Microsoft rolling out two-factor authentication across its product line

Microsoft is joining the two-factor authentication ranks, adding support for this security mechanism across its products and services accessible via a Microsoft Account.
Written by Mary Jo Foley, Senior Contributing Editor

There have been hints for the past week-plus -- courtesy of Liveside.net -- that Microsoft was poised to roll out two-factor authentication for its Microsoft Accounts. On April 17, Microsoft did just that.


Microsoft is calling this security process "two-step verification" and is making it available across all products and services accessible via a Microsoft Account. This includes Windows, Windows Phone, Xbox, Outlook.com, SkyDrive, Office and more. The rollout will happen over the "next couple of days," according to the company.

(Microsoft Account is the new name for Microsoft's Live IDs.)

Two-factor authentication is aimed at reducing the likelihood of online identity theft, phishing and other scams, because the victim's password alone would no longer be enough to give a thief access to their information. Apple, PayPal, Google, Facebook and other vendors have already implemented two-factor authentication.

As Liveside explained it recently, Microsoft will allow users to set up two-step verification when logging into their Microsoft Accounts from any device or app. In addition to typing in their password, users will also be prompted to enter a security code randomly generated by an Authenticator app on their phone.

Microsoft posted more about how the two-step verification process will work on The Official Microsoft Blog on April 17.

As Liveside also noted, two-step verification won't work with linked accounts, so users must unlink all linked accounts before turning the feature on. Some apps, like the mail app on some phones, also may not support this process. For those users, according to Liveside, Microsoft added a feature called "app password" that will generate a password from the Microsoft Account website.

As ZDNet noted recently, Microsoft's Outlook.com already has a similar "single use password" feature that sends a numerical token to the user's smartphone as an SMS. It does require some form of connectivity and does not require the user's original password. "Rather than an additional form of security, it is viewed as a means to safely log in on computers where the users' password might be compromised," explained ZDNet's Michael Lee.

Currently, Lee noted, certain Microsoft features already require an additional factor of security to access, such as transactions conducted over billing.microsoft.com and establishing a SkyDrive connection to a PC. In these cases, users must enter a numerical token (sent via SMS or email) in addition to being logged in.

