Two-Factor Authentication for Exchange 2010 is now possible

Back in 2009 I wrote a blog post about the possibility of Microsoft supporting two-factor or multi-factor authentication for some Exchange services. For organizations that require high security, such as the DoD, allowing external access to email requires additional protection. With Exchange 2007 and prior versions there was no easy way (or any way!) to natively support certificate-based two-factor authentication for services like Exchange ActiveSync.

To my surprise and great delight, Microsoft just released a lengthy whitepaper on how to enable certificate-based two-factor authentication with Exchange 2010 and Microsoft Forefront TMG or Microsoft Forefront UAG. The table below is directly from their whitepaper and shows you the different authentication scenarios and which product(s) support each scenario.

You will notice, though, that Outlook Anywhere is missing from this list. So that’s a major bummer! But all is not lost. Microsoft released another whitepaper, Using IPsec to Secure Access to Exchange. By using IPsec you can ensure that only trusted computers can establish a secure connection to your Exchange servers. The whitepaper further states you could consider this a two-factor authentication solution, since the certificate is something you have and you need your password (something you know) to log on to the computer. This also has the added benefit that it works with AutoDiscover, Exchange Web Services, Outlook Anywhere and Outlook Web App.