Why you can trust ZDNET : ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission. Our process

'ZDNET Recommends': What exactly does it mean?

ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.

When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.

ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.


How to lock down your Microsoft account and guard it from attackers

You can get a Microsoft account for free, but that doesn't begin to describe its value, especially if you use that account for crucial email and cloud storage. Here are seven steps to establish a solid baseline of security and protection.
Written by Ed Bott, Senior Contributing Editor
Gorgaiphotography/Getty Images

What's your most valuable online account, the one most deserving of protection? If you have a personal Microsoft account, that account should be among those you guard most jealously. That's especially true if you use that account and its associated email address to sign in to one or more Windows PCs or to create and save documents using the Office apps in Microsoft 365 and Microsoft's OneDrive cloud storage service. 

In this post, I list seven steps you can take to help you lock that account down so it's safe from online attacks. Your goal is to prevent an unauthorized person from stealing your account credentials and using them to access your private information. 

As always, there's a balancing act between convenience and security, so I've divided the steps into three groups, based on how tightly you want to lock down your Microsoft account.

Also: 6 simple cybersecurity rules to live by

And here's an important note right up front: This article is about the free consumer Microsoft accounts used with Microsoft 365 Family and Personal editions and the personal OneDrive service. These accounts are typically associated with an email address using the @outlook.com domain, although older accounts might also use @hotmail.com, @live.com, or @msn.com. Security settings for business and enterprise Microsoft 365 accounts, which use the OneDrive for Business cloud service, are managed by domain administrators through Entra ID (formerly known as Azure Active Directory), using a completely different set of tools.

How much security do you need?

Baseline: The baseline level of security (steps 1-3) is perfectly acceptable for most casual users of Microsoft services, especially those who don't use their Microsoft email address as a primary factor for signing in to other sites. If you're helping a friend or relative who's technically unsophisticated and intimidated by passwords, these options will do a lot of good.

The first step is to create a strong password for your Microsoft account, one that's not used by any other account. Next, you'll turn on two-step verification (Microsoft's term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. Enabling that feature requires you to supply additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as changing your password or adding a credit card to your account. The additional verification typically consists of a code sent in an SMS text message to a trusted device or in an email message to a registered alternate account.

Finally, you'll save a recovery code that allows you to access your account if you forget that password and don't have access to any other authentication methods.

Better: Those baseline precautions are adequate, but you can tighten security significantly with the actions outlined in steps 4 and 5.

Also: User forgetfulness drives preference for biometrics over passwords

First, install the Microsoft Authenticator app on your smartphone (it's available for iPhone and Android devices) and set it up for use as a sign-in and verification option. Then add a secure email address as a backup factor to verify your identity.

Maximum: The final two steps provide the most extreme security, adding at least one physical hardware key along with the Microsoft Authenticator app, and then removing SMS text messages as a backup verification factor. With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won't be able to break into your account by intercepting text messages or hijacking your mobile phone account.

That configuration places significant roadblocks in the way of even the most determined attacker. It requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it's by far the most effective way to secure your Microsoft account.

Let's get started.

Here's how to lock down your Microsoft account

Step 1: Create a new, strong password

Screenshot by Ed Bott/ZDNET

First things first: You need a strong, unique password for your Microsoft account. Microsoft requires a minimum password length of eight characters, but security experts recommend that you make your password longer. A good length is 12-16 characters, using any random combination of uppercase and lowercase letters, numbers, and special characters. You can also use a passphrase consisting of four or more randomly selected words, separated by a special character such as a hyphen.

The best way to ensure that you've nailed this requirement is to use your password manager's tools to generate a brand-new, random password or passphrase. (No password manager? Try an online option like the 1Password Strong Password Generator or the Bitwarden Password Generator.)

Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn't part of a password breach.

Also: The best password managers to save you from login hassle 

To change your password, go to the Microsoft Account Security Basics page at https://account.microsoft.com/security/. Sign in, if necessary, then click Change Password. (But don't check the box that requires you to change your password every 72 days. That will surely annoy you, and it won't make your account appreciably more secure.) 

Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just make sure to store the paper in a secure location, such as a locked file drawer or a safe.

Step 2: Turn on two-step verification

Screenshot by Ed Bott/ZDNET

Don't leave the Microsoft Account Security page just yet. Instead, scroll up to the Two-Step Verification section (under the Additional Security heading) and make sure this option is turned on.

The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. If you're using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.

Step 3: Create a recovery code and keep it in a safe place

Screenshot by Ed Bott/ZDNET

The next step is to save a recovery code. If you're ever unable to sign in to your account because you've forgotten the password, having access to this code will save you from being permanently locked out.

Setting up two-step verification, as you did in the previous step, automatically prompts you to create a recovery code. If you didn't keep a copy of that code, you'll need to create a new one. On the Microsoft Account Security Basics page, find the Advanced Security Options section and click Get Started. That takes you to the not-so-basic Microsoft Account Security page. (To go there directly, bookmark this address: https://account.live.com/proofs/Manage/additional.)

Also: How AI can improve cybersecurity by harnessing diversity

Scroll to the bottom of the page and look for the Recovery Code section. Click Generate A New Code to display a dialog box like the one shown here.

Print out that recovery code and file it away in the same locked file cabinet or safe where you put your password. (Microsoft allows you to generate only one code at a time for a Microsoft account. Generating a new code renders the old code invalid.)

And now for some more advanced security options.

Step 4: Set up the Microsoft Authenticator app

Smartphone apps that generate Time-based One-time Password Algorithm (TOTP) codes are an increasingly popular form of multi-factor authentication, and I highly recommend their use for any service that supports them. (For more on these options, see "Protect yourself: How to choose the right two-factor authenticator app.")

Even if you use another authenticator app for most services, I recommend using Microsoft Authenticator with your Microsoft account. In this configuration, any sign-in attempt that requires verification sends a push notification to your smartphone. Approve the request, and you're done.

Also: The easiest thing you can do to keep your phone secure

An added bonus is that the Microsoft Authenticator app can be used for passwordless sign-in as well as verification.

To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use An App option and then, after installing the Microsoft Authenticator app, sign in using your account credentials.

Step 5: Add a secure email address as a form of verification

Screenshot by Ed Bott/ZDNET

Microsoft recommends that you have at least two forms of verification available in addition to your password. If you need to reset your password, when two-step verification is enabled, you'll need to supply both of those forms of identification or you risk being permanently locked out.

A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address secured by a professional IT staff is a much better choice. If necessary, you can have a verification code sent to that email address.

Go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify.

Choose the Email A Code option, enter your email address, and then enter the code you receive to confirm that verification option.

Step 6: Remove SMS text messages as a form of verification

Screenshot by Ed Bott/ZDNET

By this point, you should have more than enough secure ways to authenticate yourself and verify your identity. That means it's time to remove the weakest link in the chain: SMS text messages.

What makes SMS text messages so problematic from a security point of view is the reality that an attacker can hijack your mobile account. It happened to my ZDNET colleague Matthew Miller a few years ago, and I wouldn't wish that nightmare on anyone. (For details and some additional security advice, see "Protect your online identity now: Fight hackers with these 5 security safeguards.")

Also: Newly discovered Android malware has infected thousands of devices

Before you change this setting, confirm that you have at least two alternative forms of verification (a secure email address and the Microsoft Authenticator app, ideally) and that you've saved a recovery code for the account. Then, from the advanced Microsoft Account Security page, expand the Text A Code section.

Click Remove to eliminate this option.

Step 7: Use a hardware security key for authentication

Screenshot by Ed Bott/ZDNET

This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC adds the highest level of security.

For an overview of how this type of hardware works, see "YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas."

Also: The best security keys to protect yourself and your business

To configure a hardware key, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use A Security Key option and then follow the prompts. You'll need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you've got a powerful way to sign in to any service powered by your Microsoft account without having to fuss with passwords.

As I mentioned at the start of this article, most people don't need this level of advanced protection. But if your OneDrive account includes valuable documents like tax returns and bank statements, you'll want to lock it down as tightly as possible.

Editorial standards