Must Read: Google Glass jailbreak: Let the evil commence

Topic: Security

Microsoft rolling out two-factor authentication across its product line

Summary: Microsoft is joining the two-factor authentication ranks, adding support for this security mechanism across its products and services accessible via a Microsoft Account.

Mary Jo Foley

By for All About Microsoft |

There have been hints for the past week-plus -- courtesy of Liveside.net -- that Microsoft was poised to roll out two-factor authentication for its Microsoft Accounts. On April 17, Microsoft did just that.

mssecurity2factor

Microsoft is calling this security process "two-step verification." Microsoft is making available two-step verification across all products and services accessible via a Microsoft Account. This includes Windows, Windows Phone, Xbox, Outlook.com, SkyDrive, Office and more. The rollout will be happening over the "next couple of days," according to the company.

(Microsoft Account is the new name for Microsoft's Live IDs.)

Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams because the victim's password would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors already have implemented two-factor authentication.

As Liveside explained it recently, Microsoft will allow users to set up two-step verification when logging into their Microsoft Accounts from any devices or apps. In addition to typing in one's password, a user also will be prompted to enter a security code randomly generated by an Authenticator app on his/her phone.

Microsoft posted more about how the two-step verification process will work on The Official Microsoft Blog on April 17.

As Liveside also noted, this two-step verification won't work with linked accounts, requiring users to unlink any/all linked accounts before turning the feature on. Some apps like the mail app on some phones also may not support this process. For those users, according to Liveside, Microsoft added a feature called app password that will generate a password from the Microsoft Account Website.

As ZDNet noted recently, Microsoft's Outlook.com already has a similar "single use password" feature that sends a numerical token to the user's smartphone as an SMS. It does require some form of connectivity and does not require the user's original password. "Rather than an additional form of security, it is viewed as a means to safely log in on computers where the users' password might be compromised," explained ZDNet's Michael Lee.

Currently, Lee noted, certain Microsoft features already require an additional factor of security to access, such as transactions conducted over billing.microsoft.com and establishing a SkyDrive connection to a PC. In these cases,  users must enter a numerical token (sent via SMS or email) in addition to being logged in.

 

Topics: Security, Microsoft, Windows, Windows Phone

About

Mary Jo has covered the tech industry for more than 25 years for a variety of publications and Web sites, and is a frequent guest on radio, TV and podcasts, speaking about all things Microsoft-related. She is the author of Microsoft 2.0: How Microsoft plans to stay relevant in the post-Gates era (John Wiley & Sons, 2008).

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

20 comments
Log in or register to join the discussion

  • Not interested.

    Why should I have to use my cell phone to log into a web site? So I guess these folks are now TELLING their customers they must purchase and pay a monthly fee for a cell phone. Just crazy!!
    NOmoreMicrosoftATall
    Reply 1 Vote

    • Had you actually READ the article ...

      You'd find that this is an optional new feature for those that DO want to protect themselves:

      "we remain vigilant in working hard to protect your account, which is why we’re adding an option so you can enable two-step verification to further protect yourself."
      bitcrazed
      Reply 4 Votes

      • Secure Log-In Should Be Available to Everyone with or Without a Phone

        Although I have a cell phone, I don't have text or web access enabled. I should be able to get secure log-in without having to buy a phone or pay for features I don't need or want. Send me an email encrypted with my public key that I can decrypt with my private key. Slightly slower for me, but good enough.
        oldnuke69
        Reply Vote

        • There probably will be.

          If it's anything like Google's two step, you can use either cell or land line with audio feedback responses. I think there was another option too, but don't remember what it was.
          Narg
          Reply Vote

          • Again ...

            ... read the article. And be sure to pay attention to the types of 2nd-factor auth supported.
            bitcrazed
            Reply Vote

    • It's optional.

      Every place I've been to that uses "two-step" or two-factor authentication makes it optional.
      CobraA1
      Reply Vote

    • There is an assumption...

      That every person on the planet has a cell phone and loads their app. I certainly don't use the LiveID service, but IF I did, I would promptly find another service. Tying a cell phone app to an account is too bold of a move at this point. Why not just make the app run on multiple platforms (phone, desktop client, etc.)?
      Chris_Clay
      Reply Vote

  • LOLOL Microsoft trying to beat Apple to the punch

    I guess Ballmer's quaking in his size 50 Dickies because Apple is about to come out with two step authentication on their mobile products using both a passcode and fingerprint reader.
    toddbottom7
    Reply Vote

    • Re:

      LOLOL Apple trying to beat Google to the punch. I guess that flamboyant CEO from Apple wanted to copy Google.
      Martijn2
      Reply 1 Vote

    • lol..apple first need to patch their sinking ship

      they make a few toys and still can't handle their small world..why can't just fingerprint be enough by the way?? lol ...you though you were genius...just Another view :D
      dugbug11
      Reply Vote

      • They can't even get Day-Light savings time correct....

        what a joke....
        Owllll1net
        Reply Vote

        • DST

          Daylight Stupid Time: Who cares. We don't use it. No changing clocks, or anything like that. Except for stupid clock makers that insist everyone is doing it.
          320vu50@...
          Reply Vote

    • Wow

      You somehow turned something good into something bad.

      And the finger-print rumor again? Really?
      Michael Alan Goff
      Reply Vote

  • Apple, BAHAHAHA

    Apple don't even support NFC...
    Owllll1net
    Reply 3 Votes

  • Microsoft rolling out two-factor authentication across its product line

    Kudos to Microsoft for taking the steps necessary to make my logins more secure.
    Loverock-Davidson
    Reply 1 Vote

    • Doing the 2 step

      That is a great idea so long as it stays optional. If the two passwords aren't fixed, then it is a real problem when it comes to checking e-mail at Outlook.com from the Windows Office Suite Outlook E-mail program, which only allows for one fixed password for an account.

      I knew I put that .com thing into limbo land for a reason, other than I don't like the way Outlook.com works, and the automatic instant messenger log on "feature".

      I only keep Hotmail.com because it is my sign in for anything Mickeysoft.
      320vu50@...
      Reply Vote

  • 2-Factor pointless!

    The two factor is pointless, if you don't have access to your phone or email account you click "I don't have access to these" and then you select to add a new email account (use a fake account created via TOR so untraceable) and it emails you a code to that fake email.........what is the point? Maybe it just stops the below average half of the population from entering your account with just the password or something.........if anyone else has the actual password they can get in and anonymously at that!
    HDizzle84
    Reply 1 Vote

    • Scratch that!

      Seems that it must have taken a while at MS end to realise I had set up two-factor because now when I say "I don't have this" and I try enter an email into the security info it will force a 30 day wait which is good!
      HDizzle84
      Reply Vote

  • Microsoft 2 tier ID "unknown" to my security suite.

    I went on your site today , to check out the link tothe Microsoft 2 Tier ID, and my security suite states the site is "UNKNOWN".

    Would this be normal for a ZD net site link,i have never had this problem Previously, or i would not be inhabiting your site as much as i do.
    Fredsan
    Reply Vote

  • phone

    no cell phone, no house phone here. why scammers!!!! emails don't call at dinner time.
    charlieg1
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close