Don’t let the shit hit the fan. Configure 2FA for your MSA.
If you’re using a Microsoft account (MSA), you need to secure it with two-step verification. And then use an authenticator app to make it painless.
I discussed this and other Microsoft account security features recently in First Steps: The Proper Care and Feeding of Your Microsoft Account. If you haven’t, please read that article now, paying particular attention to the “Review and edit MSA security features.”
Note: Two-step verification is basically Microsoft’s name for two-factor authentication (2FA). While they are not technically the same, for purposes of this discussion, these terms are interchangeable.
Here’s how to enable 2FA for your MSA.
Open a web browser on your PC, navigate to the Microsoft account website at account.microsoft.com, and sign-in as required. Then, select Security from the menu at the top.
From the Security page, select “more security options”. On this Additional Security Options page, you will see a section called Two-Step Verification. Select the link “Set up two-step verification.”
This launches a web-based wizard which will help you enable 2FA and warn about the the older devices, apps, and services (Windows Phone 8-based phones, Xbox 360 and a few other older things) that do not support 2FA and will thus require an app password (which you can generate on the fly from the Microsoft account website).
By default, 2FA will rely on whatever security info you configured for your MSA. That is, you can choose to approve sign-ins via whatever configured email address(es) or phone numbers (via text messaging) you have listed under the “Security info helps keep your account secure” section on the MSA Security Settings page.
But there is a better way.
Instead of relying on emails or text messages, you can approve sign-ins using an authenticator app on your phone. Your MSA will work with virtually any high-quality authenticator app—like the versions from Google and LastPass—but I strongly recommend using Microsoft Authenticator, which is available on Android, iPhone, and Windows phones. Why? Because this app offers a much easier way to approve sign-ins than other authenticator apps.
To configure an authenticator app, locate the “Identity Verification Apps” section on the MSA Security Settings page. Then, select the link “Set up identity verification app.”
This launches a web-based wizard which first prompts you for the type of phone you’re using: Windows Phone, Android, iPhone, or Other. Then it will prompt you to install the Microsoft Authenticator app (which you should, though again you can use other authenticator apps too).
Now, open the authenticator app on your phone. (I will assume you’re using Microsoft Authenticator, but the steps are similar for other apps.) Tap the “+” button in the top right of the app and then select “Personal account” from the account type list. Then, sign-in to your Microsoft account.
Note that you’ll need to approve this sign-in using a method (email, text message) that was previously configured this one time. Once you do so, your Microsoft account will appear in the list of accounts in the app’s main view.
You will need to use the authenticator app when you sign-in with your MSA account on a new device, web browser, or similar. And then you will need to re-authenticate every month or so. With the Microsoft Authenticator app, you can simply approve requests directly from the phone, which is much simpler than the old way: You’ll see a pop-up notification that you can approve.
(With other authenticator apps or with other account types, you can type in the code that is generated by the app for each account. There is a new code generated every 30 seconds.)
And now you’re good to go: With 2FA configured on your MSA and by using an authenticator app on your phone, you have the best of both worlds: Better security and great usability. And if you don’t have your phone with you at some point, you can still use those other methods to authenticate sign-ins as a backup.
