Microsoft rolling out two-factor authentication across its product line

Microsoft rolling out two-factor authentication across its product line

Summary: Microsoft is joining the two-factor authentication ranks, adding support for this security mechanism across its products and services accessible via a Microsoft Account.


There have been hints for the past week-plus -- courtesy of -- that Microsoft was poised to roll out two-factor authentication for its Microsoft Accounts. On April 17, Microsoft did just that.


Microsoft is calling this security process "two-step verification." Microsoft is making available two-step verification across all products and services accessible via a Microsoft Account. This includes Windows, Windows Phone, Xbox,, SkyDrive, Office and more. The rollout will be happening over the "next couple of days," according to the company.

(Microsoft Account is the new name for Microsoft's Live IDs.)

Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim's password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.

As Liveside explained it recently, Microsoft will allow users to set up two-step verification when logging into their Microsoft Accounts from any devices or apps. In addition to typing in one's password, a user also will be prompted to enter a security code randomly generated by an Authenticator app on his/her phone.

Microsoft posted more about how the two-step verification process will work on The Official Microsoft Blog on April 17.

As Liveside also noted, this two-step verification won't work with linked accounts, requiring users to unlink any/all linked accounts before turning the feature on. Some apps like the mail app on some phones also may not support this process. For those users, according to Liveside, Microsoft added a feature called app password that will generate a password from the Microsoft Account Website.

As ZDNet noted recently, Microsoft's already has a similar "single use password" feature that sends a numerical token to the user's smartphone as an SMS. It does require some form of connectivity and does not require the user's original password. "Rather than an additional form of security, it is viewed as a means to safely log in on computers where the users' password might be compromised," explained ZDNet's Michael Lee.

Currently, Lee noted, certain Microsoft features already require an additional factor of security to access, such as transactions conducted over and establishing a SkyDrive connection to a PC. In these cases,  users must enter a numerical token (sent via SMS or email) in addition to being logged in.


Topics: Security, Microsoft, Windows, Windows Phone


Mary Jo has covered the tech industry for 30 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Not interested.

    Why should I have to use my cell phone to log into a web site? So I guess these folks are now TELLING their customers they must purchase and pay a monthly fee for a cell phone. Just crazy!!
    • Had you actually READ the article ...

      You'd find that this is an optional new feature for those that DO want to protect themselves:

      "we remain vigilant in working hard to protect your account, which is why we’re adding an option so you can enable two-step verification to further protect yourself."
      • Secure Log-In Should Be Available to Everyone with or Without a Phone

        Although I have a cell phone, I don't have text or web access enabled. I should be able to get secure log-in without having to buy a phone or pay for features I don't need or want. Send me an email encrypted with my public key that I can decrypt with my private key. Slightly slower for me, but good enough.
        • There probably will be.

          If it's anything like Google's two step, you can use either cell or land line with audio feedback responses. I think there was another option too, but don't remember what it was.
          • Again ...

            ... read the article. And be sure to pay attention to the types of 2nd-factor auth supported.
    • It's optional.

      Every place I've been to that uses "two-step" or two-factor authentication makes it optional.
    • There is an assumption...

      That every person on the planet has a cell phone and loads their app. I certainly don't use the LiveID service, but IF I did, I would promptly find another service. Tying a cell phone app to an account is too bold of a move at this point. Why not just make the app run on multiple platforms (phone, desktop client, etc.)?
    • Read more, talk less...


      You're kind of an idiot.
      Erich Weiss
  • Apple, BAHAHAHA

    Apple don't even support NFC...
  • Microsoft rolling out two-factor authentication across its product line

    Kudos to Microsoft for taking the steps necessary to make my logins more secure.
    • Doing the 2 step

      That is a great idea so long as it stays optional. If the two passwords aren't fixed, then it is a real problem when it comes to checking e-mail at from the Windows Office Suite Outlook E-mail program, which only allows for one fixed password for an account.

      I knew I put that .com thing into limbo land for a reason, other than I don't like the way works, and the automatic instant messenger log on "feature".

      I only keep because it is my sign in for anything Mickeysoft.
  • 2-Factor pointless!

    The two factor is pointless, if you don't have access to your phone or email account you click "I don't have access to these" and then you select to add a new email account (use a fake account created via TOR so untraceable) and it emails you a code to that fake email.........what is the point? Maybe it just stops the below average half of the population from entering your account with just the password or something.........if anyone else has the actual password they can get in and anonymously at that!
    • Scratch that!

      Seems that it must have taken a while at MS end to realise I had set up two-factor because now when I say "I don't have this" and I try enter an email into the security info it will force a 30 day wait which is good!
  • Microsoft 2 tier ID "unknown" to my security suite.

    I went on your site today , to check out the link tothe Microsoft 2 Tier ID, and my security suite states the site is "UNKNOWN".

    Would this be normal for a ZD net site link,i have never had this problem Previously, or i would not be inhabiting your site as much as i do.
  • phone

    no cell phone, no house phone here. why scammers!!!! emails don't call at dinner time.
  • If a site uses two factor auth using cells and you don't have a cell...

    Then don't use it...
    Erich Weiss