Most readers of Office Watch will have a Microsoft account but is it as secure as it should be? Two-step authentication is becoming essential for the key Microsoft account.
If you have Microsoft 365, OneDrive, Outlook.com, Windows 11/10/8.1/8, Windows Phone or (likely) Skype then you’ll have a Microsoft account. It’s the single login for all Microsoft online services and, for most, their Windows computers too.
Your life can become very difficult, troublesome and expensive if your Microsoft account is hacked. The hackers can access your online documents, possibly send malicious emails, change the password to lock you out of your own account and many other ‘unhelpful’ things.
Office-Watch.com, as usual, doesn’t just give you the official, overly simplistic, line. We’ll show you the pitfalls and hassles of two-step authentication but, believe us, it’s worth the trouble.
Make it hard for hackers
Make the hackers job a lot more difficult instead. Set up Two-Step Authentication. This article will explain what it is, how it works and how to setup for a Microsoft account.
There’s a similar process for other major services – most notably Google/Gmail (check the end of this article).
What is it?
Two-step authentication requires a second password or code from another source – Instead of just entering a name and password. The second code is usually sent via text message to your phone.
Even if someone gets/guesses your password, they can’t access your Microsoft account. Without the second code via your phone etc., the name/password combination is useless.
Two-factor Authentication goes by various names. 2Fac, 2FA. MFA or Multi-factor Authentication is the same thing just with more options for getting the extra login code.
Out of range
Ah, I hear you cry … what if I don’t have a phone, it’s lost or I’m out of mobile phone range? You should have a pre-authorized mobile phone for two-step authentication – a smartphone is best but a simple phone that can receive SMS/text message is enough.
Or you can use a prearranged portable device (Apple, Android or Windows) to generate a code if you’re out of phone range.
Trusted Devices
Two-step authentication doesn’t mean you’ll be pestered with SMS or authentication each time you login to your Microsoft account. You can nominate devices or programs as ‘trusted’ so you can login from them using just name/password.
The extra, second, step is only required from a new or unexpected device. Perhaps also if you login from a new location.
Setup
Setting up two-factor authentication isn’t easy. Well, according to Microsoft and Google it is easy but the setup can get really frustrating. To do it properly and without raising blood pressure needs some preparation.
To make the setup of two-factor verification easier and less frustrating we have some suggestions:
- Setting up two-step authentication is time consuming. It’s time well spent. Set aside an hour or so … though it may take a lot less depending on your exact needs.
- Internet access. Be on a stable Internet link. It doesn’t have to be particularly fast but it should be stable so you can browse the web easily.
- Have as many of your devices (desktop, laptop, phones, tablets) on hand and connected to the Internet. That’s so you can configure them and apps all at the same time.
- This isn’t essential but it’s a lot easier to do them all at once.
- Depending on the service you’re setting up, you may need to be in mobile phone range to accept an initial SMS/text or voice message.
Now you can go online to your Microsoft account, Security and Privacy | Security Settings:
- Make sure your phone numbers, alternate/recovery email addresses are correct in your Microsoft account. These are some contact methods that two-factor verification can use.
- Check that you have a recovery code and it’s saved properly. If you don’t, one will be created for you during the Microsoft two-step authentication setup. The recovery code is a 25 character code (it looks like an Office Product Key) that will let you unlock your Microsoft account if all else fails.
Now (finally!) you can setup two-factor verification. On the Security Settings page, click the two-factor verification link
If you haven’t already, a web page will show make and show your Recovery Key.
As already mentioned, copy and save this Recovery Key somewhere safe. It’s your ‘last resort’ way to access your Microsoft account if all other entry methods fail.
Authentication Apps
Authenticator apps (Microsoft calls them Identity Verification apps in some places) let you get an authentication code when you can’t receive SMS or voice messages. Or you’re charged for incoming voice/texts. Quite often, the authenticator app is the easiest way to use two-factor verification.
There are apps for Apple and Android that you can download from the iTunes Store and Google Play respectively. The Microsoft two-step authentication setup will give you links to each app or on the Security Settings page look for the ‘Set up identity verification app’ link.
Once you’ve installed the Apple/Android app, you need to authenticate it with your Microsoft account. Each app will take you through that process.
Important: if you get a new phone or device, remember to install and verify the authenticator app.
The Security Settings page has an option to disable the existing authentication apps. Unfortunately, you can’t disable a single app/device, you have to disable them all.
How they work
Once you have an authenticator app installed and verified, here’s how it works.
You try to login to a service, for example the Onedrive sync program in Windows. If you’re prompted for a two-step authentication, you’ll see something like this:
As you can see, there’s a check box to stop further two-step approvals from that device. In other words, tick the box to give ongoing verification to requests from that device.
Look on your device and the authentication apps. If the app is running and online it should receive the authentication request and all you need to do is tap a button to approve it.
If the authentication doesn’t happen in time you’ll see a message like this:
Your choices are:
Send another request – maybe you had to find your phone, turn on the device or turn on the authentication app and simply ran out of time?
Enter a security code — the authenticator app can display a security code which you can type in to complete the identity verification. This works even if the device is totally offline.
Offline
Authenticator apps work best when they are connected to the Internet. However, the apps will work even if totally disconnected from the Internet.
Click on the appropriate ‘Use a security code’ link on the app and you’ll be shown a code to type into page asking for authentication.
This works, in part, because of all the devices are properly time synchronized. Modern computers and devices keep accurate time because of occasional checks with a special server. Don’t be tempted to turn this synchronization off because it could eventually stop an authenticator app.
Other authentication options
If you can use an app, you’ll be given options including ‘get a code a different way’.
Click on that link to see the message options available to you. They are the phone numbers and email addresses setup in your security settings.
If you don’t have any of those available your choices are limited.
App Passwords
App Passwords are for programs or apps which need access to part of your Microsoft account like email (if you have Outlook.com or mail hosting) or OneDrive. These programs aren’t able to verify themselves on their own (for example older Outlook for Windows/Mac such as Outlook 2016/2013) and you need to separately let Microsoft know they are OK.
Each app password is a one-time code to authorize a particular app/program. You need a separate app password for each program/app. You can revoke approval for a particular app, if necessary.
On the Security Settings page choose ‘Create a new app password’
And finally ….
Things to do to close out the two-step authentication setup and reduce frustration later when an app won’t work at the Moment of Maximum Inconvenience™.
Sign into Microsoft.com (or some other MS site like OneDrive.com or Office.com) from all your computers / devices so you can get two-factor security codes and setup trusted devices.
Start any apps which access your Outlook.com mail or OneDrive files to see if they work or perhaps need an app password. In our testing, the OneDrive app on a Windows computer needed a two-factor verification.
Two-factor authentication can be frustrating at first. Unless you’re more organized than 99% of the population, you’ll find other programs/devices that need ‘trusting’ or a special app password. Keep your phone handy for a few days as requests for verification pop up.
But once all those issues are sorted, two-step verification will become an occasional matter rather than a hassle. It is definitely a good measure for anyone concerned about hacking or intrusion into their digital life.
Google / Gmail
Google accounts have a similar option called 2-step verification. It has the same basic features as Microsoft.
After the preparation we suggested above. Start from My Account | Sign-in & Security | Signing in to Google | 2-step verification.
The setup first requires a text or voice message to your phone number. You need to be in phone range for the setup.
Google Authenticator apps are available for Android (naturally), Apple and Blackberry devices but not Windows devices.
Once setup you’ll be able to create app passwords where necessary. Most commonly this will be for mail programs (like Outlook for Windows/Mac) to access Gmail.
