Security of one-time passcodes in Office 365 Message Encryption


Following on from an earlier question on the security of Office 365 Message Encryption, I'm still not happy with my understanding of all aspects and hope that someone can enlighten me on the question of one-time passcodes.

Assuming that access to my email account and all storage points (local computer, servers) is not compromised I understand that my emails could still be vulnerable to interception during transmission. Anything sent using O365 message encryption should be safe from this. However, for the recipient, one of the choices for accessing the encrypted message is to request and sign in with a one-time passcode. This passcode is itself sent by email to the same account as the original message. While only valid for 15 minutes, I can't see why anyone in a position to intercept my emails couldn't also intercept the passcode and therefore use it to decrypt the message.

Do my assumptions make sense? Without knowing how one would actually go about intercepting emails I may be completely missing something.

Thanks in advance for your expert advice.

Vasil Michev (MVP) Commented:
There's some reason in that, but in practice it doesn't make a lot of difference. If we assume the mail account has been compromised, the attacker can just create/update the Microsoft account as necessary and gain access to the encrypted stuff. If he is able to perform a man in the middle attack, same applies. The only difference will be if he can only get his hands on the incoming traffic, thus is able to get the encrypted message and subsequently, the passcode. But the user needs to specifically request the code in this scenario, and the 15 mins validity also makes it quite hard.

It would've been nice if we had an option to control whether passcodes are available, I give you that :)
CDaunt (Author) Commented:
Hi Vasil,

Thanks for your comment. My question was working on the assumption that neither the sender nor recipient email accounts had in any way been compromised. While that may well be a more common weak point it is at least something over which the user has some level of control, mainly through their behaviour.

In terms of intercepting traffic is this something that will at some point have required local access to a network or system (physically or by Trojan software)? Just trying to get an idea if someone can remotely listen/sniff traffic in and out of Microsoft, Gmail, YahooMail or any other mail service. I'm presuming that you have to be on the path/route of the traffic in some way.

You mention the risk of man in the middle attacks, is this an issue in the O365 encryption solution? My understanding was not.

I'm taking all this to mean that the only pretty much secure solution is still going to be one involving keysharing like via PGP. If you or anyone else has any other suggestions I'd welcome them.

Vasil Michev (MVP) Commented:
NSA can :)

Traffic to/from O365 is encrypted, but anyone with (remote) control over say a switch on the route between the end user and the datacenter can decrypt that traffic. Well not everyone obviously, but it's not something unheard of. Some companies even do it on purpose, to off-load SSL. This is where solutions like OME excel - even if they decrypt the traffic (the mail transfer in this case), the message they will end up with is still encrypted and the only way to read it is to authenticate yourself before Microsoft's servers.

In the world we live in, the idea of absolute security is just a myth. But I'd say Microsoft has done a pretty good job with this particular solution. IRM/Azure RMS is another similar technology, you might want to take a look at it.

CDaunt (Author) Commented:
Many thanks Vasil for your informative answers. The NSA, and any other big brothers and sisters, remains an issue. We're French based and using European MS servers which in theory gives us a little extra protection though the French parliament recently voted a law giving extra powers to its intelligence agencies to "look and listen".