Tip: Protect Your Online Accounts with Two-Factor Authentication

Posted on March 7, 2015 by Paul Thurrott in Outlook.com

While we will all one day move past the inherent insecurity of using crackable passwords to protect our most important online accounts—and the personal information and data they contain—you can take matters into your own hands today. And one of the most obvious things you should do is protect these accounts with two-factor authentication. Here’s how.

Two-factor authentication improves the security of your online account—any Microsoft account, including Hotmail and Outlook.com, Gmail, Dropbox, Twitter and many others—by adding a second “factor” to the authentication process used to prove that you are you. For those consumer-oriented online accounts, the first factor is always your password. The second factor is usually a code generated by a smart phone app, or sent via text message to your smart phone.

Adding your smart phone to the mix is important. A password is something that you know. But your smart phone is something you possess, something that will typically be with you at all times (and that should itself be protected by at least a four-digit PIN of its own). The theory here is that, yes, hackers could potentially steal your password, but they won’t also have your smart phone—or other second factor, whatever that may be—so they won’t be able to seize control of your account.

Two-factor authentication sounds great, and virtually all modern software systems that require you to enter account credentials—the Microsoft account sign-in in Windows Phone or in Windows 8 or newer, Microsoft and third-party mobile apps, and many others—work seamlessly with this authentication type. But there is of course a downside: when you enable two-factor authentication, you can’t just enter your user name and password. You must also fish out your phone, find the authenticator app or text message, and then enter the code it provides. It’s a bit of a hassle.

Now, you won’t need to enter a code every time you sign in to a Windows PC or Phone; you generally do this just once, when you set up the device. And web sites that accept two-factor authentication will only prompt you occasionally as well. But don’t get too comfortable seamlessly accessing your account online, as you will need to prove you’re you with that second factor going forward. Security isn’t always pretty or easy. But it is essential.

How you enable two-factor authentication varies from account to account, though how you generate the codes you’ll use going forward is pretty consistent. Here, I’ll look only at adding two-factor authentication—which Microsoft annoyingly calls two-step verification—to your Microsoft account. But the process is similar at Google, Dropbox and other online accounts, and you can and should add this layer of security to all accounts that support it. (And if you have multiple Microsoft accounts as I do, you should add this to each of them as well.)

Install an authenticator app on your smart phone

First, you should install an authenticator app on your smart phone. Technically, you don’t need an app, as a Microsoft account can also send codes to your phone via text message. But the app works even if you’re not connected, and it doesn’t use up text messages if you’re not on an unlimited plan. (It also works overseas without accruing extra charges.) The app also works with multiple accounts, including multiple accounts of the same type.

If you’re using Windows Phone, you want the Microsoft Authenticator app.

iPhone users should grab Google Authenticator.

Android users have a choice.

Yes, you can use Google Authenticator—it looks and works much like the iPhone version, naturally. But Microsoft also offers a unique Microsoft Account app which works a bit differently than the other authenticator apps: Instead of looking at a code in the app and then typing it elsewhere (in whatever interface is requesting the code), the Microsoft Account app on Android will display a notification on your handset whenever a code is requested; you can simply approve or deny it and not worry about typing in codes. Since this is much easier, I recommend using the Microsoft Account app if you’re on Android.

In each case, all you need to do is install the app for now. You will run it for the first time after you set up two-factor authentication on your account.

Enable and configure two-factor authentication on your Microsoft account

Now, navigate to account.microsoft.com—on your PC rather than on your smart phone, since in a moment you will scan a barcode from the PC’s screen with the phone—and sign in with your password.


Under Security & Privacy, click “Manage advanced security.” On the Protect Your Account screen that appears, you will see a heading called Two-Step Authentication. Click “Set up two-step verification.”


Here, you will choose which type of smart phone you’re using. I’ll assume Windows Phone here, but the instructions work similarly regardless of which platform you’re on.


On your phone, run the authenticator app. Tap the Add app bar button and then tap the Scan app bar button (it looks like a camera) so you can scan the onscreen barcode—yes, by pointing the phone’s camera at your PC’s screen.


Once the barcode is scanned—it’s really quick—the app will start generating codes immediately. The codes change every 30 seconds, so you need to make sure you have enough time to type the current code before it rolls over (if it does, just type the next one). But when you’re ready, enter the code into the Microsoft account web page to complete the configuration.

Next, over two more screens you’re prompted to update your smart phone and other devices like the Xbox 360 with something called an app password. This is only needed on older smart phones—like Windows Phone 8 or older—and some web sites or apps that don’t understand two-factor authentication. On such systems, you can use the Microsoft account web site to generate an app password: a random password that you use in place of your regular one for that single app or device. You’re still using two-factor authentication in the sense that you need both factors to sign in to the Microsoft account web site, which is what generates the app password. Those guys think of everything. Keep in mind, though, that the app password on its own lets that app in without a second factor, so treat it like any other password and remove it from the same screen when you retire the device.

Use two-step authentication to sign in

Going forward, when you are asked to sign-in to your Microsoft account on the web, in apps, in Windows (when setting up a new PC), in Windows Phone (when setting up a new handset) and elsewhere, you will enter your user name and password as always, but will then be asked to enter a code generated by your authenticator app. It will look like so.


Sign in to your smart phone, open the Authenticator app and type in the code you see that is associated with this account. You’re good to go.

If you’re using the Microsoft Account app on Android, it’s even simpler. When you hit the screen shown above, the app will display a notification like this one. Just tap Accept and you’re good to go. Only accept prompts for sign-ins you just started yourself: a prompt you didn’t trigger means someone else has your password, so deny it and change the password.


Next steps: App passwords are your friend

If you’re using this account with a number of older devices—Xbox 360, a Windows Phone handset running Windows Phone 8.0 or older—or other software, you may find that you need to sign in again, and that when you do, it won’t accept your normal password. If this ever happens, it’s most likely because the software is incompatible with two-step authentication. So you will need to use an app password instead.

To generate an app password, navigate to account.microsoft.com and sign in with your password. Then, click “Manage advanced security” under Security & Privacy. On the Protect Your Account screen that appears, you will see a heading called App Passwords. Click “Create a new app password,” and then type that password into whatever was rejecting your normal password.

Next steps: Make sure your Microsoft account is securely configured

Two-step authentication works well enough, but what happens if you need to enter a security code and you don’t have your phone with you? For these circumstances, you should fully configure your Microsoft account with security info that Microsoft can use to contact you. This is also found on the Protect Your Account screen (account.microsoft.com and then “Manage advanced security” under Security & Privacy).

Under the heading Security Info Helps Keep Your Account Secure, be sure to provide Microsoft with any relevant alternate email addresses and phone numbers (both mobile and land lines). For example, you might use your wife’s smart phone as an alternate verification source (via text message), or your home phone so Microsoft can call and read you the code. The goal here is to have alternate means of generating that second factor security code securely. (And for Microsoft to be able to reach you regardless.) Remember that each of these is also a way back into your account, so list only numbers and addresses you control. You can also configure each item to receive (or not receive) security alerts, so that each time a configuration change is made to your account, you’ll know about it.

Next steps: Change your second factor

If you later switch smart phones, you can simply turn off your existing authenticator app on that Protect Your Account screen and then configure a new one; do this before you wipe the old phone so you always have a working second factor. That is, you do not need to turn off two-factor authentication and then re-enable it. This is straightforward.

Next steps: Configure all of your other online accounts too

Be sure to follow these steps for all of your Microsoft accounts, Google/Gmail accounts, Dropbox accounts, and any other online accounts that support two-factor authentication. The authenticator apps described here all work with multiple accounts, including multiple accounts of the same type.

Questions? Did I miss something? Fire away. We need to get this one right.
