Microsoft adopts two-step authentication (finally)
I highly recommend two-step verification for major online accounts, even though the process sometimes is a real hassle. I long ago applied the security measure to my Google account, but Microsoft offered no option. Hell, even Apple beat the software giant with the measure. That starts changing today.
"Over the next couple days we will roll out a major upgrade to Microsoft account, including optional two-step verification to help keep your account more secure", Eric Doerr, Microsoft Account group product manager, says. The logistics are similar to Google's -- two-step verification most places, application-specific passwords elsewhere and a tool for generating authentication codes.
In fairness, two-step authentication isn't completely new; what's new is widespread availability across Microsoft products and services. Where fully supported, the process is simple. Jack Consumer logs into his account and is stopped for additional verification, which can be a code dynamically generated using the Microsoft Authenticator app or one sent to a pre-designated cell phone. Entering the code provides access, which typically is a one-time process per device or app running on it. However, devices not used for 60 days will trigger new verification.
"The advantage of authenticator applications is that they use advanced cryptography to generate codes to access your account without the need to be online", Doerr says. "This is especially helpful if you’re on vacation and don’t want to pay high roaming fees to receive text messages or phone calls". But you're out of luck if you're among the majority of people using Android or iPhone. "There are excellent authenticator apps that already exist for those platforms and are compatible with Microsoft account two-step verification", he adds without identifying what they are.
Using the feature is "your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy", Doerr says. I'd like to see a day where two-step verification is required.
Consider that Google and Microsoft now require a respective account to access devices running their software, such as Chromebook, Google TV, Windows PC or Xbox, and services like Drive, Office 365 or SkyDrive. Two-step verification protects your single sign-on account, as well as apps, devices and services, since someone seeking unauthorized access would generate a code sent to your phone that you see and they don't.
There is also huge end-user risk if the security mechanism isn't properly managed. Doerr explains:
It does require you to be careful to keep your account up to date. If your security information changes (phone or alternative email), it’s important to update your Microsoft account before you get rid of the old info.
If you know your password but lose access to your secondary security proof, customer support cannot update it for you. Your only option is to go through a recovery process that enforces a 30 day wait before you regain access to your account -- to ensure someone malicious hasn’t used this as a way to take over your account. And if you lose access to your password AND all your security info, you will not be able to regain access to your account.
I'll set up two-step authentication as soon as Microsoft enables the feature for my account. Will you?