Outlook for iOS Authentication – Deeper dive

Let's look a little deeper into the security mechanism behind Outlook for iOS, and I believe a lot of the buzz during the last days could have been avoided.

Microsoft addresses this issue because iOS will terminate an application trying to run in the background after 10 minutes, which leaves the app unable to check for updates and give us push notifications.

There are two authentication mechanisms. One is OAuth, which gives Microsoft a way to access our data without ever knowing our password; this is supported by Outlook.com, OneDrive, Dropbox and Gmail.

But Exchange ActiveSync (used for Yahoo and iCloud) doesn't support OAuth yet, so Microsoft naturally needs to handle this differently.

When we log in to Exchange, our credentials need to be transferred in order for us to be authorized access, and for the Outlook app to continue this in the background on iOS devices, a backend cloud service needs authorization to access it as well.

Microsoft therefore encrypts our credentials with a unique key specific to each device and stores them safely, and even more safely once this backend cloud service is migrated to Azure and has the same security as Office 365.

As long as the device is online, it needs to periodically send a HELO (keep-alive) to the backend cloud service in order to stay alive and receive push notifications. But if the device remains inactive (shut down), Outlook's backend cloud service will flush the password and lose access until the next time the device is online and starts synchronizing.

This creates a form of multi-factor authentication, because in order to get at the credentials one would need access to both your physical device and the cloud service to compromise the system.

I am Roy Apalnes, a Microsoft Cloud Evangelist working at Sopra Steria. My main focus is Microsoft security and endpoint management, with the bigger picture in mind.