Eric Doerr, Group Program Manager of Microsoft Account, confirmed on Wednesday the addition of an optional two-step verification process that will be made available in a major upgrade to the Account service rolling out in the next few days.
There has been a growing need for a two-step system since the launch of Windows 8, Windows RT and Windows Phone 8, all of which rely on a single user account. This new system will provide an additional layer of security, requiring users to enter a unique code sent to a phone or email in addition to the typical user name/password combo.
Why do we need this? Here's a good personal example. In 2011, my Google account was hacked by a company in the mid-west because I was merely using a user name and password to gain entry. This company used my account to make overseas calls via Google Talk. Given that the account stored my credit card information via Google Wallet, the fees were leeched straight from my bank account. Now I use a two-step process to access my account (although it's a pain), and Google reversed all the charges.
Thus, in an era where seemingly nothing is secure, a two-step verification process is a necessity. Microsoft realized this more than a year ago, requiring a two-step process for activities like editing credit cards and subscriptions at commerce.microsoft.com and xbox.com, and accessing files stored on SkyDrive.com from another computer. These will always require a two-step process.
But Windows Account is designed to store personal settings, contacts and other information in the cloud, and to make them accessible to any platform or service that relies on this central point of data. Thus, imagine a hacker gaining access to a Windows Account and locking the owner out of their desktop, laptop and/or mobile device. Even more, they could gain access to files stored on SkyDrive. This is why a two-step process is vitally important.
"We’ll verify that you have at least two pieces of security information on file (it’s always good to have a second in case you lose the first)," Doerr said. "If you have a smartphone, we’ll help you set up an authenticator app, which allows you to receive two-step verification codes even while offline (very useful on vacation and to avoid messaging fees). The next time you sign on, you’ll be prompted for a code."
According to Doerr, this new verification system works for Windows 8, any Web browser, and even Microsoft apps and services on iOS and Android devices. For those apps and devices that don't directly support two-step authentication (like the Xbox 360), users will need to set up a password that's unique to each application or device. Google offers something similar, requiring users to create a security key that provides a long string of numbers and letters that must be used in place of the account password.
"For Windows Phone, we’ve released a Microsoft Authenticator app," he said. "The app supports a standard protocol for two-step verification codes and can be used with your Microsoft account and other systems that support two-step verification codes, like Google and Dropbox. The advantage of authenticator applications is that they use advanced cryptography to generate codes to access your account without the need to be online."
There are also excellent authenticator apps that already exist for non-Windows Phone platforms that are compatible with Microsoft Account's two-step verification, he said.
For more information about the new two-step process, and how to activate it on your account, head here. Authentic Fists of Steel are not included.