To protect user accounts from being hacked, phished, social engineered or stolen by other means, companies and businesses from all over the world have started to deploy a technology that is commonly referred to as two-factor authentication.
This adds a second layer of authentication to user accounts, so that access to a user's username and password alone is no longer enough to access the account. The second layer is usually a code that is generated in real time using a device or application that is in the user's possession.
Most companies seem to favor apps that users can run on their smartphone while some will use local devices that generate codes on demand or messages that are sent to the user's mobile phone or email address during the log in process.
Microsoft announced the roll-out of an upgrade to Microsoft accounts just a couple of minutes ago that enables Microsoft users from all over the world to enable two-step authentication for their accounts to improve their account's security. The feature will be rolled out over the next couple of days. You can check the Security Info page after logging in to your Microsoft account to see if the feature has been enabled for your account already.
Update: Feature is available to all Microsoft Account users now. The design of the website has changed in the meantime as well. We have updated the information below to reflect the change.
If you enable two-factor verification (it is just another phrase for the same thing), it will be enabled for all of the services that are linked to the account. Microsoft previously used two-step authentication for sensitive account-related changes only, like editing credit card information or subscription information.
The Security info page offers a short description of the new security feature and links to learn more about it and set it up.
Two-step verification
Two-step verification makes it harder for a hacker to sign in to your account with just a stolen password. Set it up to help keep your account more secure.
You need to have two pieces of security information on file, an email address and mobile phone number for instance, to use the two-step verification process.
Smartphone users on Android can download and install the Microsoft Authenticator App to generate the codes needed for the second verification step. Microsoft notes that most authenticator apps for other platforms are compatible with Microsoft's two-step verification but fails to recommend any.
It appears that the two-step verification security feature not only supports the generation of codes using applications, but also via text messaging and apparently even phone calls. The benefit of using an app is that it is free of charge and available locally even if no Internet connection is available.
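Why an authenticator app needs no network connection, as an added example that is not from the article or from Microsoft: it assumes the app implements the standard time-based one-time password scheme (RFC 6238 on top of RFC 4226), which the article does not name. The secret is the RFC test key, and `verify` with its `last_used_step` parameter is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for; the RFC 6238 default, assumed here


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Code the app shows at unix_time. Inputs are only the shared secret
    and the local clock, so no Internet connection is involved."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: int = -1, window: int = 1, digits: int = 6):
    """Hypothetical server-side check. Tolerates +/- `window` steps of
    clock drift and returns the matched step (to be stored as the new
    last_used_step), or None. Steps at or before last_used_step are
    refused, so a code that was phished or observed cannot be replayed."""
    current = unix_time // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used_step:
            continue
        expected = hotp(secret, step, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):  # constant time
            return step
    return None


# Constructed sample: the RFC 6238 test key, round-tripped through the
# Base32 form in which enrolment QR codes usually carry the secret.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SECRET = base64.b32decode(SECRET_B32)

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print(code, verify(SECRET, code, 59))
```

Because the code depends on the clock, a phone whose time has drifted by more than the accepted window will produce codes the server rejects.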
While many Microsoft programs and services support two-step authentication processes, some do not.
For those services, you need to generate so-called app passwords that you use instead. This is similar to Google's app password feature, where you can create single-step authentication passwords for devices that are not compatible with the authentication method yet.
The trusted devices list received new functionality in this regard as well. Microsoft can remember devices that you use regularly so that you do not have to enter the security code on every login to the system. Permissions can be revoked at any time on the security settings page of your Microsoft Account (use the link above pointing to the Security Info page to get there).
What happens if you can no longer access the device or account that generates or receives the security codes? The only option in this case, according to Microsoft, is to go through a recovery process that enforces a 30-day wait period on you before access to the account can be regained. This is done to prevent hackers and malicious users from taking over the account using the feature. If you can't remember the password and do not have access to your security information anymore, you cannot regain access to the account.
Adding two-step verification to Microsoft accounts is a step in the right direction and it is highly recommended to enable it as soon as the feature becomes available. You do need to make sure that your information, email and phone number, are always up to date so that you will never run into recovery issues if the need arises.
Update: Here is the walkthrough that explains how you set up two-step verification for your Microsoft Account:
Set up two-step verification
Two-step verification adds an extra layer of protection to your account. When you sign in with your password, you'll need to enter an additional security code that we provide only to you.
Some apps don't work with these security codes (the mail app on your phone, for example). When you're done setting up, we'll help you get your apps working again.
You're done! Two-step verification is turned on.
From now on, we'll ask you for an additional security code when you sign in.
Some apps and devices don't support security codes. If you get an incorrect password error in any of your apps (such as the mail app on your phone), you'll need to create an app password to sign in.
If you use a smartphone, consider setting up an authenticator app to get security codes even when you have no mobile phone coverage.
That's how you set up the second layer of security for your account. To turn it off again, open the Security info page again and click on the "turn off two-step verification" link displayed on it.
The following links are important when it comes to managing your Microsoft Account security:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
What will happen to the one-time password to the phone feature?
I wonder how this might affect accessing a Microsoft account through Outlook.
Will it continually prompt for a password or is this 2-step compatible as of now?
I don’t have that option yet. Guess they are rolling out in stages?
IS THIS COMPATIBLE WITH my MOTOROLA A455?
From this article: “What happens if you cannot access the device or account anymore that generates or receives the security codes? The only option in this case according to Microsoft is to go through a recovery process that enforces a 30 day wait period on you before access to the account can be regained.”
To err is human applies to most of us, including me. To have to wait 30 days seems to be a risky requirement to adopt.