Microsoft gives green light and begins rolling out 2-step Authentication for Accounts


Microsoft has announced on its official blog that a major upgrade will be rolled out for its account system, including optional two-step verification. We've lightly touched on this added layer of security recently, as well as looking at the Authenticator app that's available for Windows Phone.

The Microsoft Account is the backbone for all platforms the company develops, including Outlook.com, Windows and Windows Phone. We've gone into some detail about the account and why it's certainly worth the time creating one. This added security will help provide peace of mind to those who have fears about using simple passwords.

Consumers can choose to enrol in the optional upgrade, which will protect the entire account with two-step verification, regardless of what service or device is currently being used. Here's how you can get started:

  1. Head on over to https://account.live.com/proofs/Manage (note you'll have to wait until your account supports the new authentication before the option is available) and set up two-step authentication.
  2. Download the Authenticator app for Windows Phone and pair it with the Microsoft Account. You're pretty much good to go once it's activated.

If you're familiar with the Gmail setup, the Authenticator app basically acts as the passcode generator. This is much more efficient than delivery via SMS, particularly if you're in a location with terrible coverage or abroad. Some services and devices don't directly support the verification (including Xbox and setting up email on a smartphone), but help is at hand to get set up correctly.

Microsoft 2-step Authentication

On devices used regularly, consumers can select an option to not ask for security codes, making the verification almost painless. A code is used once and is subsequently remembered, unless the device isn't used for 60 days. After that period, a code will need to be entered again.

The only issue with the new two-step verification is that details must be kept up-to-date. If you change your number or email, be sure to amend the account before using the new identities. Do note that should you know your password but lose access to the secondary security proof, the only option is to go through a recovery process that enforces a 30-day wait before access can be regained. If you forget both, you're pretty much done for, unfortunately.

Be sure to check out your Microsoft Account for more information as the verification measure rolls out. You can download the Authenticator app from the Windows Phone Store for use when Microsoft rolls out the update to you. See the official blog post for more details.

Source: Microsoft Blog





Aaron M says:

Finally!  Thank you MS.  This is one area where I always had to give Google credit for.  It may be a pain to have to enter in codes, but its worth the added security.

link68759 says:

I just got the app and have been trying to add two step to every account I have that supports it.

The majority of them just use SMS, which seems stupid to me. Two factor auth is supposed to increase security; if I happen to leave my phone next to my laptop when I go to the bathroom, the SMS will display the key without anyone having to even unlock my phone!

Two step should require you retrieve the key via app, not just... Send one to you. Security is never convenient.

Aaron M says:

I wouldn't call the SMS implementation stupid.  I'm not worried about someone stealing my password, following me to work, and using my phone while I'm in the bathroom to log onto my Microsoft account.  I'm worried about the dick from some other country who somehow cracks my password.  But I'll still check out this authenticator app though and see what it does differently than SMS.

MDboyz says:

But they also need to have your password to get in.  You also need to be responsible for your items.  Put password to lock your phone then.

MrSean490 says:

I know what you mean: there should be a way to disable SMS preview for many other security / privacy reason

lippidp says:

LOL! Anyone that leaves his phone to go to the bathroom doesn't really understand security. The first rule of security is guarding against physical access to the device. Once physical access to the device is breached then all other safeguards are rendered useless to a skilled, determined thief.

derDaniel says:

Can someone briefly explain how this app works? I just don't get it.
How is it verified?

Shippin says:

Waiting for my account to get it, I've been waiting for two step verification for awhile. Glad they are going with an authenticator!

carlosrdd says:

I hope this is optional I understand security but for average user this is a pain...

Aaron M says:

It will be optional.

Candide yams says:

Of course it's optional. It's an option to make your password hello123 too. It's for those of us who want added security. 

fwaits says:

Optional.  If you don't configure the account as noted above to use 2-step auth, then you don't have it active.  Keep this in mind though, you can add 'trusted devices' to the list such as your home PC or laptop and any other very frequently used devices that you feel safe about and when you log in via those, it will not require you to use the secondary code authentication, but if anyone else anywhere else does, the prompt will come up.  That should eliminate most of the prompts for you in the bulk of your use cases, but still protect you from hacking and such from any other device.

I noticed this this morning. Thought it was an option I'd missed that had been there! Set it up then read on the verge (I know, I know) that it was a new feature. Glad to have it.

bjd223 says:

Finally. I have been waiting for this for while.

MS has also enabled alias sign-in (I haven't been able to get it to work yet, but I'm sure it is coming). Do you guys think this might mean we can add that to our WPs so we can email from the alias? That would be awesome:)

Zyr says:

This is excellent news. The lack of 2FA was the one thing that kept me tied to my gmail/google apps accounts. Looks like I'll be switching my gmail + looking into switching my domain to outlook now!

silverdoe says:

Battle.net has its own Authenticator, but Steam still sends email, sometimes takes ages to arrive, need this ASAP. It has the most valuable contents anyway. A freaking Steam app would be welcomed, too!

Odog4ever says:

I'm sure there are interns in the WPCentral community that will volunteer to proofread blog posts BEFORE they go live on the site...

jaethos says:

My account doesn't have the option yet, but when I went to update my address on my account it made me do it anyway, by sending an email to my alt account with a code.

zigzagr63 says:

Ok... Maybe I'm stupid here. I downloaded this app and I can't figure out how to sync my account to it. I'm lost......

pdaneophyte says:

And Microsoft forces us to put our contacts list on the cloud too... No thank you, bring back the old Activesync from WM days please and let me sync locally to Outlook on my computer. My data, I'll keep close to me. Security rule no 1, physical possession is 90% of the ownership.

John20212 says:

Can you set up the same WP (authenticator app) with more than one MS account?

Cirga says:

"Do note that should you know your password but lose access to the secondary security proof, the only option is to go through a recovery process that enforces a 30 day wait before access can be regained."

So if I use this app, and I lose my phone, or it gets bricked somehow, or has to have a hard reset, then the only way to access my account is to contact MS and wait 30 days and subsequently not be able to set up a replacement phone until the authenticator is removed? I don't know about anyone else, but I can't afford to not have my phone for that long. MS should allow you to have some other means of removing the authenticator, maybe something SMS based like Blizzard's SMS Protect, or maybe you can specify a dedicated land line that if you call from you can remove the authenticator.

DalekSnare says:

2FA doesn't seem to work with Windows Phone 7.8. I had to disable it again to download apps. When I enabled it and then tried to download the authentication app, my phone told me I could no longer access my account.

Zodman says:

I had exactly the same problem, but it wasn't too difficult to resolve:

  1. On a PC, login to live and get a new app password following instructions here
  2. On your WP7.8, go to Settings | email + accounts | Windows Live
  3. Enter the app password from your PC in the password field and select OK
  4. Synchronise

Now you can go back to the authenticator app (or any other app for that matter) and download.

Corepc says:

Authenticator app updated to no details

pepsijosh says:

I got this error =(

Can't turn on two-step verification
Before you can turn on two-step verification, you need to unlink your linked Microsoft accounts

afrostyle126 says:

When downloading an app from the store on windows phone 8 there's an error signing into the microsoft account when two step verification is on

m0unds says:

It needs some work - my SkyDrive account randomly disconnected on my phone (920), and it wouldn't accept an app password. It needed me to use the regular account password and then a second factor source (e.g. authenticator app, email, etc). When I switched over to the authenticator, it wiped out the credentials from the sign-in page; I had to enter them again and by then, the code had expired. They need to make their own services accept app passwords like Google does for Android devices w/2-factor auth enabled.

kirlam says:

I've found the same pain. ... And finally after getting in and getting all the passwords correct my SkyDrive won't download any files to my phone. It just keeps saying it can't download. It asks me if I want to open in the web browser. If I click yes the phone flicks to the browser, starts to open a link that triggers it to flick back to the SkyDrive app and tell me again it can't download. This is a screw up. Think I'll be taking two factor authentication off my account until they can get it right.