Having finally enabled two-factor authentication (a.k.a. two-step verification, multi-factor authentication and probably a dozen other variants) on a Google account, I turned my attention to my Microsoft account, which in theory can be used for Outlook email, Office 365, logging in to Windows devices, Xbox and the like – so it’s important to make it secure.

To underline this, a recent phishing attack aimed at Office 365 users lured them into entering login credentials on a fake web site. Once the criminals had those credentials, they could log in as that user from any computer – unless two-factor authentication was turned on, of course! Because then, the baddies would be asked for a code which they couldn’t supply (unless they’d also managed to hijack whatever method is used for the second factor – which, as I keep saying, is possible but unlikely).

To set this up I started from this Microsoft article then followed the instructions. It wanted me to use the Microsoft Authenticator app, but given my bad experience with Authy, I declined. I set up three options for the second factor:

  • Email (not the Microsoft email, obviously)
  • SMS (yes, I know it’s potentially insecure but way better than nothing and quite unlikely to be hacked unless someone was specifically targeting me)
  • A recovery code, for use if neither of the above are available. As with 2FA for my Gmail, I stored this code safely in my password manager.

Microsoft 2FA in action

As with Gmail, I had to log back in to my email apps on my phone and iPad. In each case, I requested the second factor code be sent by email, although I could have chosen SMS. Microsoft warns that certain email apps may not be able to cope with 2FA (in which case something called an “app password” becomes necessary), but the ones I use clearly can. I won’t have to enter a code each time I use the account on those devices because they’re “trusted”. Arguably this makes them vulnerable if someone unauthorised gets access to the devices, but the bigger risk is always credential theft, where someone will try to log in on a different (untrusted) device. I also had to re-confirm the account on my Windows PC.

Only about another half-dozen accounts to go!

UPDATE 8/11/18: I needed to verify my Microsoft account in order to log in on someone else’s computer. I selected the SMS option (although email is arguably safer) but never received the text message. I tried again; still no text. So I switched to requesting the code by email, which worked immediately! That’s a little disconcerting…