Two-step Verification

How to make your Microsoft account more secure with two-step verification and keep hackers at bay

About a week ago Microsoft added two-step verification to Microsoft accounts. If you use any Microsoft service or product you own a Microsoft account. You use that account to sign into your Windows Phone to download apps and to track the phone if you ever lose it. On Xbox it's associated with your Gamertag and lets you carry your profile from Xbox to Xbox while keeping your Gamerscore and Achievements synced. On Windows 8 it syncs your settings and wallpapers across your laptop, desktop, and tablets.

If you're using a Microsoft product in any way, shape, or form, you should enable two-step verification to keep your account secure. Here's how to set it up.

Why two-step verification?

The first thing you're probably asking yourself is why you need two-step verification. Short answer? You have one account that connects you to a whole range of services and products, and it's too important not to do everything you can to protect it.

Right now your email address and password are all that stand between an attacker and your digital world. Two-step verification adds a second step to the login: in addition to your password you enter a code. The code is delivered by email, SMS, or phone call, or generated on your phone by an authenticator app. The point is that the code proves you hold something (your phone or your mailbox) rather than just know something, so a password that leaks through a phishing email or a breached database is no longer enough on its own. It's an extra layer of protection and well worth it if you value what your Microsoft account has access to.
 

Let’s set up two-step verification for your Microsoft Account

Part 1

  1. Head on over to account.live.com to get started. Under 'Overview' on the left side, click on 'Security info'.
  2. Make sure you've added your cell phone number under 'Phone number'. If you haven't, add it and follow the prompts.
  3. Under 'Two-step verification' click on 'Set up'. Next we'll follow the on-screen prompts to set it up. Have your Windows Phone nearby to receive your verification code.
  4. Enter the code that was just sent to you.
  5. That's it. You've turned on two-step verification.


Authenticator app

Now that you've turned on two-step verification your account is a lot harder to break into. Every time you log into a service that uses your Microsoft account, like accessing your SkyDrive through the browser, you'll need to enter a code in addition to your password. Usually you'll have your smartphone with you and can opt to receive that code via text. But what if you're on a plane or subway with no cell service? Download an authenticator app, like Microsoft's Authenticator for Windows Phone, which generates those codes on the phone itself with no network connection required.

QR: Authenticator App

Under 'Security info' you'll see a section called 'Authenticator app'. This is where you pair the app you just downloaded with your Microsoft account. The screenshot below shows what you'll see when pairing. In my experience I had to hold the phone a little further from the computer screen with this app than with others. Once you've scanned the QR code, the app starts showing a code that you enter on the website to complete pairing. Each code is only valid for a short time before the app replaces it with a new one, so enter it promptly; if it expires before you finish, just wait for the next one and use that.

Part 2

The really cool thing about the Authenticator app from Microsoft is that you can use it with other services that offer two-step verification. Some reviewers in the Store note that the app works with Dropbox, Facebook, and Google, although for the last two you'll need to type the pairing key into the app by hand rather than scan a QR code.
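To make the pairing and the short-lived codes concrete, here is an added example of what an authenticator app does with the pairing key; it is not code from the article or from Microsoft. It assumes the app implements the standard TOTP algorithm (RFC 6238: HMAC-SHA1, six digits, 30-second steps), which is what the Dropbox, Facebook and Google compatibility mentioned above suggests. The pairing key is the base32 string the QR code encodes (or the one you type in by hand), and the server-side check shows why a code typed just as it rolls over is still accepted. The demo key at the bottom is constructed for this example, not a real account's secret.

```python
# Added example (not Microsoft's code): TOTP as an authenticator app computes it.
# Assumption: RFC 6238 with HMAC-SHA1, 6 digits and a 30-second step.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def decode_pairing_key(key_text: str) -> bytes:
    """The QR code or the manually typed key carries a base32 secret.
    Services show it in spaced groups and sometimes lower-case; normalise
    and re-add the '=' padding base32 needs before decoding."""
    cleaned = key_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(secret: bytes, unix_time: int) -> str:
    """One code per 30-second window: HMAC the window counter, then apply
    the RFC 4226 dynamic truncation to get a 6-digit string."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def seconds_until_next_code(unix_time: int) -> int:
    """How long the code shown right now stays valid on the app's screen."""
    return STEP_SECONDS - (unix_time % STEP_SECONDS)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                drift_steps: int = 1) -> bool:
    """Server side: accept the current window and one neighbour on each
    side, so a code that expired while you were typing it still works.
    The comparison is constant-time so timing does not leak matching digits."""
    for step in range(-drift_steps, drift_steps + 1):
        candidate = totp_code(secret, unix_time + step * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed pairing key for the demo only (not a real account's secret).
DEMO_KEY = "JBSW Y3DP EHPK 3PXP"

if __name__ == "__main__":
    secret = decode_pairing_key(DEMO_KEY)
    now = int(time.time())
    print("code:", totp_code(secret, now),
          "valid for another", seconds_until_next_code(now), "seconds")
```

Note that the app needs nothing but the secret and the correct time, which is why it works on a plane; it also means a phone with a badly wrong clock produces codes the server rejects, and that anyone who copies the pairing key out of the QR code can generate your codes too, so never save that QR image anywhere.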


App passwords

Some services and products that require a Microsoft account may not support two-step verification just yet, your Xbox 360 and Windows Phone for example. So what do you do? Generate an app password for those devices.

When you launch your Xbox 360 and want to download your profile, or don't have the password saved on the device, make sure you have your laptop nearby. Log in to account.live.com again, go to 'Security info' and scroll down to 'App passwords'. Click 'Create a new app password'. You'll be given a string of random letters that you enter on your Xbox in place of your regular Microsoft account password (even though the Xbox dashboard asks for your 'Microsoft account password'). Keep in mind what an app password is: a credential that gets that one device past the second step entirely. Treat it like the password itself, keep it private, and generate a separate one for each device rather than reusing one across several.

App Password Generation

App passwords work wherever the device or service doesn't support two-step verification. What about your Windows Phone? I reset my Lumia 620 to see what would happen after enabling two-step verification on my Microsoft account. Guess what? My normal Microsoft account password wouldn't work. After creating an app password as described above I was able to add my Microsoft account to the freshly reset Lumia 620. My daily driver, the Lumia 920, hasn't had account syncing problems the past few weeks, but I had a buddy enable two-step for his account. Sure enough, on his HTC 8X he had to replace his Microsoft account password with a generated app password.
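An app password looks weak (a short string of lowercase letters) but is a different kind of credential from the one you chose yourself: it is generated, never memorised, and tied to one device. The example below, added here and not Microsoft's implementation, models how a service can issue and check such passwords so that each device gets its own, the server stores only a salted hash, and one device can be cut off without touching the others. The class and function names are invented for the demo, and the 16-letter format is an assumption based on the description above.

```python
# Added example (not Microsoft's code): a minimal app-password store.
# Assumptions: 16 random lowercase letters per password, one per device label.
import hashlib
import hmac
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 16
PBKDF2_ROUNDS = 50_000  # slow hash so a leaked table is still costly to crack


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing strength of a uniformly random password of this shape.
    16 lowercase letters is about 75 bits: fine for a credential no human
    has to remember, and far better than a typical chosen password."""
    return length * math.log2(alphabet_size)


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AppPasswordStore:
    """One record per device; the plaintext is shown to the user once and
    never persisted, only a salted hash of it."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes, bool]] = {}  # label -> (salt, digest, revoked)

    def issue(self, label: str) -> str:
        # secrets is a CSPRNG; random.choice would be predictable here.
        password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = secrets.token_bytes(16)
        self._records[label] = (salt, _digest(salt, password), False)
        return password  # the "bunch of random letters" the user types in once

    def check(self, submitted: str):
        """Return the label of the device this password was issued to, or
        None. An app password skips the second step by design, so this is
        the whole authentication decision for that device."""
        for label, (salt, digest, revoked) in self._records.items():
            if revoked:
                continue
            if hmac.compare_digest(_digest(salt, submitted), digest):
                return label
        return None

    def revoke(self, label: str) -> None:
        """Cut off one device (sold Xbox, lost phone) without invalidating
        the app passwords of the others."""
        salt, digest, _ = self._records[label]
        self._records[label] = (salt, digest, True)

    def active_labels(self) -> list:
        return [label for label, (_, _, revoked) in self._records.items() if not revoked]


if __name__ == "__main__":
    store = AppPasswordStore()
    xbox_pw = store.issue("xbox-360")
    phone_pw = store.issue("lumia-620")
    print("Xbox app password:", xbox_pw)
    print("accepted as:", store.check(xbox_pw))
    store.revoke("xbox-360")
    print("after revoking the Xbox:", store.check(xbox_pw), store.active_labels())
```

The design choice worth noting is the per-device label: because an app password bypasses the code entirely, being able to revoke exactly one of them is what lets you react to a single lost device without re-pairing everything else.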


TL;DR

First off, don't be lazy; scroll up and read the whole thing. But if you're short on time...

  • Enable two-step verification for your Microsoft account for increased security
  • Two-step verification works by requiring a code to be entered in addition to your password
  • Codes are delivered by text, call, or email, or generated by an authenticator app
  • Some devices, like your Windows Phone or Xbox, don't support it yet. On those you'll need an app password in place of your regular Microsoft account password
  • Generate app passwords on account.live.com

This is a lot to take in, but overall things should go smoothly. If you do run into any problems, sound off below with questions and the Windows Phone community (you and the other commenters) will do their best to help you out.


Reader comments


100 Comments

A heads up to devs: enabling two-step auth breaks Microsoft's WP Dev Center app. It doesn't let you login with an App password or the main password once two-step is enabled.
This has been reported on the Dev Center forums, but as far as I know there's been no response from Microsoft about fixing it.

I was just about to point this out. I hope they update it soon. I was addicted to checking my downloads:)

I've had my Hotmail (my main and only email) since October 31st, 2004. Not ONCE has my account been hacked. I ask myself how in the world you came about getting your email hacked.
TBH this just looks like a hassle.

I agree... Looks like a hassle. I consider myself a power user, but not a bit-head. This just has too many 'if this happens, then do this...' issues that I will completely forget in two weeks.....

I had my account years longer than you. Had no issues until yesterday when my work email address was the recipient of a mass email from my own Hotmail account. Of course now my microsoft account is attached to my phone and xbox, so rather worrying.

I still don't get how that's possible.. My mom had the same mass email problem and I could only trace it back to a key logger on her netbook.

I have enabled two-step verification everywhere I can: my bank account, my battle.net account and now my Microsoft account. With the option for trusted machines it is not much of a hassle and it makes the account much more secure.

Hello hello
Could anyone tell me why it is so important? It's rather a pain in the butt IMO. I have had my Gmail account for lots of years, and no problems have occurred...
 

Because 'crap' happens. Gmail has this and other services are rolling it out so they can reduce or avoid embarrassing disclosures of compromised accounts.

Well, I wouldn't say that, as having a password like "123456" is somewhat like walking on the streets with a huge advert on you that you have left your home open or whatsoever..

This is for those times when things are beyond your control. For example: a company database is hacked and passwords are stolen (even if they are salted, hashed, etc., a thief still has the database). This keeps them from obtaining the password and wreaking havoc with your account(s). It gives you the ability to say "No, I didn't authorize that login. But they can't get in because they don't have the access code."

I managed to get the Authenticator app activated but I can't get two way authentication as I have linked accounts =/

It doesn't work all the time. I have no idea why logging in a new browser with no cookies (incognito mode on) and just entering the password alone is enough to let me into my Outlook account. I got the text sure, but I never entered it. It just redirected me to my inbox page...without the code verification. Thanks for the awesome security Microsoft. Even Google does it better than you do. I did the same test in the same browser with gmail and they passed it with flying colors.
Until they fix this problem I'm going to have to stick with Google's services for my secure financial and gaming activities even though I want to be able to move to Microsoft's equivalent services.

You are right - that bothered me as well and should be changed. Without 2 step authentication enabled if you want to access that info on your Hotmail account they make you enter in your password again or they send a code to your "other" form of authentication (phone number or other email account.) So now with 2 step authentication enabled they just "show" all of that right after login? I get why as they are asking you what you want to use to verify but maybe just say "phone" or "email" not state the actual phone number or name the email account.

Can someone please give a step-by-step guide how to activate this app and use it with Facebook? I've got it to work with Microsoft account and with Dropbox, but I can't seem to get it to work with Facebook ... :/  
 
Update: I just found out how to do it myself! :D 

Get into the Facebook security page and open two-step verification. Then select 'use codematic'. Click the link that says something like "trouble with codematic?"; then it gives you a code. Open your app, add your user name and add that code in the code area. Then enter the generated code on the Facebook page. It is done.

I removed the phone from my FB account and now it will not permit me to re-add it as two-step authentication. Had this problem when I originally set it up but can't for the life of me remember the fix. I do not own a smart phone but I could always receive SMS notifications.

Very cool, but it's got some annoying quirks.

For example, logging into Skydrive I'll get a text with the verification code. The actual code is cut off in the notification, so I'll select it to view the actual text. When I go back to Skydrive I'm booted out of the sign up and have to start over, meaning a new code is sent.

Eventually, I realized that I could rotate the phone and see the entire code revealed that way. But if the app doesn't support rotation and restarts the signup you're probably screwed.

This is why I turned 2-step off. I couldn't get it to work on my phone for the same reason. You can't go get the code and come back; you end up in a never-ending cycle.
Come on Microsoft, at least make your technology work with your technology.

Same issue for me but trying to verify SkyDrive using the authenticator app. Every time you flipped back to SkyDrive it restarted the login. OK, I managed to write down the code and then go back, but unless these systems are slicker people will not bother with them.

Same issue with PhotoSynth, except it doesn't support landscape orientation. I ended up using the Authenticator, waiting for a new code (so it would be valid for enough time), quickly memorizing it, going to PhotoSynth, logging in, when it got to the second half of the two-step, tapping "use another method" (ignoring the text message) and selecting the authenticator option, and entering the code I memorized earlier.
Yeah, a bit of a pain. ;)

Hmm, the two "account.live.com" links are pointing to: *removed* ^^
edit: you re welcome, I removed the link ;)

2 step is a necessary PIA short term. I hate using RSA fobs but sometimes this stuff is necessary. Wallet users will want two step until facial recognition and/or  biometrics and 8 key pins and phone generated  QR scan codes combine to replace it.   Biometrically locked devices :)

Well, I wouldn't say facial recognition. It's been proven to be an insecure, ineffective security measure that's easily thwarted by a photograph.

It wants me to unlink my accounts to use this? Don't know if security is more important than linked Microsoft accounts :|

I agree with you...I would love to have 2 step authentication to make it more secure...but unlinking my Microsoft accounts is a deal breaker for me...

Same here. I'd really like to enable the new authentication but can't give up on linked accounts. I'll switch as soon as linking is possible again.

From skytaker above:

"get in facebook security page. open two step verification. Then select  use codematic. click the link that said something like that "troubling with codematic?"  then it gives you a code. open your app add user name and add that code for code area. then write the generated code to facebook page. it is done"

Get Facebook Security login approvals and then act like you're using Android. Learn how to use the code generator. Then click the little link that says "trouble with code generator?" (or something like that, I don't remember the exact words). When you click it, it gives you a user code. Enter it in your app's secret key area. When the app starts giving codes, enter one on Facebook. It is done.

After I activated two-step verification, my MS account stopped syncing with my phone, giving a wrong password error. It was only after I deactivated the two-step verification that it allowed me to sync again.
So I'm not using this app anymore.
Maybe if they fix the sync issue some time, I'll get back.

App passwords are under 'security info'. You might need to scroll down on the page if your display isn't high enough. It's there and it works. Confirmed with my account yesterday and another friend's.

It's there in the account settings on live.com if I'm not wrong. I did set it up. It showed that the authenticator app is registered with my account.
I tried to then log in with the security key generated by the app, and also with my normal MS account password. Neither worked.
It all seemed like a big hustle bustle so I ultimately left it.
Will try it out again sometime later.

Same thing happened to me.. As soon as I activated the two-step process, I was getting an error message whenever I tried to download anything (apps, music, etc) saying that my Microsoft account password isn't working. as a matter of fact, I couldn't even download the authenticator app after switching to the two-step process.. Instant fail in my opinion.. I already figured that it may be a slight extra hassle but being that big of a hassle right out of the gate is inexcusable...

To get your phone or Xbox to work after enabling two-step verification you need to enter an 'app password' in place of your Microsoft account password. You can generate an app password under 'security info'.

Actually you don't need an app password for all of that. Xbox you do, but the other stuff will work if you follow my instructions from my other comment below.

Ugh, I have to wait a month for my secondary email to be replaced with my cell # as the two step security option

My onenote app stops working and I cannot enter in a password app or put in any passcodes anywhere... My onenote stops syncing with this..

You can add devices that you use frequently to a list so it won't ask you for a code from those devices. Just go to http://account.live.com from that machine (or phone) and log in. Check the box to not ask for a code in the future and you're good to go. This works on WP as well for stuff like Skydrive and Onenote, etc. It does not work for Xbox on the phone though. Need an app password for that.

See MS article here:

http://windows.microsoft.com/en-US/windows-8/what-is-trusted-pc?woldogcb=0

This does work on Windows 7 and for most stuff, WP as well.

Yeah, I'm going to pass. Then again, I'll ride a bike without a helmet and I've been known to eat fried foods too. Sometimes I just calculate the risk and decide that the hassle/annoyance of the "protection" isn't worth it. This would be one of those times for me.

This could use some ease. Consider back in the older days, when an anti-virus was just an anti-virus and you had to configure a firewall separately, or when FTP was a little more hands-on. How many are old enough to remember when BBS and IRC were "text messaging" and "social networking"? Yeah, they eventually made "anti-virus" turn into anti-everything, FTP downloading and uploading is all but fully automated, and only folks around my age who were using it have an inkling of BBS, IRC and, ah, almost forgot, GOPHER ;)
Being a slightly paranoid man and a patient one (Slackware user), it's not a huge hassle in my eyes; my life just does not move that fast that I can't afford this. Most people are not going to want to fuss with this on a daily, constant basis though, as after all, convenience and speed are supposed to be what make or break anything, right? MS needs to evolve the actual execution of all this a bit, which I'm sure they will eventually.
Edit:
Some of the problems people are writing about I'm not seeing. I went to the set up section on the live site and followed their steps, allowed the site to download the authenticator app to my phone, scanned the QR, and I'm done. I did not personally reset my Lumia and didn't have to change the log in for the built-in email client, as I think I've added my phone as a trusted device. I fired up my Linux tower and tried to log in to Outlook and it asked for the code, which was sent via text and displayed in the notification bar just fine (L900 here by the by). With the ability to add trusted devices, I'm not having any hassle here whatsoever. Then again, I rarely use my desktop for MS account stuff as everything I do is through my phone since it is more or less my main computer now anyway. My Xbox however seems to be unhappy now so I entered a created app password and it's a one-time deal, so that was quick and no biggie.
Honestly folks, the set up process for this requires a hands-on approach rather than just reading this article. The step by step walkthrough on the live accounts site is in plain English and won't leave you hanging on quick setup for any of your stuff.

Hey Sam Can you explain why I need an App password? Will it need to remember it in the future? Rather confused by it to be honest.

Devices like your Xbox don't support two-step verification yet. So for whatever reason Microsoft says you need to use an app password in place of the regular one. I'm not sure the reasoning behind, just that's the solution and course of action. 

THANK YOU! THANK YOU! Not a day too soon! The single reason I kept using my Gmail. Now I can go all Outlook. Fantastic.

I can't seem to sync with SkyDrive now! I have added my phone to the trusted devices. Everything seems to work except SkyDrive. I get sync error code 800704dc. Please help!

If you're sure your phone is added to the list of trusted devices, pardon as I know this sounds ridiculous but reboot the phone. If that does not work, uninstall the SkyDrive app and reinstall it. It will ask for your new password. My SkyDrive app worked fine from the start, probably because my phone is trusted. Barring that, if all else fails, do the uninstall/reinstall of the app, get an app password, and voila. Assuming you keep the same phone for a while you won't have to do it a second time.

App passcode and Authenticator app work perfectly; I used an app passcode to reset my SkyDrive and Xbox app on my 920, and the Authenticator app to reset my Outlook email and SkyDrive on my Nexus 10.

Seems like the phone sync is the biggest issue. I turned it on only to find the SmartGlass app wouldn't work and there is no way to enter a separate password for that. Not really enthused about having to reset my phone just to get this to work. But if the reset and prompt to enter the "app password" instead of my normal password on my phone works...maybe its not that bad

Check my earlier post about adding your phone as a trusted device. Once you do that, you should find less problems.

I saw this April 17th and set it all up and then tore it all down. Why? Too many app generated passwords. I needed 6 different app generated passwords to run everything in my environment and there is "currently" not enough control in that area. Right now you can't "revoke" one app generated password you have to revoke them all to disallow one. Just about everything (including Outlook and my Lumia 920) needs an app generated password. Codes are one time use and done - app passwords are different. I don't want 6 different passwords for every Hotmail account of which I have 4. That is extremely hard to manage. In addition where are those generated passwords stored and who generates them?

I also didn't like the Authenticator which generated codes every 30 seconds without end. As I said I have 4 different Hotmail accounts and I really don't want some app on my smartphone generating codes for each of them every 30 seconds whether I need them or not - isn't that hard on battery life? Also I really don't want an app having the ability to "unlock" my Hotmail account every 30 seconds all day and night every day and night... isn't that a security problem in and of itself with its own concerns?

In the end 2 step authentication with the Authenticator app will work well for users with one Hotmail account who are putting said one Hotmail account through one smartphone and one computer... If you have many Hotmail accounts going through many computers via Office and multiple smartphones... Well in its current state it doesn't work well for that type of user.

One other thing... I also thought I wouldn't need an app password since my Lumia 920 was a trusted device and was syncing. I did - just wait - it takes awhile before everything stops syncing. For some accounts it took 8 hours before it kicked out the login screen and I had to generate an app password.

I just wanted to set it up but it asks me to unlink my other MS accounts! I'm afraid if I do that then I'll be unable to link my accounts again :-|

This would be a nice idea but it breaks WP store. You can't rate Apps nor anything. It's a nightmare. I gave up on this until they fix the damn thing.

You have to generate an app password for the Hotmail account on your phone (the Hotmail account that uses the Windows Store) and then you can rate apps etc.

Numerous problems with this. Like for example I can't even use the store anymore because it keeps asking me to retry my password. Thought I was hacked for a second so I changed it but it didn't fix, reset my phone and the same thing happens.
Turning this off, I just wanted to download to authentication app. I'm just hoping it didn't lock up my account for good.

I couldn't get the authenticator app because enabling 2-step authentication broke my phone's access to the WP store. Brilliant.

WP8 Handset lost connection to hotmail, kept saying incorrect password. Went on PC and turned off 2 stage security. WP 8 synced straight away. Is there a solution for this? Am I missing something here?

Yes you are right. Just like third party apps you will need to "create" a password on the Microsoft website, or use your authenticator app. It is a good strengthening of your security.

Yes, log into your Hotmail account via browser and go into options, security settings and generate an app password. When your phone asks you for the password use the app generated one you got from Hotmail and the Windows Store and your email will work again.

So let me get this straight: if I activate the two-step verification on my account, then my Facebook on my Windows Phone won't work? So then I have to do something on facebook.com?

You only need to reverify applications which require access to your Live account; otherwise nothing changes. All the services provided by Microsoft such as email/SkyDrive/MSN etc. require second verification. It's a hassle as SkyDrive is an integral part of WP. It is used to store photos/eBooks/Notes/Game ROMs as well as to back up application data. I need to reverify IM+ Pro (as it connects to MSN), Freda+ (as it reads eBooks from SkyDrive), Purple Cherry Gameboy Emulator (as it imports Game ROMs from SkyDrive) etc.
Luckily Microsoft already released 'Authenticator' for this purpose.

So if I go on my Windows 8 PC do I need to make an app password for Messaging / Mail / People / Calendar also, or is the two-step verification only for outlook.com and Windows Phone? And what if I change phone (cause now I'm using a Windows Phone 7.8 and getting a Lumia 920 in September)? And for Skype Desktop and the Skype app on Windows 8?
Cause I have the Authenticator app, but don't know if I will be able to use my Windows 8 PC then :S

Great news, saw this only here! I have lot of important things like emails and pictures with Microsoft, great to use this. Done immediately!! Thanks for the news ! Microsoft should advertise this more!

Thanks Microsoft. I immediately activated this feature on my account. Although it only asks for extra verification during the initial login, it's still quite a hassle for me as I have many phones/laptops plus many applications which are connected to the account.
I lost my Hotmail account in 2010 due to phishing. I received an email supposedly from Microsoft which required me to change my password for expiry reasons. Unfortunately I was hospitalized due to high fever and I didn't even give it a second thought and replied to the email. The hacker immediately took over my account and replaced my security question/answer. My Yahoo account was also lost since it was connected to my Hotmail. I contacted both Yahoo & Microsoft and never could regain them. I lost lots of personal data/memberships/purchases etc. I learned it the hard way.

It's not working for me. Disabled it because my phone can't even update apps when it's enabled.

I actually hate Outlook now. Last month I wanted to change my password. I try to change all my passwords every 3 months or so. Unfortunately I hadn't changed my main one for a while. So I go to change it. Then I get locked out of my account for a month since there is a waiting period. Why it has to be a month is beyond me. There was no warning that it would be a month. I wouldn't have bothered making it my main account if I had known they were going to make such a stupid decision like that, people waiting a month to access their account to finally change their password.

I sure am complaining, I know, but when there is no warning that you will not be able to get into your account for a month, with ALL your business contacts in your contact list, it sort of makes some people's lives a living hell. I could care less about 2-step verification. For years I have changed my password regularly and when I enter my password I never type it in. I always copy-paste it. I also don't use stupid passwords like birthdays or things like putting muffinman26 or something. I put something like this in: k5&4%f8cbgz#5. The only place I type that is in Notepad. I have never been hacked ever.

So my point is, great, Microsoft is trying to protect us from hackers. Unfortunately I am not going to bother with Hotmail anymore since waiting a month and losing money in the process of changing my password has been a huge pain in the butt. I'm really just complaining so that when someone else tries to change their passcode, they make sure they take what information they need from their account first. Just because if you use it to generate money, or use it for business, you might be damning the new overlords of Outlook for a month.