Following similar initiatives by Apple, Google and Facebook, Microsoft is enabling two-factor authentication for its Microsoft Account service, the log-on service for many of its online and desktop products.
"With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account," wrote Eric Doerr, Microsoft Account group program manager, in a blog entry announcing the secondary authentication. "It's your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we've worked hard to make set-up really easy."
With two-factor authentication, a user logging in to a service or device supplies a second piece of information in addition to a password, so that an attacker who has obtained the password alone (through phishing, reuse, or a breached database) still cannot get in without the second factor. Microsoft's additional verification methods include a short code sent to the user's mobile phone, which is entered alongside the password, or a code sent to an alternative email address the user has registered with the account.
Microsoft Account, formerly called Windows Live ID, is a single sign-on Web service that authenticates users of Outlook.com, SkyDrive, Skype, and other Microsoft services. It can also be used as an authentication mechanism for Windows PCs, the Xbox, and Microsoft Office. In all, Microsoft has over 700 million users registered to Microsoft Account.
Users will find instructions for adding a second form of authentication on the Microsoft Account settings page. The chief form of secondary authentication will be a short code sent, at each login, to the mobile phone number Microsoft keeps on file for the user.
As an alternative to codes sent by text message, Microsoft is providing other forms of authentication as well. Smartphone users can install an authenticator app that generates the codes on the device itself, with no network connection required; Microsoft has released an authenticator app for Windows Phone, and third-party authenticator apps can be used on other platforms. For devices and applications that do not directly support two-factor authentication, such as the Xbox, users can generate a secondary password unique to each device (an app password), which should be revoked from the account settings if that device is lost.
Microsoft can also keep a list of trusted devices designated by the user. On such a device, the user enters a security code once and the device is remembered on future visits, so the code is not required for every login. Microsoft already offers a version of this capability, but only with Internet Explorer and additional software. Users manage their list of trusted devices through the account settings page; because a trusted device effectively carries a standing exemption from the second factor, the list should be kept short and pruned when a device is sold or lost.
Doerr cautioned that, though more secure, two-factor authentication can be harder to manage. Losing a security code results in a 30-day wait for a new one. Microsoft also asks for at least two pieces of security information on file, in case one is lost or forgotten; a user who loses both the password and all of the security information will not be able to regain access to the account.