Authenticator App - Microsoft Outlook

I have a client who set up email using Outlook, which seems to be all web based. I was able to set up the account, but could not get it to work in Apple Mail. I tried both “other” and “exchange”.

Today I try to log in and it wants me to install an Authenticator App on my phone. Not doing it.

What are my other options besides telling this lady I’m no longer using this email (probably also not an option)

Thanks
Diane

I can’t comment on Outlook at all, but what’s the problem with installing an authenticator app? There are lots like Authy, 1Password, Google Authenticator, and so on. There’s nothing wrong with them.

I have an original SE without much space left. I’m still on iOS 12 and I’ve found many new installs to require iOS 13 or later.

And this is something I will always do on the web. I already hate 2-factor authentication but at least a text will come into my laptop. The last thing I want is more MS or Google on my phone.

The wording makes me feel it’s a setting someone turned on so hopefully they can turn it off.

And I’m still hoping to get it into Mail because honestly, I completely forget to check webmail regularly. :-/

BTW thanks for getting me up and running again! 🙂

Diane

There are third party apps you can use, the algorithm came from Google but it is open sourced so there are many different vendors - Authy is cross platform and you can have it on all your devices as a single source of 2FA. Others are similar, the Google app is definitely a basic implementation.

2FA off an app is far more secure than SMS based 2FA fwiw.

Text message based two factor authentication is generally not recommended. I generally think most of us are safe from this, but the reason is that there is something called SIM-jacking, where someone will basically steal your mobile phone number and can intercept the text messages when they try to break into an account that uses text-based two factor.

Tidbits had a great article about this a couple of years ago:

Linked in that article:

And here is another:

The Authenticator apps using time-based tokens are far better and more secure and cannot be intercepted in this way at least. And here is an even older article on Tidbits that explains how Authy works:

I will read those! After the first. 🙂

How do I get around this? Is Authy the only one that I can install on my machine? I hate hate hate installing little things randomly. Already had to install Rapport to access a bank account for a client.

More importantly, how do I get this silly account to download into Apple Mail? I couldn’t get it set up at all. Outlook has never been anywhere on my list of preferred email, app or web. Having to add more things to check an email account a few times a month just gets my blood boiling lol

It’s apparently Godaddy using Outlook. I have them on my list to call as well.

Thanks again!
Diane

Authy isn’t the only such app, but it is a popular one. (I personally use Google Authenticator for this).

Once the app is installed, you set up authenticator code-based authentication using some page run by the web service. It will present you a “key” code number, often accompanied by a QR code which you can use for easier installation.

You then run the authenticator app and tap the button to add a new service. You then should have buttons to either manually enter the information (for Google Authenticator, this is the name of the account, the key code and a selection for time-based or counter-based codes) or to read the QR code with your phone’s camera (which will provide the same information). Use either one to set up the service.

And you’re done. On the app’s main screen, at least for time-based codes, you should see a list of configured accounts and a 6-digit code number associated with each one. The numbers change every 60 seconds or so and remain valid for the 60 seconds for which they are visible (and probably a little bit of slack, because clocks may not be 100% synchronized).

I’ve never used them with counter-based codes, so I’m not sure what that looks like, but typically counter-based systems don’t show anything until you tap a button to get a code, which can only be used once. When you request another code, you’ll get a different one.

This article has a pretty good description:

The nice thing is that the algorithm is an industry standard, so any app should work for any service. The thing that creates the security is the key value you use to set up each service. Anyone with the same key can replicate the sequence of codes, so you shouldn’t print or save the key after configuring your authenticator app. You should be able to generate new keys in the future if you need to set up a new app.

I know exactly how you feel. To me, the minimum amount of apps I absolutely need to have installed is the ideal number. Life is a lot easier (and I believe more pleasant) if you keep distractions at bay and make your surroundings calm and simple so you can truly focus on what is important and pleasurable. All these people having trouble to sleep, requiring apps to tell them when to take a break, or apps that shush the notifications from all their other apps are a testament to that. Some people are professional writers and testers that need to install a whole bunch of stuff to report to the rest of us. Thank you to them. The rest of us are at liberty not to install a plethora of gizmos. I have started leading a much more pleasant life after I realized I should make use of that liberty. So now, unless I know exactly what a gizmo, service, or app does for me, or I know it brings me joy (to use Marie Kondo’s words), it’s gone. On my Macs, on my iPhone, even on my iPad.

Those that caution you about SMS 2FA make a valid point however. At least in the US “SIM jacking” appears to be a real problem. In principle the fix would be very simple: you just tell your phone company that unless you are standing physically in one of their stores and showing them two pieces of government photo ID to prove you are actually you, they may not transfer your phone number to another SIM. Period. Of course in the US we don’t have that option, your chances of successfully suing e.g. T-Mobile for damages due to ID theft without a million $ legal war chest are basically zero. Add to that that most people in this vast land would have trouble actually producing two pieces of government issued photo ID. We choose to be very sloppy with our personal data, we choose to rely on silly authentication schemes involving the last four digits of our social, our publicly known ZIP codes, utility bills, or plentifully published mothers’ maiden names, we let companies handle our data in sloppy manners (where damages for even egregious violations are usually laughably low). Coupled with the fact that we don’t have a simple national ID (like BankID in Scandinavia or Personalausweis in Germany) results basically in the status quo. If a crafty bad actor has enough of your data, he will eventually get a carrier to believe he is you. He will get them to issue him a SIM they believe now belongs to you and hence they will connect it to your phone number. From then on, in terms of SMS 2FA he is you and you will have one hell of a time undoing his mess.

I don’t know the minimum system requirements of all the possibilities, but Authy is very good and works with iOS 11 and later, so it should be fine. It syncs across multiple devices and you won’t lose your codes if you upgrade your phone, as was true for at least an earlier version of Google Authenticator. 1Password is always recommended too (see 1Password and 2FA) and works with iOS 12.2 and later, but requires a subscription.

Using an example key (from Google’s documentation: Key Uri Format · google/google-authenticator Wiki · GitHub), I was able to install a counter-based code in Google Authenticator.

It shows a 6 digit number like all the rest, but it doesn’t time-out. It remains unchanged until you tap an icon to generate its next code. Pretty easy to figure out.
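The setup key, the counter-based codes and the time-based codes described in the posts above, worked through as an added example that is not part of the original thread. It parses an `otpauth://` setup URI and derives codes per RFC 4226 (HOTP) and RFC 6238 (TOTP); the secret is the RFC 4226 test key, and the account name and function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based code (RFC 4226): HMAC-SHA1 of the counter, then truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri: str) -> dict:
    """Extract what an authenticator app reads from the QR code or typed key."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)           # setup keys usually omit padding
    return {"type": u.netloc,
            "key": base64.b32decode(secret),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),  # Key Uri Format default
            "counter": int(q.get("counter", 0))}

def code_at(cfg: dict, unix_time: int) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed periods."""
    return hotp(cfg["key"], unix_time // cfg["period"], cfg["digits"])

def verify(cfg: dict, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Server side: accept +/- `skew` periods so small clock drift still passes."""
    step = unix_time // cfg["period"]
    return any(hmac.compare_digest(hotp(cfg["key"], step + d, cfg["digits"]), submitted)
               for d in range(-skew, skew + 1))

# Constructed sample: the RFC 4226 test secret, not a real account key.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = f"otpauth://totp/Example:user@example.com?secret={SECRET_B32}&issuer=Example"

if __name__ == "__main__":
    phone = parse_otpauth(SAMPLE_URI)   # the enrolled authenticator app
    copy = parse_otpauth(SAMPLE_URI)    # any other holder of the same key
    for t in (59, 60, 89, 90):          # both holders derive identical codes
        print(t, code_at(phone, t), code_at(copy, t))
    print(verify(phone, code_at(phone, 59), 65), verify(phone, code_at(phone, 59), 95))
```

The codes carry no secret of their own: everything is derived from the setup key plus a counter or the clock, which is why a copy of the key is equivalent to a copy of the authenticator.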

I have 1Password which is both my password manager and can also handle 2FA authentication. Most of the time, it’ll automatically paste the 2FA code in the right field. When it doesn’t, the 2FA code is in the clipboard.

There’s a 1Password app for the Mac too. You can just use the Mac version if you’d like.

A password manager is a must. It’ll generate random unguessable passwords, it protects you against phishing attacks, warns you of duplicate passwords, warns you when one of your sites has been breached, and a good one integrates into your web browser.

As to getting the mail from the account connected to your Apple mail, if two factor is switched on, then you probably need to set up a special app-specific password on the Outlook account. You can’t use the regular password and an Authenticator app if you’re not using one of the latest versions of iOS.

(I think you can still set up an app-specific password on GoDaddy hosted Exchange. Some of the installations require you to use the modern login protocols and they won’t work even with the specially configured password.)

Great Nick - thanks! I am going to try and call their support tomorrow.

Neither my phone nor computer has the latest OS versions.

When the lady who set this up talked to support, he had said I should be able to set up Mail using Exchange, so I’m hoping he can walk me through it and figure out where I went wrong.

All I know is this is way too much work for an email I only need to check a couple of times a month.

Diane

Where I work, they are using some extra authentication security settings that only allow the Microsoft Outlook app to work—Apple Mail, Apple Calendar etc are no longer options for desktop or phone. I’ve been just using the browser-based version on my personally-owned devices, and using Outlook on the phone and laptop owned by my employer.

So, depending on how it’s set up, Apple Mail might not be an option at all.

Sigh… Even though Active Directory is a massive attack vector, CIOs and IT departments continue to trust Microsoft to the exclusion of things that actually have -much better track records-.

I do NOT miss Corporate IT (or Corporate HR) at all!

Take me with you!

These people would buy a nuclear-powered cream separator if Microsoft made one.

This is direct through Godaddy, no external IT thankfully! So I hope it’s not that bad, and he even told the lady who called for me that it should be able to work with Mail.

I won’t be able to call support till next week.

And I don’t miss IT either!

Diane

I spent over 3.5 hours on the phone with Godaddy last night. Guess it really matters who you talk to. Last week they said it’s a Microsoft security thing which can’t be turned off.

The guy I got last night said “What?! That isn’t supposed to be turned on unless your organization requests it”. And off it went.

The security issue was the reason I couldn’t set it up in Apple Mail. Turned that off and all was well.

Nearly half a work day spent on the phone, mostly on hold. Insanity.

Diane

Hmmm of those three, I’d stay away from Google Authenticator since Google’s primary aim in all things is to harvest the personal data of those who use their applications. I have used 1Password to manage my passwords since 2008 but hadn’t looked at this option; I’ll have to check it out.

BTW, a lot of websites will give you the option to receive a phone call with the authentication code.

I agree with you on Google just out of principle. And the only option with that security feature turned on was for an app. When I started getting notices that I’d need to set up higher security I assumed it would be a call or texting to an alternate device (which would be my phone) but that wasn’t the case.

Just glad that’s off my plate now!

Diane