The default settings for Windows 10 strongly encourage you to sign in with a Microsoft account. Although it's easy enough to switch to a local account, there are good reasons for connecting that Microsoft account, including the ability to easily sync settings between devices.
But that powerful account is potentially a source of headaches if your credentials are stolen or phished. To protect yourself, I recommend that you turn on Microsoft's additional security features, which require a second form of authentication if someone tries to use those credentials on an unknown device.
The option is buried deep in the web interface for a Microsoft account. Fortunately, there's an easy-to-remember shortcut:
Signing in with your Microsoft account at that page gives you access to three advanced security settings:
- Two-step verification forces you to provide a second proof of identity when you sign in on an untrusted device. That proof is a code that can be sent to an email address, delivered as a text message to your mobile phone, or generated by an authenticator app on your mobile phone.
- The trusted devices list lets you skip the second factor on a device you own after you successfully prove your identity. If a device is stolen, or you suspect you've been compromised, you can clear this list and force a 2FA prompt the next time you sign in on each previously trusted device.
- A recovery code is worth printing out and saving in a secure location as a way to regain access if you lose access to other verification options.
Note that if you turn on two-step verification, you'll need to generate app passwords for signing in to Xbox, Microsoft Outlook, and third-party apps that can't receive a 2FA code.
Given the havoc that a hacked account can cause, I strongly recommend visiting this page and tightening up your Microsoft account security.
Next week: Another Windows 10 tip from Ed Bott