Tip: Secure Your Microsoft Account with Two-Step Verification

Posted on January 26, 2017 by Paul Thurrott in Microsoft Consumer Services with 13 Comments


Don’t let the shit hit the fan. Configure 2FA for your MSA.

If you’re using a Microsoft account (MSA), you need to secure it with two-step verification. And then use an authenticator app to make it painless.

I discussed this and other Microsoft account security features recently in First Steps: The Proper Care and Feeding of Your Microsoft Account. If you haven’t, please read that article now, paying particular attention to the “Review and edit MSA security features” section.

Note: Two-step verification is basically Microsoft’s name for two-factor authentication (2FA). While they are not technically the same, for purposes of this discussion, these terms are interchangeable.

Here’s how to enable 2FA for your MSA.

Open a web browser on your PC, navigate to the Microsoft account website at account.microsoft.com, and sign in as required. Then, select Security from the menu at the top.

From the Security page, select “more security options”. On this Additional Security Options page, you will see a section called Two-Step Verification. Select the link “Set up two-step verification.”

This launches a web-based wizard which will help you enable 2FA and warn about the older devices, apps, and services (Windows Phone 8-based phones, Xbox 360 and a few other older things) that do not support 2FA and will thus require an app password (which you can generate on the fly from the Microsoft account website).

By default, 2FA will rely on whatever security info you configured for your MSA. That is, you can choose to approve sign-ins via whatever configured email address(es) or phone numbers (via text messaging) you have listed under the “Security info helps keep your account secure” section on the MSA Security Settings page.

But there is a better way.

Instead of relying on emails or text messages, you can approve sign-ins using an authenticator app on your phone. Your MSA will work with virtually any high-quality authenticator app—like the versions from Google and LastPass—but I strongly recommend using Microsoft Authenticator, which is available on Android, iPhone, and Windows phones. Why? Because this app offers a much easier way to approve sign-ins than other authenticator apps.

To configure an authenticator app, locate the “Identity Verification Apps” section on the MSA Security Settings page. Then, select the link “Set up identity verification app.”

This launches a web-based wizard which first prompts you for the type of phone you’re using: Windows Phone, Android, iPhone, or Other. Then it will prompt you to install the Microsoft Authenticator app (which you should, though again you can use other authenticator apps too).

Now, open the authenticator app on your phone. (I will assume you’re using Microsoft Authenticator, but the steps are similar for other apps.) Tap the “+” button in the top right of the app and then select “Personal account” from the account type list. Then, sign in to your Microsoft account.

Note that, this one time, you’ll need to approve the sign-in using a method you previously configured (email or text message). Once you do so, your Microsoft account will appear in the list of accounts in the app’s main view.

You will need to use the authenticator app when you sign in with your MSA on a new device, web browser, or similar. And then you will need to re-authenticate every month or so. With the Microsoft Authenticator app, you can simply approve requests directly from the phone, which is much simpler than the old way: You’ll see a pop-up notification that you can approve.

(With other authenticator apps or with other account types, you can type in the code that is generated by the app for each account. There is a new code generated every 30 seconds.)

And now you’re good to go: With 2FA configured on your MSA and by using an authenticator app on your phone, you have the best of both worlds: Better security and great usability. And if you don’t have your phone with you at some point, you can still use those other methods to authenticate sign-ins as a backup.


Comments (13)

  1. 545


    Are there any gotchas going from the old Windows Phone Authenticator to the newer version that supports push approvals?


    • 5428

      In reply to Sarge:

      I need to know this as well. I tried to switch and it got tangled up. Seems part of the process thought it was done and another part of the process thought it wasn't. Has anybody succeeded in making this switch with a Windows Phone (Win10 Mobile 14393.x)?

  2. 5101

    "older devices, apps, and services (Windows Phone 8-based phones, Xbox 360 and a few other older things) that do not support 2FA and will thus require an app password"

    To this list of ancient technologies you can also add Outlook 2016.


    Also not sure why you can't enable this for sign in to Windows 10 itself.

    • 5639

      In reply to evancox10:

      Does 2-factor really gain you anything if you have to use an app password?

      Seems like the weak point becomes the single-factor app password.


      • 5101

        In reply to red.radar:


        You misunderstood me, I think; I mean using 2FA for logging into Windows, not app passwords.

      • 1146

        In reply to red.radar:

        App passwords cannot be used for interactive logins, cannot be selected by the user (good length and complexity) and once set can only be revoked.

        Btw, Outlook 2016 works fine without an app password.

        Also btw, you can Azure AD join Windows 10 PCs for 2FA sign-in with E series O365 plans.



      • 313

        In reply to red.radar:

        App passwords are usually something you have to enter only once, and are long and complex enough that they won't be easily brute forced. You can also revoke them at any time. I find the solution acceptable for specific things that don't support proper 2FA.


  3. 442

    Two-Step everything that you can.  If you can't, call that company and ask "WHY NOT??!!" :)

  4. 5538

    Would be nice to add an optional layer of security, maybe so they can add more features to the Authenticator app. Say, allow a PIN/bio login to get into it, so you can maybe just generate app passwords that way. The current way of getting app passwords is extremely cumbersome, and hidden deep in your Microsoft account security settings.

  5. 4125

    For everyone doing this, be sure to print out the emergency recovery keys and keep them in a safe location. Should the phone you use as a token ever get stolen or lost, you can use these codes to regain access to your account.
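The recovery codes this comment refers to are single-use bypass credentials, so the useful properties on the service side are that they are generated from a cryptographic random source, stored only as salted hashes (like passwords), and invalidated the moment one is redeemed. The example below is an added illustration of that design and is not Microsoft’s implementation; the alphabet, code length, iteration count and the `RecoveryCodeStore` class are all my own assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lowercase letters and digits with the look-alike
# characters (0/o, 1/l/i) removed, since users type these from paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 8, length: int = 10) -> list:
    """Produce `count` random codes of `length` characters (about 49.5 bits
    each with this 31-symbol alphabet), formatted as xxxxx-xxxxx for legibility.
    The plaintext list is shown to the user once and then discarded."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalize(code: str) -> str:
    # Tolerate the separator, spaces and capitalisation a user may add when typing.
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str, salt: bytes) -> bytes:
    # Store only a slow salted hash so a leaked database does not yield usable codes.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Per-account store of unredeemed recovery-code hashes (hypothetical helper)."""

    def __init__(self, codes: list):
        self.salt = secrets.token_bytes(16)
        self._unused = [_digest(c, self.salt) for c in codes]

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the code if it matches an unused entry.
        Every stored hash is compared in constant time; a code can match once."""
        digest = _digest(candidate, self.salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, digest):
                del self._unused[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("print and keep these somewhere safe:", *codes, sep="\n  ")
    store = RecoveryCodeStore(codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use accepted:", store.redeem(codes[0]))
    print("codes remaining:", store.remaining())
```

Two details worth noting: the redemption path deliberately does not stop early on the first mismatch in a way that leaks which slot was close, and a real service would also rate-limit redemption attempts and alert the account owner when a recovery code is used, since that event usually means the second factor has been lost.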

  6. 8547

    CAUTION - I received a notice from Microsoft that in order to complete the migration to the "new" Outlook.com I had to reconnect Outlook 2016.  (I.e. remove and re-add the Outlook.com account to Outlook 2016)  I did this, but was unable to re-add the Outlook.com account.  With 2FA turned on, I could not log in with either my Microsoft Account password or an App Password.  The only way I could re-add the Outlook.com account was to turn off 2FA.  This appears to be a known problem, since there was a workaround cited in the Microsoft instructions, but the workaround (using an App Password) didn't work.



  7. 4610

    I'd really love to do this. Problem is, I use a Nexus 6P and Outlook for Android won't sync my contacts properly (I can't add or edit contacts and they randomly disappear). So I have to use Nine, which doesn't handle 2FA. 


    Really sucks, as I use outlook.com and OneDrive almost exclusively.

  8. 2849

    I set this up and was disappointed to learn that Office Lens doesn't support MFA.  I normally have Office Lens saving whiteboards/etc. to a OneNote notebook stored in OneDrive (for consumers).

    We have MFA configured for our corporate Office 365 tenant, so I can't save the output from Office Lens to my OneDrive for Business either.