
Microsoft prepping 2-step authentication for Accounts, already have a Windows Phone app

Two-step authentication, the process whereby you use more than just a password to verify an account, is an increasingly important security tool desired not just by enterprises but by consumers. Google has had it with Gmail for a few years now, and Microsoft is on the cusp of releasing their version as well. is reporting that the service will be integrated into existing Microsoft Accounts (, Hotmail, etc.) though those with linked accounts may have to un-link and then re-link them to get it to work.

Interestingly, the app for this feature is already on the Store for all Windows Phone devices (7.x and 8), and it will serve as the conduit to generate these codes. For those who use Gmail, you may be used to having “verification codes” texted to you, which can be problematic if traveling or switching SIMs (Google does provide fallbacks though). With the Authenticator app, once linked to your account, you will be able to generate security codes for account access, which will then be verified by Microsoft before you can log in from a non-trusted PC.

The whole system seems quite easy to use (once it goes live), and it should bring Microsoft up to speed with those who demand more in security than a simple password.

You can download the Authenticator app for Windows Phone here, though without the corresponding service enabled by Microsoft on your Account, it’s of little use at the moment.



Daniel Rubino
Executive Editor

Daniel Rubino is the Executive Editor of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft here since 2007, back when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, Microsoft Surface, laptops, next-gen computing, and arguing with people on the internet.

  • Nice :)
  • Good, no more hacking from Toronto for me.
    On a different note, where the hell is Instagraph?
  • We received release notes today, that's all I say for now.
  • What can you say about this?
  • Mamma Mia!
  • "Some apps don't work with these security codes (the mail app on your phone for example)" I'd have to hope that they're working on getting that stuff supported, since it slightly defeats the purpose if you have to have a million app-specific passwords.
    Still, it's a good step, seeing as Microsoft already used two-factor authentication for some pages, but not others (albeit via a texted code).
  • In that case, you will be able to generate a tailored "app password" on the site for that service, much like using Gmail on Windows Phone now with 2-step enabled.
  • Yes, that's what I'm talking about. I'd rather the phone really supported two-factor, as opposed to the app passwords. Needing a bunch of app-passwords that bypass two-factor defeats the purpose of two-factor authentication in the first place.
  • +1! I've been angry with Google for years over this. You'd figure that their own OS would support two factor authentication, but no...
  • I see this becoming the only way to sign into certain services in the future.
  • At least this is better than their 2-step via email/SMS (don't think SMS is supported anymore though). It's starting to get annoying to have to do this every time I need to add MSP for XBL using the website.
  • I really hope everyone makes an app for each platform to do this. How much would it suck if a major player that goes to a two-step process for their services *cough* Google *cough* then refused to make an app for, say... Windows Phone...
    I can already see this being a headache with all the different little apps that will be part of the authentication process. I already have a Blizzard Authenticator for SC2... Who knows how many of these apps will exist in the future...
  • There are already three separate apps that support Google Authenticator, one of them being Microsoft's own app that is mentioned in this post.
  • We need this! It is a very big security improvement!
  • Now where is the Steam app? I want this feature and remote buy of course to be on WP!
  • Would like one for Xbox 360, find it really hard buying games on the webpage on my phone
  • Why would you need text for using Gmail 2-factor authentication? There are multiple third-party apps in the WP marketplace (one such is the Authenticator 3rd-party app) which already support Gmail code generation. Just select Android as your phone in Gmail settings, get the key and add it manually in the app.
    Also, most such apps support Facebook, Dropbox and other services which use a common standard for generating codes as well.
    In Facebook, just select Android and click the "Having problem?" link in the next screen, which will get you the key. In Dropbox, it's straightforward.
    Edit: Just noticed that Microsoft also supports the common standard. Yay! All good for a single app. You don't even need the new Microsoft app if you already use any 3rd-party app. Or you can migrate everything to this new app by Microsoft.
  • I don't think I'd feel comfortable using a 3rd-party app to manage sensitive information like this. I'd prefer to use SMS for Google over a 3rd-party app.
  • Understand your concern and respect your decision. Everyone is not me.
    I myself am a little paranoid, but the chance of this third-party app getting hold of my password is very slim, and I'm not giving my password to them, just the key. Both need to be available to them to access my account. Also, I don't give my email address or service name to the app. Just A, B, C as the identifiers. The chance of them matching the code to a single email address is almost impossible unless they have other ways of knowing my email address.
    But if you use the email address in the app, and they upload the email address and keys to some public database or something where hackers can cross-reference the codes after they get hold of your password somehow, I see your concern. But to be honest, it's very much a stretch.
  • Most def
  • He was great on Dexter!
  • Anyone else miffed by the standard default loading screen of the new app by Microsoft?
    Microsoft's guide for apps pointedly says to not use the default loading screen for all 3rd-party apps and sometimes even mocks them, but still they themselves use it.
  • Well, they aren't third party lol
  • I noticed that right away. It seems hastily put together. The "tap the plus icon" verbiage also seems odd.
  • MS already uses something similar to this within their SkyDrive in order to access your PC if you're away from home. I get a text with a code and that allows me to access my home PC files from work. Or have I missed the point? UK
  • You're not. I get the text outside of trusted PCs as well.
    But this makes you avoid the text (which costs many here in the US) and also follows an industry standard way of generating codes.
  • Finally. I've been waiting and this makes me happy. Now if Valve will join the proper auth party.
  • Thank you! It's about time. The 2-step authentication with Gmail is the one area where I admitted Gmail was better than Live mail. One of my wife's Live accounts just got hacked a week ago. Granted, her password was pretty weak. But it's a no-brainer that this service should be implemented and keep people from logging into my account from Nigeria without entering a code of some kind.
  • Why does the app need access to the camera?
  • Scanning QR codes.
  • I believe this is more commonly known as Two Factor authentication rather than Two Step...
  • Good thing for them Google is not Apple, or they would get so much sued....
  • Good. I have had my Xbox Live account hacked twice. We need this.
  • Nice!
  • As someone who just got hacked resulting in all my friends getting some stupid email with a link seemingly from me, I welcome this feature.
  • The App is not useless for now, it implements an open standard, you can already use it for 2-factor-authorization for Dropbox, Google and some other things like my favourite German Bitcoin-Exchange.
  • ha, it worked. Just choose Android, scan the QR Code. Done. Screw Google Authenticator! :))
  • Hope this feature is released soon! I love that I can use this app on my google account also (I never bothered with it before now). I suddenly feel more safe already. :D
  • I can't dload apps after implementing this. Anyone else experienced this?
  • me