Keep your Microsoft account safer with two-factor authentication

Your Microsoft account is the gateway to too many critical services to secure with a simple password.

If you use Microsoft services like SkyDrive, webmail, or Xbox Live, you have a Microsoft account. If you have a Microsoft account, you might use it to store personal information that you wouldn't want hackers to be able to get at. You know, credit cards and tax returns and such. Turning on two-factor authentication can help keep would-be data thieves out, and your secrets secret.

Two-factor authentication--which Microsoft accurately calls two-step authentication--is based on a simple premise: It requires you to enter a single-use security code in addition to your username and password when you log in. This can help keep bad guys out of your account, even if they get ahold of your account name and password.

Set up two-step authentication in two easy steps

To start, log into your Microsoft account by visiting and entering your username and password as instructed. Once you're logged in, select Security Info from the list on the left-hand side of your browser window.

Microsoft may ask you to verify your identity by sending a security code to you via text message or phone call (if you provided a cellphone number when you set up your account), or via the email address associated with your account. Select the option you prefer from the list and press Next, then enter this code on the next screen and press Submit. You now have access to your security settings--and you just got a taste of what to expect from two-factor authentication.

Now that you're on the Security info screen, look for the Two-step verification heading and click the link labelled Set up two-step verification: Microsoft will begin to step you through the process.

Once you click through the next screen--which gives you an overview of the process--Microsoft will recommend that you download an authenticator app for your smartphone. Unlike text messages, an authenticator app will work in an area where you have a Wi-Fi connection but no cell coverage. Follow the instructions on screen, then click Pair.

If you don't want to go hunt down a decent authenticator app (I don't blame you), press Skip: Just be aware that you might have trouble getting into your account if you're ever in a dead zone and can't receive calls or texts.

Microsoft will make sure it has another way to contact you on file if all else fails--by default, it will show you the email address that's associated with your account. Confirm it and press Next, and Microsoft will send you a security code to that email address. Type or paste it in when prompted, then press Next again.

App passwords: A password for your password

At this point, two-step authentication is set up and ready to go. This only transitions us into the world of app passwords: specialized passwords generated specifically for use with apps that don't support Microsoft's two-step authentication. If you use email on your non-Windows smartphone, you will need to generate an app password that will work with your email client of choice. Select your smartphone from the list if this applies to you; otherwise, press Next.

On the next screen, Microsoft will helpfully tell you that you may need to set up app passwords for other apps and services that rely on your Microsoft account. Read this page and click Finish to move on.

To create an app password, go to the Security info page and click the Create a new app password link under the App passwords heading. Jot down the password it generates, and enter that into whichever app you need it for. Each app needs its own app password, so if you need more, click Create another app password to your heart's content.
