Microsoft Account Gets More Secure

Over the next couple of days we will roll out a major upgrade to Microsoft account, including optional two-step verification to help keep your account more secure.

Microsoft has increasingly focused on delivering connected devices and services that are currently used by more than 700 million people around the world. A Microsoft account is the key that unlocks your experience across these products—from your Windows PC to your Windows Phone, from Xbox to, from SkyDrive and Skype to Office and much more.

Given this critical role for Microsoft account, we remain vigilant in working hard to protect your account, which is why we’re adding an option so you can enable two-step verification to further protect yourself. You should see this option show up in your account in the next few days. You can enable this capability at

One account connects your digital world

A Microsoft account makes your experiences on devices and services more personal and relevant. When you sign in to any device or service with your Microsoft account, your personal settings, contacts and other information meet you there. It keeps you connected to the people you care about on Facebook, Twitter, LinkedIn and other services. It all just works, wherever you go.

· Communicate with your inbox and calendar, and with Skype video chat.

· Entertain yourself with games from Xbox Live, Xbox Music and Xbox video.

· Access all your photos, videos, docs and other stuff through SkyDrive.

· One set of people from the networks you use, like Facebook, LinkedIn, Twitter and more.

· Unlock personal productivity with Office.

Optional two-step verification keeps you more secure

However, with all this potential, criminals increasingly target customers online (across all major account systems), and so we constantly update our services to try to stay a step ahead and help keep you safe. Most of that work is behind the scenes — we stop millions of fraud attempts every day without any visible impact to you. But some people have asked for more tools to better protect themselves — and we’ve been hard at work coming up with an experience that does just that.

This release enables optional two-step verification for your entire Microsoft account. Two-step verification is when we ask you for two pieces of information anytime you access your account — for example, your password plus a code sent to a phone or email on file as security info.

More than a year ago, we began bringing two-step verification for certain critical activities, like editing credit cards and subscriptions at and, or accessing files on another one of your computers through For these scenarios, two-step verification is required 100 percent of the time for everyone, given the sensitive nature of these tasks.

With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account. It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.

We’ll verify that you have at least two pieces of security information on file (it’s always good to have a second in case you lose the first). If you have a smartphone, we’ll help you set up an authenticator app, which allows you to receive two-step verification codes even while offline (very useful on vacation and to avoid messaging fees). The next time you sign on, you’ll be prompted for a code.


Figure 1: Two-step verification setup

To get started, go to

Works everywhere you use your Microsoft account

Two-step verification protects you everywhere you use your Microsoft account: on Windows 8, any Web browser, and even Microsoft apps and services on iOS and Android devices.


Figure 2: Two-step verification challenge using a web browser


Figure 3: Two-step verification challenge on Windows 8


Figure 4: Two-step verification challenge on iOS

If you have an app or device that doesn’t directly support two-step verification (like your Xbox, or setting up email on your smartphone), you can still use two-step verification. For these devices, we’ll help you set up an app password unique to each application or device.

Easy offline access through Microsoft Authenticator

For Windows Phone, we’ve released a Microsoft Authenticator app. The app supports a standard protocol for two-step verification codes and can be used with your Microsoft account and other systems that support two-step verification codes, like Google and Dropbox.

The advantage of authenticator applications is that they use advanced cryptography to generate codes to access your account without the need to be online. This is especially helpful if you’re on vacation and don’t want to pay high roaming fees to receive text messages or phone calls.

If you don’t use a Windows Phone, there are excellent authenticator apps that already exist for those platforms and are compatible with Microsoft account two-step verification.

Easily set up your favorite devices to make it easy to log in

On devices you use regularly, you can select an option to not ask for security codes. This makes two-step verification painless — you use a code sent to a phone or email only once (per Web browser per device) and we remember that device in the future. If you don’t use the device for 60 days, we’ll prompt you for a code again for your security.

Previously we had a notion of trusted devices that was similar but only worked for IE and required you to manage a list if you had too many devices. With this release we’ve simplified things — you can skip codes on all modern browsers across major platforms, and you never have to manage the list. If you ever lose or sell a device, you can still choose to revoke these “trusted devices” by going to your security settings on

Keep your security info current to make recovery a breeze

Two-step verification is a great tool to help protect your account, but it does require you to be careful to keep your account up to date. If your security information changes (phone or alternative email), it’s important to update your Microsoft account before you get rid of the old info.

If you know your password but lose access to your secondary security proof, customer support cannot update it for you. Your only option is to go through a recovery process that enforces a 30-day wait before you regain access to your account – to ensure someone malicious hasn’t used this as a way to take over your account. And if you lose access to your password AND all your security info, you will not be able to regain access to your account.

We consider it an important responsibility to help enable all the things you want to do with Microsoft devices and services, while keeping your account safe and for your eyes only. The steps we’ve announced today are an important part of this commitment. Let us know what you think as you try them out!

Posted by Eric Doerr
Group Program Manager, Microsoft account