sender instead, who then can decide how to share it in a secure out-of-band fashion.