How to make your Microsoft account more secure with two-step verification and keep hackers at bay

About a week ago Microsoft made your account more secure. If you use any Microsoft service or product you own a Microsoft Account. You use that account to sign into your Windows Phone to download apps and track the phone if you ever lose it. On Xbox it’s associated with your Gamertag and allows you to carry your profile from Xbox to Xbox and keep your Gamerscore and Achievements synced. On Windows 8 it allows your settings and wallpapers’ to sync across your laptop, desktop, and tablets.

If you’re in anyway shape or form using a Microsoft product you need to enable two-step verification to keep your account secure. Here’s how to set it up.

Why two-step verification?

The first thing you’re probably asking yourself is why do I need two-step verification? Short answer? You have one account that connects you to a variety of services and products, it’s too important to not do everything you can to protect that account.

Right now you have your email address and password keeping your digital world safe. Two-step verification works by adding another step in the mix to gain access to your account when you login. In addition to your password you’ll be using a code. That code is generated in a variety of ways, either through email, an SMS message, phone call, or authenticator application. It’s an extra layer of protection and totally worth it if you value what your Microsoft account has access to.

Let’s set up two-step verification for your Microsoft Account

Part 1

  1. Head on over to to get started. Under ‘Overview’ on the left side, click on ‘Security info’.
  2. Make sure you’ve added your cell phone number under ‘Phone number’. If you haven’t add it and follow the prompts.
  3. Under ‘Two-step verification’ click on ‘Set up’. Next we’ll be following the on screen prompts to set it up. Have your Windows Phone nearby to receive your verification code.
  4. Enter the code that was just sent to you.
  5. That’s it. You’ve turned on two-step verification.

Authenticator app

Now that you’ve turned on two-step verification your account is secure. Every time you try to log into a service that uses your Microsoft Account, like accessing your SkyDrive through the browser, you’ll need to enter a code in addition to your password. Usually you’ll have your smartphone with you and can opt to receive that code with your via text. But what if you’re on a plane or subway with no cell service? Download an authenticator app, like this one for Windows Phone to generate those codes.

QR: Authenticator App

Under ‘Security info’ you’ll see a section called ‘Authenticator app’, here’s where we’ll pair the authenticator app you just downloaded with your Microsoft account. The screenshot below shows you what you’ll see when pairing the app. In my personal experience I had to hold the phone a little further from the computer screen with this app compared to others. Once you’ve scanned you’ll be given a code that you’ll enter to pair. Those codes will show up on your screen for a short time, so don’t waste time in entering them. If you miss it, just wait for another code to generate on the screen.

Part 2

The really cool thing about the Authenticator app from Microsoft is that you can use it with other services that allow two-step verification. Some reviewers in the Store note that the app works with Dropbox, Facebook, and Google. Although for the last two you’ll need to directly enter a code to pair as opposed to using a QR code.

App passwords

Some services and products that require a Microsoft account have may not support two-step verification just yet. For example, your Xbox 360 and Windows Phone. So what do you do? Generate an app password for the devices.

When you launch your Xbox 360 and want to download your profile or don’t have the password saved to the device you’ll need to head make sure you have your laptop nearby. Again, login to and go to ‘Security info’ and scroll down to ‘App passwords’. Click ‘Create a new app password’. You’ll then be given a bunch of random letters that you enter into your Xbox in place of your regular Microsoft account password (even though the Xbox dashboard is asking for your ‘Microsoft account password’).

App Password Generation

App passwords will work when the device or service doesn’t support two-step verification. What about your Windows Phone? I reset my Lumia 620 to see what would happen with it after enabling two-step verification for my Microsoft account. Guess what? My normal Microsoft account password wouldn’t work. After creating an app password like detailed above I was able to put my Microsoft account onto the newly reset Lumia 620. My daily driver, the Lumia 920, hasn’t had account syncing problems the past few weeks, but I had a buddy enable two-step for his account. Sure enough, on his HTC 8X he had to update his Microsoft account password to one generated by the ‘app password’.


First off, you don’t be lazy, go up and read this. But if you’re short on time…

  • Enable two-step verification for your Microsoft account for increased security
  • Two-step verification works by requiring a code to be entered in addition to your password
  • Codes are generated by either text, call, email, or an authentication app
  • Some devices, like your Windows Phone or Xbox, don’t support it yet. You’ll need an app password in place of your regular password for your Microsoft account
  • Generate app passwords on

This is a lot to take in, but overall things should go smoothly. If you do run into any problems sound off below with questions and the Windows Phone community (you and other commenters) will do the best to help you out.

  • A heads up to devs: enabling two-step auth breaks Microsoft's WP Dev Center app. It doesn't let you login with an App password or the main password once two-step is enabled.
    This has been reported on the Dev Center forums, but as far as I know there's been no response from Microsoft about fixing it.
  • I was just about to point this out. I hope they update it soon. I was addicted to checking my downloads:)
  • I'm sold. I'm making a new one right now.
  • So what happens if you lose your phone and need to sign into something? Like a new phone?
  • I believe that you can choose to have the code sent to your alternate email address instead
  • My account got hacked yesterday, i could have done with yesterday as M$'s instructions were patchy.
  • I've had my hotmail(my main and only email) since October 31st 2004.. Not ONCE! Has my account been hacked.. I ask myself how in the world you came about getting your email hacked..
    TBH this just looks like a hassle.
  • I agree... Looks like a hassle. I consider myself a power user, but nit a bit head. This just has too many ' if this happens, then do this...' issues that I will completely forget in two weeks.....
  • I had my account years longer than you. Had no issues until yesterday when my work email address was the recipient of a mass email from my own Hotmail account. Of course now my microsoft account is attached to my phone and xbox, so rather worrying.
  • I still don't get how that's possible.. My mom had the same mass email problem and I could only trace it back to a key logger on her netbook.
  • 1990 called, they want their M$ back!!!
  • I'm thrilled with the 2 step verification. I've been using it since it was offered. I feel more secure.
  • I have enabled two step verification everwhere I can. My bank account, my account and now my Microsoft account. With the option for trusted machines it is not much of a hussle and it makes the account much more secure.
  • Hello hello
    Anyone could tell me why is it so important? It's rather pain in the butt IMO. I have my gmail acc for lots of years, and no problems have occured...
  • Because 'crap' happens. Gmail has this and other services are rolling it out so they can reduce or avoid embarassing disclosures of compromised accounts.
  • This is like claiming that police is not needed because you have not been a victim of a crime yet :)
  • Well I wouldn't say that as having passwords of "123456" is somewhat walking on the streets with a huge advert on you that you have left your home open or whatsoever.. 
  • This is for those times when things are beyond your control. For example: a company database is hacked and passwords are stolen (even if they are salted, hashed, etc., a thief still has the database). This keeps them from obtaining the password and wreaking havoc with your account(s). It gives you the ability to say "No, I didn't authorize that login. But they can't get in because they don't have the access code."
  • It seems like a hassle to log in then
  • I managed to get the Authenticator app activated but I can't get two way authentication as I have linked accounts =/
  • It doesn't work all the time. I have no idea why logging in a new browser with no cookies (incognito mode on) and just entering the password alone is enough to let me into my Outlook account. I got the text sure, but I never entered it. It just redirected me to my inbox page...without the code verification. Thanks for the awesome security Microsoft. Even Google does it better than you do. I did the same test in the same browser with gmail and they passed it with flying colors.
    Until they fix this problem I'm going to have to stick with Google's services for my secure financial and gaming activities even though I want to be able to move to Microsoft's equivalent services.
  • Strange, I couldn't bypass the code menu at all. What did bother me though was if I chose "use alternative" it explicitly displayed all my alternative contact info (which could then be consequently hacked)

  • You are right - that bothered me as well and should be changed. Without 2 step authentication enabled if you want to access that info on your Hotmail account they make you enter in your password again or they send a code to your "other" form of authentication (phone number or other email account.) So now with 2 step authentication enabled they just "show" all of that right after login? I get why as they are asking you what you want to use to verify but maybe just say "phone" or "email" not state the actual phone number or name the email account.
  • I like the 2 step, its a great idea,to use it.
  • Can someone please give a step-by-step guide how to activate this app and use it with Facebook? I've got it to work with Microsoft account and with Dropbox, but I can't seem to get it to work with Facebook ... :/  
    Update: I just found out how to do it myself! :D 
  • get in facebook security page. open two step verification. Then select  use codematic. click the link that said something like that "troubling with codematic?"  then it gives you a code. open your app add user name and add that code for code area. then write the generated code to facebook page. it is done
  • I removed the phone from my FB account and now it will not permit me to re-add it as two-step authentication. Had this problem when I originally set it up but can't for the lfie of me can't remember the fix. I do not own a smart phone but I could always receive SMS notifications.
  • Very cool, but it's got some annoying quirks. For example, logging into Skydrive I'll get a text with the verification code. The actual code is cut off in the notification, so I'll select it to view the actual text. When I go back to Skydrive I'm booted out of the sign up and have to start over, meaning a new code is sent. Eventually, I realized that I could rotate the phone and see the entire code revealed that way. But if the app doesn't support rotation and restarts the signup you're probably screwed.
  • this is why i turned 2step off. i couldn't get it to work on my phone for the same reason. you cant go get the code and come back, you end up in a never ending cycle.
    come on microsoft, at least make your technology work with your technology.
  • Same issue for me but trying to verify skydrive using the authenticator app. Every time you flipped back to skydrive it restarted the login. Ok, i managed to write down the code and the go back but unless these systems are slicker people will not bother with them
  • Same issue with PhotoSynth, except it doesn't support landscape orientation. I ended up using the Authenticator, waiting for a new code (so it would be valid for enough time), quickly memorizing it, going to PhotoSynth, logging in, when it got to the second half of the two-step, tapping "use another method" (ignoring the text message) and selecting the authenticator option, and entering the code I memorized earlier.
    Yeah, a bit of a pain. ;)
  • Hmm, the two "" links are pointing to: *removed* ^^
    edit: you re welcome, I removed the link ;)
  • Weird. Let me fix them. Thanks.
  • 2 step is a necessary PIA short term. I hate using RSA fobs but sometimes this stuff is necessary. Wallet users will want two step until facial recognition and/or  biometrics and 8 key pins and phone generated  QR scan codes combine to replace it.   Biometrically locked devices :)
  • Well, I wouldn't say facial recognition. It's been proven to be an insecure, ineffective security measure that's easily thwarted by a photograph.
  • It wants me to unlink my accounts to use this? Don't know if security is more important than linked Microsoft accounts :|
  • I agree with you...I would love to have 2 step authentication to make it more secure...but unlinking my Microsoft accounts is a deal breaker for me...
  • Same here. Really like to enable the new authentification but can't give up on linked accounts. I'll switch as soon as linking will be possible again.
  • doesn't work for facebook? anyone know how to use this for facebook?
  • From skytaker above: "get in facebook security page. open two step verification. Then select  use codematic. click the link that said something like that "troubling with codematic?"  then it gives you a code. open your app add user name and add that code for code area. then write the generated code to facebook page. it is done"
  • Well i couldnt find two step verification in the security page :S
  • İn Security click edit for login approvals then select code generator\codematic
  • Not working for me either. What should I enter as the secret key for the app?
  • Get facebook Security login apprrovals and then act like using android. Learn how to use code generator. Then click The little link that says "trouble with code generator?" (or something like that ı dont remember exact words) when you click it. It gives you a user code. Enter it in your apps secret key area.when app start giving codes. Enter it your Facebook. it is done
  • Ah didn't see the having trouble link. Thanks for the tip!
  • after i activated two-step activation, my MS account stopped syncing with my phone, giving a wrong password error. it was only after i deactivated the two-step verfication, it allowed me to sync again.
    so i'm not using this app anymore.
    maybe if they fix the sync issue some time, i'll get back.
  • Did you use an app password for your phone?
  • Tried to get an app password and I don't even see where the option is on that page
  • App passwords are under 'security info'. You might need to scroll down on the page if your display isn't high enough. It's there and it works. Confrimed with my account yesterday and another friends. 
  • it's there in the account settings on if i'm not wrong. did set it up. i showed that the authenticator app is registered with my account.
    i tried to then log in with the security key generated by the app, and also from my normal MS account password. neither worked.
    it all seemed like a big hustle bustle so i ultimately left it.
    will try it out again sometime later.
  • Same thing happened to me.. As soon as I activated the two-step process, I was getting an error message whenever I tried to download anything (apps, music, etc) saying that my Microsoft account password isn't working. as a matter of fact, I couldn't even download the authenticator app after switching to the two-step process.. Instant fail in my opinion.. I already figured that it may be a slight extra hassle but being that big of a hassle right out of the gate is inexcusable...
  • To get your phone or Xbox to work after enabling two-step verficiation you need to enter an 'app password' in place of your Microsoft account password. You can generate an app password under 'secuirty info'. 
  • hey Sam, is this app password a one time enter  only? or do we have enter it multiple times?