[shared via Google Reader from gHacks Technology News | Latest Tech News, Software And Tutorials]
To protect user accounts from being hacked, phished, socially engineered or stolen by other means, companies and businesses from all over the world have started to deploy a technology that is commonly referred to as two-factor authentication. This adds a second layer of authentication to user accounts so that it is no longer enough to have just the user’s username and password to access an account. The second layer is usually a code that is generated in real time using a device or application that is in the user’s possession.
Most companies seem to favor apps that users can run on their smartphone, while some use local devices that generate codes on demand, or messages that are sent to the user’s mobile phone or email address when the user tries to log in to a service.
Microsoft announced the roll-out of an upgrade to Microsoft accounts just a couple of minutes ago that enables Microsoft users from all over the world to enable two-step authentication to improve their account’s security even further. The feature will be rolled out over the next couple of days. You can check the Security Info page after logging in to your Microsoft account to see if your account has already been enabled for the feature.
If you enable two-factor verification (it is just another phrase for the same thing), it will be enabled for all of the services that are linked to the account. Microsoft previously used two-step authentication for sensitive account related changes only, like editing credit card information or subscription information.
The Security info page offers a short description of the new security feature and links to learn more about it and set it up.
Two-step verification makes it harder for a hacker to sign in to your account with just a stolen password. Set it up to help keep your account more secure.
You need to have two pieces of security information on file, an email address and a mobile phone number for instance, to use the two-step verification process. Windows Phone users can download and install the Microsoft Authenticator app to generate the codes needed for the second verification step. Microsoft notes that most authenticator apps for other platforms are compatible with Microsoft’s two-step verification but fails to recommend any.
It appears that the security feature not only supports the generation of codes using applications, but also via text messaging and apparently even phone calls. The benefit of using an app is that it is free of charge and works locally on the device even when no Internet connection is available.
While many Microsoft programs and services support two-step authentication, some do not. For those services you need to generate so-called app passwords instead. This is similar to Google’s app password feature, where you can create single-step authentication passwords for devices that are not yet compatible with the authentication method.
The trusted devices list received new functionality in this regard as well. Microsoft can remember devices that you use regularly so that you do not have to enter the security code on every login. Permissions can be revoked at any time on the security settings page of your Microsoft Account (use the link above pointing to the Security Info page to get there).
What happens if you can no longer access the device or account that generates or receives the security codes? The only option in this case, according to Microsoft, is to go through a recovery process that enforces a 30-day wait period before access to the account can be regained. This is done to prevent hackers and malicious users from taking over the account using the feature. If you can’t remember the password and do not have access to your security information anymore, you cannot regain access to the account.
Adding two-step verification to Microsoft accounts is a step in the right direction, and it is highly recommended to enable it as soon as the feature becomes available. You do need to make sure that your security information (email address and phone number) is always up to date so that you never run into recovery issues if the need arises.