To protect user accounts from being hacked, phished, social engineered or stolen by other means, companies and businesses from all over the world have started to deploy a technology that is commonly referred to as two-factor authentication. This adds a second layer of authentication to user accounts so that it is no longer enough to just have access to an user's username and password to access the account. The second layer is usually a code that is generated in realtime using a device or application that is in the user's possession.
Most companies seem to favor apps that users can run on their smartphone while some will use local devices that generate codes on demand or messages that are sent to the user's mobile phone or email address during the log in process.
Microsoft announced the roll-out of an upgrade to Microsoft accounts just a couple of minutes ago that enables Microsoft users from all over the world to enable two-step authentication for their accounts to improve their account's security. The feature will be rolled out over the next couple of days. You can check the Security Info page after logging in to your Microsoft account to see if your account has already been enabled for the feature.
If you enable two-factor verification (it is just another phrase for the same thing), it will be enabled for all of the services that are linked to it. Microsoft previously used two-step authentication for sensitive account related changes only, like editing credit card information or subscription information.
The Security info page offers a short description of the new security feature and links to learn more about it and set it up.
Two-step verification makes it harder for a hacker to sign in to your account with just a stolen password. Set it up to help keep your account more secure.
You need to have two security information on file, an email address and mobile phone number for instance to use the two-step verification process. Windows Phone users can download and install the Microsoft Authenticator App to generate the codes needed for the second verification step. Microsoft notes that most authenticator apps for other platforms are compatible with Microsoft's two-step verification but fails to recommend any.
It appears that the security feature not only supports the generation of codes using applications, but also via text messaging and apparently even phone calls. The benefit of using an app is that it is free of charge and available locally even if no Internet connection is available.
While many Microsoft programs and services support two-step authentication processes some do not. You need to generate so called app passwords for those services that you use instead. This is similar to Google's app password feature where you can create single-step authentication passwords for devices that are not compatible with the authentication method yet.
The trusted devices list received new functionality in this regard as well. Microsoft can remember devices that you use regularly so that you do not have to enter the security code on every log in to the system. Permissions can be revoked at any time on the security settings page of your Microsoft Account (use the link above pointing to the Security Info page to get there.
What happens if you cannot access the device or account anymore that generates or receives the security codes? The only option in this case according to Microsoft is to go through a recovery process that enforces a 30 day wait period on you before access to the account can be regained. This is done to prevent hackers and malicious users from taking over the account using the feature. If you can't remember the password and do not have access to your security information anymore, you cannot regain access to the account.
Adding two-step verification to Microsoft accounts is a step in the right direction and it is highly recommended to enable it as soon as the feature becomes available. You do need to make sure that your information, email and phone number, are always up to date so that you will never run into recovery issues if the need arises.
Update: Here is the walkthrough that explains how you set up two-step verification for your Microsoft Account:
- Open the Security Info page on the Microsoft Account website.
- You may need to use one of the verified communication options to receive a code that you need to enter before you can access the page.
- Make sure you have two means of verification, a phone number and email, or authenticator app for instance, set up.
- Click on Set up two-step verification.
- The next page offers information about the security concept that you should read through before you continue.
Set up two-step verification
Two-step verification adds an extra layer of protection to your account. When you sign in with your password, you'll need to enter an additional security code that we provide only to you.
Some apps don't work with these security codes (the mail app on your phone, for example). When you're done setting up, we'll help you get your apps working again.
- Two-step verification will be enabled when you click on the next button.
You're done! Two-step verification is turned on.
From now on, we'll ask you for an additional security code when you sign in.
Some apps and devices don't support security codes. If you get an incorrect password error in any of your apps (such as the mail app on your phone), you'll need to create an app password to sign in.
If you use a smartphone, consider setting up an authenticator app to get security codes even when you have no mobile phone coverage.
- You may want to configure app passwords on the main page afterwards so that you can use the passwords in programs and on devices that do not support two-factor authentication yet.
- Click on create a new app password to get started. The app password is automatically created by Microsoft and displayed on the screen. You can create multiple app passwords and also remove them again.
- You can also add new alternate email addresses or phone numbers to the account for additional verification options.
- Here you can also set up an application that you can run on a smartphone that you own. Microsoft has created an app for Windows Phone but not for other phones. If you are using Android, you can use Google's Authenticator app to scan the barcode to pair the device with the account.
That's how you set up the second layer of security for your account. To turn it off again, open the Security info page again and click on the "turn off two-step verification link" displayed on it.