Microsoft Rolling Out Two-Step Security Option

Eric Doerr, Group Program Manager of Microsoft Account, confirmed on Wednesday the addition of an optional two-step verification process that will be made available in a major upgrade to the Account service rolling out in the next few days.

There has been a growing need for a two-step system since the launch of Windows 8, Windows RT and Windows Phone 8, all of which rely on a single user account. This new system will provide an additional layer of security, requiring users to enter a unique code sent to a phone or email in addition to the typical user name/password combo.

Why do we need this? Here's a good personal example. In 2011, my Google account was hacked by a company in the mid-west because I was merely using a user name and password to gain entry. This company used my account to make overseas calls via Google Talk. Given that the account stored my credit card information via Google Wallet, the fees were leeched straight from my bank account. Now I use a two-step process to access my account (although it's a pain), and Google reversed all the charges.

Thus, in an era where seemingly nothing is secure, a two-step verification process is a necessity. Microsoft realized this more than a year ago, requiring a two-step process for activities like editing credit cards and subscriptions at and, and accessing files stored on from another computer. These will always require a two-step process.

But Windows Account is designed to store personal settings, contacts and other information in the cloud, accessible to any platform or service that relies on this central point of data. Thus, imagine a hacker gaining access to a Windows Account and locking the owner out of their desktop, laptop and/or mobile device. Worse, they could gain access to files stored on SkyDrive. This is why a two-step process is vitally important.

"We’ll verify that you have at least two pieces of security information on file (it’s always good to have a second in case you lose the first)," Doerr said. "If you have a smartphone, we’ll help you set up an authenticator app, which allows you to receive two-step verification codes even while offline (very useful on vacation and to avoid messaging fees). The next time you sign on, you’ll be prompted for a code."

According to Doerr, this new verification system works for Windows 8, any Web browser, and even Microsoft apps and services on iOS and Android devices. For those apps and devices that don't directly support two-step authentication (like the Xbox 360), users will need to set up a password that's unique to each application or device. Google offers something similar, requiring users to create a security key that provides a long string of numbers and letters that must be used in place of the account password.

"For Windows Phone, we’ve released a Microsoft Authenticator app," he said. "The app supports a standard protocol for two-step verification codes and can be used with your Microsoft account and other systems that support two-step verification codes, like Google and Dropbox. The advantage of authenticator applications is that they use advanced cryptography to generate codes to access your account without the need to be online."

There are also excellent authenticator apps that already exist for non-Windows Phone platforms that are compatible with Microsoft Account's two-step verification, he said.

For more information about the new two-step process, and how to activate it on your account, head here. Authentic Fists of Steel are not included.


  • STravis
    Does this cover Skydrive? And are the items in the cloud going to be fully encrypted? Currently skydrive data isn't encrypted at rest (only during transmission) so if their servers get hacked, so does your data.
  • ankit0x1
  • Timmy225
    Next up MS will offer no used games, always on internet and camera (spyware) required to play anything and pay to play Xbox live with no Blue Ray drive on their upcoming Crapbox 720.
  • velocityg4
    Alternatively you can just not link your desktop to an online account. Which sounded idiotic to me in the first place. Nor will I trust important financial data to the cloud. I'm just waiting for the day when we start hearing reports of how hackers gained a back door access to Skydrive, Google drive, &c. Then spent weeks or months undetected sifting through petabytes of personal data of millions of people. Building the penultimate list for identity theft.
    Sure my computer is no more secure except by obscurity. My computer is some pointless little trifle sitting in the recesses of the Internet. While these companies are great shining beacons attracting hordes of hackers from around the world. Existing in a state of constant siege. With thousands of attackers constantly searching out cracks in their fortifications.
    The only way I would even consider trusting data is if it was fully encrypted on their end. Meaning if I lost the password the data would be irretrievably lost. Just like files encrypted on my desktop.