HOW TO: Microsoft Two-Factor Authentication

I recently wrote a post about the value of two-factor authentication. Two-step authentication helps protect you by making it more difficult for someone else to sign in to your online accounts. Even if a hacker successfully phishes for your credentials (username and password), they still won't be able to access your account without access to your smartphone and/or other second factor item (e.g. security key).  Now that you have been convinced that you want to use two-factor authentication to help keep your online accounts safe, how do you set it up.

Setting up two-factor authentication for Microsoft services is very easy and straightforward. To start, log into your Microsoft account by going to account.live.com and entering your username and password as instructed. If you use Microsoft services such Office 365, Skype, Outlook.com, OneDrive or Xbox Live, you have a Microsoft account.

Once you're logged in, select Security & Privacy from the list of options at the top of the page.

On the next page, select More security settings.

At this point, Microsoft will ask you to verify your identity by sending a security code to you via text message or phone call to the cellphone number that you provided when you set up your Microsoft account. Alternatively, the security code can be sent to the email address associated with your account. Select the option you prefer from the list and press Send code

Enter the code that you received on the next screen and press Submit.  Feel free to check the box next to "I sign in frequently on this device. Don't ask me for a code" IF this a computer that you on a daily basis. By checking this box, you will not be prompted for a code anymore on this device. It is important to remember that Microsoft will only ask you for a code if you don't use the device for 60 days. 

The next screen provides you the opportunity to setup an authenticator app on your phone. You can choose to Set it up now or to Set it up later. Click Set it up now.

At the next screen, you will asked to set up an identity verification app. Essentially this will walk you through the steps to setup an authenticator app on your smartphone (Windows Phone, Android or iOS). Identity verification apps basically allow you to verify your identity even if you can't get cellular phone service. Microsoft provides an app (Microsoft Account app) that can be installed on both Windows Phone and Android devices. If you are using an iOS device (iPhone or iPad), you will need to install the Google authenticator app. One thing to note is that these apps work differently based on your mobile platform but will still allow you to properly verify your identity in one of two ways:

  1. Entering a security code. A security code is generated by the app that you enter when you need to verify your identity. The codes are automatically generated and change after a certain period of time. The advantage of using security codes is that they can be generated even if your mobile device is offline (no cellular service).  
  2. Approve a notification. Instead of entering security codes, you receive a notification on your device when you need to verify your identity. Open the notification, approve it, and you're done. 

I'm not going into the setup process for the different platforms because they vary slightly but it's a simple process that Microsoft walks you through step-by-step. 

You should now be presented with a screen that shows a list of options that you can select from configure the security and privacy of your Microsoft account. 

Under Two-step verification (Microsoft refers to two-factor authentication as two-step verification), choose Set up two-step verification to turn it on. Next will you presented with a series of screens that will require your response. Click Next

Once two-step verification has been enabled on your account, the next two screens will allow you to setup an app password for your devices. Some apps (e.g. mail) or devices (e.g. Xbox) can't use regular security codes nor can they prompt you to enter a security code when you try to sign in. If you see an “incorrect password” error on an app or device after you turn on two-step verification, you'll need to generate and sign in with a new app password for each app or device that can't prompt you for a security code. Once you've signed in with your app password, you're all set to use that app or device. 

That's it. two-step verification has been turned on for your Microsoft account. You will also notice that a recovery code has been generated. You can use your recovery code to regain access to your Microsoft account if, for example, you lose the phone on which you normally receive validation codes to sign in. Think of the recovery code as a spare key to your house, so make sure you print out your recovery code and keep it in a safe place.

Now that two-step verification is turned on, you will be required to enter a security code in addition to your username and password every time you sign into a Microsoft account on a device that isn't trusted. Ultimately, this makes it very hard for someone to access your account even if they've obtained your user name and password.