LiveSide.net

Exclusive: Microsoft account to get two-factor authentication soon

By damaster | Posted April 9, 2013 | 42 comments

Last month we exclusively reported one of the new security features coming to Microsoft account – enhanced account aliases, intended to replace the account renaming feature currently in place. Whilst Microsoft has recently and silently switched the account renaming feature back on, the new account aliases feature has yet to make its appearance. However, LiveSide understands that Microsoft has more security features planned for its Microsoft account service. One of these new features is two-factor authentication.

[Screenshot: Microsoft account - Two factor authentication]

Once you set up “Two-step verification”, logging in to your Microsoft account from any device or app (with the exception of devices added to your trusted PC list) will require, in addition to your password, a security code randomly generated by an Authenticator app on your phone.

[Screenshot: Microsoft account - Two factor authentication login]

Interestingly, thanks to a tip from LiveSide reader Levee, the Authenticator app is already available on the Windows Phone Store. Below is a description of the app:

The Authenticator app generates security codes you can use to help keep your Microsoft account secure. You can add your Microsoft account to the app by scanning a barcode or by manually entering a secret key. The app implements industry-standard security code generation and may also work with other services and providers. You can learn more about keeping your Microsoft account secure at https://account.live.com/p.

Whilst currently unavailable, the Microsoft account website (http://account.live.com) will soon provide the ability to pair your Authenticator app to your account, as shown below:

[Screenshot: Microsoft account - Authenticator app]

One of the limitations of the two-step verification feature is that it will not work with linked accounts, so users are required to unlink all their linked accounts before turning the feature on. In addition, some apps or devices that use Microsoft account might not support two-step verification (such as the mail app on some phones), so Microsoft has also added a feature called “app password”. When you have turned on two-step verification and sign in to an app or device that doesn’t support the feature, simply generate an app password from the Microsoft account website and enter it into the password field to sign in.

[Screenshot: Microsoft account - Two factor authentication app password]

Unfortunately we do not yet know the timing of the release of this new feature, but rest assured that it will be coming soon. This will be a welcome update for many users who have been requesting this feature, particularly given Google accounts already support two-factor authentication. What do you think about this new feature? Let us know in the comments below!

Posted April 9th, 2013 at 4:36 am
Category: Featured, News
Tags: Microsoft account

  • http://twitter.com/efjay01 Ef Jay

    More security is good, nice feature.

  • http://www.facebook.com/profile.php?id=1346763016 cyborgs

    Why not just send SMS to phone? I don’t want to use App or Website.

    • damaster

      Microsoft account already supports SMS code verification. By clicking “use a different verification option” in the second screenshot above, you can choose several methods of verification, including SMS code.

      • http://www.facebook.com/profile.php?id=1346763016 cyborgs

        I have a phone number assigned to my account, but I can’t find options to send the code to my phone whenever I log in (Outlook, SkyDrive).

        • damaster

          As mentioned already in the article, two factor authentication has not yet been released.

          SMS code verification currently exists whenever you try to change your existing security info on http://account.live.com using a non-trusted device.

          • greg

            I believe it only requires two step for billing changes, as I am able to change all other sec info without MFA from a PC I have never logged in from before.

            Edit: Correction, I can view sec info, but to change it DOES indeed require an SMS code.

  • GoddersUK

    It won’t support linked accounts? Well that makes it as good as useless! Come on Microsoft, I’ve had two factor authentication on PayPal, Google and even Facebook for ages. It’s taken you long enough to bring it to WL and now it’s here you’ve decided to cripple it…

    • damaster

      I don’t see Paypal, Google or Facebook have linked accounts though….

      • GoddersUK

        Google kind of does, but it’s done on a local basis using cookies, in terms of functionality it’s way behind WL ID. However I don’t see why it should be that hard to implement 2 factor authentication across linked IDs in any case. No harder at least than implementing the current “1 factor” username and password system across linked IDs…

        EDIT: It’s probably also fair to say that the power users who are most likely to desire 2 factor authentication are also most likely to have linked accounts.

        • damaster

          I agree with you – the two don’t seem to contradict each other, and I sure hope they can be enabled at the same time.
          I’m not sure of the reason why the restriction is in place; it could be that the way linked accounts are designed is incompatible, but I’m sure Microsoft had thought about this and had to make a trade-off between the two (without having to rearchitect the linked account feature again). After all they are probably hoping people will use the new alias feature instead….

  • YeOldePharte

    Well, with 2FA (assuming it works as it should) at least I will feel a bit less vulnerable than I do with merely a 16 character password.

    Also, in reference to your opening comment about the aliases: whatever plans MS has for them, I hope users will at least be allowed the choice of NOT permitting aliases to be used as alternative login usernames. As Ef Jay said, more security is good. :-)

  • http://www.guillaumeb.com/ GuillaumeB

    So I guess Authenticator results from the acquisition of PhoneFactor: http://www.prnewswire.com/news-releases-test/microsoft-acquires-phonefactor-172660261.html

  • greg

    I think this is the first time I’ve seen LiveSide referenced from a cnet article. Looks like you guys were the first to leak this to the masses. Congrats!

  • Breakingillusions

    Great, I have been waiting for this for ages.

  • http://www.technicaloverload.com/ Nathan

    A welcome addition, hopefully it arrives soon.

  • Vito

    Great feature ;)

  • j lo

    From David Platt’s latest MSDN Column:

    http://msdn.microsoft.com/en-us/magazine/dn166939.aspx

    hassle budget (n.): The amount of security-related overhead that a user is willing to tolerate before he either throws away your product or figures out a workaround. “Wow, that User Account Control popping up all the time asking, ‘Are you sure?’ is a real pain in the ass, especially because I’ve never once said ‘no’ to it. It’s way over my hassle budget. I’m turning the thing off.”

    • YeOldePharte

      Good point. But it won’t be a hassle if (big IF) the Outlook team allows the cell phone code — or uses MS’s own ‘trusted pc’ feature — to function like Gmail’s 2FA, so a user doesn’t have to keep entering the 2FA code at every login where a trusted device is involved.

  • Dan_____E

    I think they should avoid reinventing the wheel and use an existing scheme – google or verisign, preferably one that works with an app and a hardware token like yubikey.

    • damaster

      It is an existing token scheme. You can use the Authenticator app (mentioned in the above article) for your Google account right now, and similarly you’ll be able to use Google’s Authenticator app on Microsoft account, once this feature is released.

      In fact, it appears the Microsoft Authenticator app will be available for Windows Phone only (since Google refuses to develop any app for WP). Users of iOS and Android can download any other existing Authenticator app from their respective app stores.

      • Dan_____E

        Thanks for the additional info. It’s very reassuring.
