Leak shows two-factor authentication is coming to Microsoft Accounts

It looks like Microsoft is finally adding two-factor authentication to Microsoft Accounts: leaked images appear to show the feature nestled within the Security info settings tab. LiveSide reports that the two-step verification method will require you to enter a code generated by a dedicated Authenticator smartphone app when signing in to your account, in addition to your regular account password.

The app, which is already available in the Windows Phone Store, says you will be able to link your Microsoft Account to it by "scanning a barcode or by manually entering a secret key", and that it uses "industry-standard security code generation" to produce the codes. A screenshot of the Microsoft Account website indicates that apps will also be available for iOS, Android and BlackBerry.
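The "industry-standard security code generation" from a secret key that the app describes is, in every mainstream authenticator app, RFC 6238 TOTP: an HMAC over a 30-second time counter, truncated to six digits. Whether Microsoft's app uses exactly that construction is an assumption here; the article does not say. The following is an added example, not Microsoft's or LiveSide's code, showing both what the phone computes and the check a server performs, including a small clock-skew window and a constant-time comparison. The secret is the RFC 6238 reference key, base32-encoded the way a user would type it into the app.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890"), base32-encoded as an
# authenticator app expects it typed in. Test value, not a real account key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a user-typed base32 secret, tolerating spaces, lowercase and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the phone shows."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // step, digits)


def verify_totp(secret_b32: str, code: str, at=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step or up to `window` steps
    either side to absorb clock skew between phone and server. A production server must
    also remember the last accepted step per user so a code cannot be replayed inside
    the window; that bookkeeping is omitted here."""
    now = int(time.time()) if at is None else at
    secret = decode_secret(secret_b32)
    current = now // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, current + delta, digits)
        # Constant-time compare: do not leak which digits matched via timing.
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Times taken from the RFC 6238 test vectors; the 6-digit codes are the last
    # six digits of the RFC's 8-digit SHA-1 results.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET_B32, at=t))
    # Phone generated the code at t=59, server checks 16 seconds later: still valid.
    print(verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, at=59), at=75))
```

The secret key is the whole of the security: anyone who captures it (from the barcode, a backup, or a compromised phone) can generate the same codes indefinitely, which is why the app password mechanism described below matters for clients that cannot present a code.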

LiveSide also reports that two-step verification is not currently available to people who have linked accounts: you have to unlink all accounts before the option to set up two-step verification appears. Some apps that use Microsoft accounts, e.g. third-party mail applications, do not support two-step verification, so Microsoft will provide an "app password" that you generate on the Microsoft Account website and use in place of your regular password in those apps. Because an app password is accepted without a second factor, it is effectively a bypass for whichever app holds it and should be treated as a credential in its own right.

Since the Authenticator app has already appeared in the Windows Phone Store, two-step verification may be available very soon, although there is no concrete word on timing, nor has Microsoft officially announced the feature. It would be a welcome addition to account security, bringing Microsoft Account authentication up to the level currently offered by Google accounts and Apple IDs.

Source: LiveSide

54 Comments


I hope they fix the issues with linked accounts. I also hope there's an option for those that prefer to be sent an SMS text with the passcode instead, because not everyone has a smartphone to download an app on.

I'd rather have yet another app on my phone which I use less than once a year...
A password only is fine for me, hell even having two passwords would be better than this!

Am I retarded or am I special (both?) - Whenever I go into my account on Xbox Live or whatever, an SMS gets sent to my phone and I gotta type that in to get further? Isn't that 2 factor?

uh... I get a code on my phone I have to enter, in addition to my username and pwd, but only if I'm trying to edit the MS account info, e.g. payment info, personal info. Isn't that 2-factor? If so, it's something that's been there a long time.

-adrian- said,
They should start to allow passwords longer than 16 figures... this would be a start to security

*facepalm*

-adrian- said,
They should start to allow passwords longer than 16 figures... this would be a start to security

These are the kinds of comments that reinforce how little the average user knows about security. There is about the same probability of hacking a Microsoft account password of 200 characters as there is of 3 characters. Heck, even a 2 character password isn't guessable and probably just as safe. I'm curious to know what part makes you think a greater than 16 character password is safer than a 6 character password? These passwords are salted, hashed, then encrypted in memory with operations done within a locked down, firewalled, military grade network. To get there they then make their way across a FORCED SSL connection which admittedly is possible to crack (I'm talking deep level packet analysis with a man in the middle attack) but being able to crack it is not a dependent variable of the password length.

Long password length has actually got many drawbacks:
- It takes way too much time to put in
- You are prone to a higher failure rate
- Can trigger packet overflow revealing packet nature and overflowing contents as raw text (OK, that's a bit extreme but you get the point)
- Gives a false sense of security leading to poorer security in areas that actually matter
- Can open up stuff like SQL exploits if people can start injecting entire statements in the password field... (wouldn't happen on MS servers but that is why you sometimes see that a website won't allow symbols in password fields)

According to your post I guess a 25 digit password is as safe as a 4 digit one, right? Because 2 way authenticator is the solution because man in the middle is always just on one machine - right?

ingramator said,

These are the kinds of comments that reinforce how little the average user knows about security. There is about the same probability of hacking a Microsoft account password of 200 characters as there is of 3 characters. Heck, even a 2 character password isn't guessable and probably just as safe. I'm curious to know what part makes you think a greater than 16 character password is safer than a 6 character password? These passwords are salted, hashed, then encrypted in memory with operations done within a locked down, firewalled, military grade network. To get there they then make their way across a FORCED SSL connection which admittedly is possible to crack (I'm talking deep level packet analysis with a man in the middle attack) but being able to crack it is not a dependent variable of the password length.

Long password length has actually got many drawbacks:
- It takes way too much time to put in
- You are prone to a higher failure rate
- Can trigger packet overflow revealing packet nature and overflowing contents as raw text (OK, that's a bit extreme but you get the point)
- Gives a false sense of security leading to poorer security in areas that actually matter
- Can open up stuff like SQL exploits if people can start injecting entire statements in the password field... (wouldn't happen on MS servers but that is why you sometimes see that a website won't allow symbols in password fields)


You do know M$ had a security breach with a lot of Xbox Live accounts and swore up and down nothing happened. I am a system admin at my job, so making hard passwords is kind of my thing, and yet even my account was compromised too. I don't have any faith whatsoever in M$ account security. It's going to take something like 20 factor authentication for me to ever put my credit card online again with M$.

There's more than one solution to enhance security. Longer passwords is one of them as opposed to shorter less complex passwords. Spaces, case, and length can add security and make passwords easier to remember as they allow natural phrases that will prevent people from writing them down. The time to enter longer passwords is offset by the nature of natural phrases with proper sentence punctuation making them easier to remember and type.

THANK YOU Adrian, at least someone said something smart here. People need to start to change. Passwords are easy to crack, and anything under 15 characters is even easier, especially if you have local access.

I have trained multiple company staff for years using PASS PHRASES..... These are extremely secure, easy to remember and you all the characters.

For instance.... I love my dog Spot.

This is a 19 character password that is EASY to remember and type. You are far less likely to make a mistake than using something like M!11!tia.

15 characters passwords are like locks. They only protect you from the good guys. The bad guys are coming at you full force, be smart and prepared.

ingramator said,

These are the kinds of comments that reinforce how little the average user knows about security. There is about the same probability of hacking a Microsoft account password of 200 characters as there is of 3 characters. Heck, even a 2 character password isn't guessable and probably just as safe. I'm curious to know what part makes you think a greater than 16 character password is safer than a 6 character password? These passwords are salted, hashed, then encrypted in memory with operations done within a locked down, firewalled, military grade network. To get there they then make their way across a FORCED SSL connection which admittedly is possible to crack (I'm talking deep level packet analysis with a man in the middle attack) but being able to crack it is not a dependent variable of the password length.

Long password length has actually got many drawbacks:
- It takes way too much time to put in
- You are prone to a higher failure rate
- Can trigger packet overflow revealing packet nature and overflowing contents as raw text (OK, that's a bit extreme but you get the point)
- Gives a false sense of security leading to poorer security in areas that actually matter
- Can open up stuff like SQL exploits if people can start injecting entire statements in the password field... (wouldn't happen on MS servers but that is why you sometimes see that a website won't allow symbols in password fields)

You are soooo wrong about how long passwords should be. 2 character passwords can be cracked in less than a second. 6 character passwords can be cracked in a few days. At the moment only 8 character passwords and up can't be cracked in a reasonable time. 9 character passwords take more than the universe has existed to crack (I am being absolutely serious about that).

So I feel I need to quickly explain how password cracking works because clearly you don't (or else you would absolutely never think a 2 character password is safe).

1. An attacker gains access to a database full of passwords. Passwords are hashed NOT encrypted typically on servers (Google hashing. It isn't a hard concept to understand).
2. The attacker grabs all of the passwords
3. The attacker then uses a cracking tool which uses various methods (brute force, dictionary, rainbow table attacks) to crack the passwords.
4. The tool works in the following way. Depending on the method(s) used it generates a password, hashes it, then compares it to the hashed passwords he stole earlier.
5. If any of the hashes match, he knows he cracked the password.

In a quick and dirty nutshell that is how password cracking works. I didn't go into why it takes longer to crack longer passwords, but you can look that up yourself. Just know that with each additional character a password takes exponentially longer to crack. Complexity also adds more time, but it is nowhere near as important as length.

siah1214 said,

*facepalm*

I am going to *facepalm* your *facepalm*

He's correct. The fact that they have any restrictions on the amount of characters you can use for a password is never a good sign.

ingramator said,
I'm curious to know what part makes you think a greater than 16 character password is safer than a 6 character password?

Probably the article Neowin had a while ago about the old NTLM passwords being easy to crack on modern hardware.
Forgetting of course we've all moved on.

Just made an account to tell you you're a ****ing idiot. Don't listen to this guy people. At least 8 characters and upper, lower case and characters.

cmplieger said,
Just made an account to tell you you're a ****ing idiot. Don't listen to this guy people. At least 8 characters and upper, lower case and characters.

So he's a ****ing idiot because he wants to use 16 characters? I agree with him. I don't like the fact they are limiting the character length at all

ingramator said,

These are the kinds of comments that reinforce how little the average user knows about security. There is about the same probability of hacking a Microsoft account password of 200 characters as there is of 3 characters. Heck, even a 2 character password isn't guessable and probably just as safe. I'm curious to know what part makes you think a greater than 16 character password is safer than a 6 character password? These passwords are salted, hashed, then encrypted in memory with operations done within a locked down, firewalled, military grade network. To get there they then make their way across a FORCED SSL connection which admittedly is possible to crack (I'm talking deep level packet analysis with a man in the middle attack) but being able to crack it is not a dependent variable of the password length.

Long password length has actually got many drawbacks:
- It takes way too much time to put in
- You are prone to a higher failure rate
- Can trigger packet overflow revealing packet nature and overflowing contents as raw text (OK, that's a bit extreme but you get the point)
- Gives a false sense of security leading to poorer security in areas that actually matter
- Can open up stuff like SQL exploits if people can start injecting entire statements in the password field... (wouldn't happen on MS servers but that is why you sometimes see that a website won't allow symbols in password fields)

Well, you're sure using a lot of big words to make it *seem* like you know something about security, but this and your previous statement clearly show you know squat about it.

There are more holes in your arguments than an unpatched copy of XP.

Walrush said,

Well, you're sure using a lot of big words to make it *seem* like you know something about security, but this and your previous statement clearly shows you know squat about it.

There are more holes in your arguments than an unpatched copy of XP.

Wow. Guys, this is not offline NTLM, this is server-side. If it was so easy to "crack", every person's credit card number would be stolen... I'm not even going to bother.

mnl1121 said,

You are soooo wrong about how long passwords should be. 2 character passwords can be cracked in less than a second. 6 character passwords can be cracked in a few days. At the moment only 8 character passwords and up can't be cracked in a reasonable time. 9 character passwords take more than the universe has existed to crack (I am being absolutely serious about that).

No YOU do not understand passwords. A salted password is impossible to crack be it 2 or 2000 characters. You need the salt to be able to crack them. Doesn't matter if you brute force or word dictionary all you will be cracking is the passwords + the salt. Don't even bother.

And what if the password is successfully phished or key logged, optically harvested, written down and stored under a keyboard, guessed through familiarity? The most notorious hacking we've known occurred over a call in to a help desk to reset a password ...

ingramator said,

No YOU do not understand passwords. A salted password is impossible to crack be it 2 or 2000 characters. You need the salt to be able to crack them. Doesn't matter if you brute force or word dictionary all you will be cracking is the passwords + the salt. Don't even bother.


I don't think you understand how or why salts are used.

One of the biggest advantages of salting is that you're altering the original password hash to prevent it from being looked up in rainbow tables. That way all brilliant users with the password 'password1' will get unique hashes.

However, the salt generated when creating the password must be stored, and is often so in the user table. When you log on, the system must use the same salt to verify that the password you entered was correct.

So if you use a 2 character password and the system appends a <insert whatever length> unique salt, ALL I need to log on to your account is the 2 characters.
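The two threads of this discussion, mnl1121's step list for offline cracking (hash each guess, compare with the stolen hash) and the reply above about the salt being stored next to the hash, come together in one added worked example below. It is not code from any commenter or from Microsoft. The hash construction (salted single-round SHA-256), the 36-symbol guessing alphabet and the 1e9 guesses-per-second rate are constructed for illustration; the stored records are generated in the script, not taken from any real leak.

```python
import hashlib
import itertools
import os
import string

# Attacker's guessing alphabet for the brute-force pass: lowercase + digits (36 symbols).
ALPHABET = string.ascii_lowercase + string.digits


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-256, the fast construction many leaked databases used.
    Constructed for illustration; a real server should use a slow KDF (bcrypt, scrypt,
    PBKDF2) so that each guess costs the attacker far more than one hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_record(password: str) -> dict:
    """What the server stores for one user: a random per-user salt and the salted hash,
    side by side in the same row. Whoever dumps the table gets both."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def crack(record: dict, max_len: int):
    """Offline brute force of one stolen record, shortest candidates first. Each guess
    is hashed with the victim's own salt (read from the record) and compared to the
    stolen hash. Returns (password, guesses) on success or (None, guesses) if the
    password is longer than max_len or uses symbols outside ALPHABET."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=length):
            tried += 1
            guess = "".join(combo)
            if hash_password(guess, record["salt"]) == record["hash"]:
                return guess, tried
    return None, tried


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Candidates an exhaustive search of exactly `length` symbols must try."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, guesses_per_second: float,
                       alphabet_size: int = len(ALPHABET)) -> float:
    """Worst-case time to exhaust the keyspace at a given hashing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second


if __name__ == "__main__":
    # What the salt does buy: the same weak password hashes differently for every user,
    # so a precomputed hash -> password table (rainbow table) is useless against the dump.
    a, b = make_record("99"), make_record("99")
    print("same password, different hashes:", a["hash"] != b["hash"])

    # What the salt does not buy: the attacker has the salt, so a short password falls
    # to brute force anyway. "99" is the last 2-symbol candidate: 36 + 36**2 guesses.
    print(crack(a, max_len=2))

    # Cost grows as alphabet_size ** length. At a constructed 1e9 guesses/s against a
    # single fast hash, length is what separates seconds from centuries.
    for n in (6, 8, 12, 16):
        print(f"{n} symbols: {seconds_to_exhaust(n, 1e9):.3g} s")
```

Two knobs decide the outcome of this loop: the number of guesses, which is set by the password's length and alphabet, and the cost of each guess, which is set by the hash function the server chose. The salt moves neither; it only stops the attacker from reusing work across users or from a precomputed table.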

ingramator said,

No YOU do not understand passwords. A salted password is impossible to crack be it 2 or 2000 characters. You need the salt to be able to crack them. Doesn't matter if you brute force or word dictionary all you will be cracking is the passwords + the salt. Don't even bother.


If you are able to obtain the hash, what stops you from being able to obtain the salt? Considering they are both stored in possibly compromised databases?

theyarecomingforyou said,
This coming not long after Microsoft told everybody that two-factor authentication was unnecessary.

It still is unnecessary. The only security it adds is physical. Anyone that thinks they are somehow safer using two factor authentication, shouldn't be using it. In some cases it can be exploitable or used as an exploitable asset, for instance if you steal someone's phone, you have access to their email but they don't because they don't have an authenticator... Anyway, Microsoft are doing this not because they deem it necessary but because some people have said they "want" it. Responding to customer requests is good, I for one don't want to volunteer for a ridiculous amount of hassle but if Joe or Pete want to then good luck to them!

theyarecomingforyou said,
This coming not long after Microsoft told everybody that two-factor authentication was unnecessary.

Wrong. First they said they do have it. You have a user name and a password. There is your two-factor.

theyarecomingforyou said,
So all the other companies that have implemented two-factor authentication are just doing it for laughs?

No, they're doing it because they are stupid. It's only good for people who reply to phishing emails with their username and password.

Or the millions of 1DI0Ts that write their passwords down.

Or use eBay or Paypal with direct access to their bank accounts.

Smartcard two-factor, Fingerprints two-factor, all of that nonsense is actually just a waste of time. Does nothing but placate demanding customers who know nothing.

Unless you work for the DOD and just want to waste money, it's just stupid, actually makes you less secure. We don't need digital certificates either. And sending passwords over the network in plain text is considerably faster as well.

OMFG.

/ssssssssssssssssssssss

I'm not sure that article says that I'm wrong. I don't actually disagree with it. It supports multiple factors (tokens, biometrics, etc.) and pass phrases. It really only suggests it must keep evolving as hackers keep evolving.

Longer pass phrases are more secure than shorter ones. Two factor IS more secure than single factor. And as hacking weakens those, we need to continue to evolve and add more criteria.

However, depending on the target, two-factor will protect most. Ultimately you cannot stop a determined hacker, at least not general users. You can make it more difficult than it is worth though.

I might have misunderstood your previous comment. I fully agree with what you just wrote, I just didn't agree with the previous comment saying two-factor was only good for those who reply to phishing emails or write their passwords down.

Two-factor also helps protect those whose passwords (even when hashed and salted) get leaked (and those are becoming alarmingly common) by at least providing yet another hurdle for the hackers to overcome.

It is also concerning that of many hacked websites lately, a lot of them don't seem to have salted the password before hashing them, making the leaks even worse. For users that find the password hashes leaked like that, two-factor auth can be a lifesaver.

Stebet said,
I might have misunderstood your previous comment. I fully agree with what you just wrote, I just didn't agree with the previous comment saying two-factor was only good for those who reply to phishing emails or write their passwords down.

Hahaha, understood. The /sssssssssssss was for extreme sarcasm. It was unbelievable to see the suggestion that two-factor is unnecessary and does nothing and that longer pass phrases offer no security benefits over short ones, etc. Really ludicrous, no wonder so many hacking attempts are successful. Clearly many here are vulnerable to a kid in his room with a simple dictionary attack on a password database.

ingramator said,

It still is unnecessary. The only security it adds is physical. Anyone that thinks they are somehow safer using two factor authentication, shouldn't be using it. In some cases it can be exploitable or used as an exploitable asset, for instance if you steal someone's phone, you have access to their email but they don't because they don't have an authenticator... Anyway, Microsoft are doing this not because they deem it necessary but because some people have said they "want" it. Responding to customer requests is good, I for one don't want to volunteer for a ridiculous amount of hassle but if Joe or Pete want to then good luck to them!

Wow is all I can really say about that. Reading that made my IQ drop a few points. For anyone to say two-factor authentication is unnecessary is, and I'm being VERY kind, WRONG!

warwagon said,
Wow is all I can really say about that. Reading that made my IQ drop a few points. For anyone to say two-factor authentication is unnecessary is, and I'm being VERY kind, WRONG!

I know, it's bizarre.

Stebet said,
It's my opinion that you are quite wrong MorganX.

Here's why: http://www.wired.com/gadgetlab...-mat-honan-password-hacker/

That's a really bad example. Because had he had two factor authentication turned ON in his Gmail account it would have prevented the hack. Because with it on they don't let you see part of the recovery email address. After the hack happened, Apple has ENABLED two-factor authentication. They also say when you turn that on, we will never be able to reset your password for you.

Edited by warwagon, Apr 9 2013, 10:18pm :

I've been using Two-Factor Authentication for a while now with Google and Dropbox using Google Authenticator. Process was simple. Changed my primary device twice once was an upgrade, second was a bad charging port so I gotta replacement. Gotta say that putting it back on was simple.

Never been locked out of my accounts and I have peace of mind. For anyone to say it is unnecessary is extremely [insert what you like here] or they are a Microsoft fanboy and are ashamed to admit that Microsoft is finally doing the right thing here and they see it as +1 for Google for having it before Microsoft and Apple (they simply can't have that).

Take your pick on what camp you are in. All I can tell you is that it's about time. Especially with those yearly subscriptions for Office 2013. People will have a credit card on file. Two-factor authentication is simply a must these days.

ingramator said,

It still is unnecessary. The only security it adds is physical. Anyone that thinks they are somehow safer using two factor authentication, shouldn't be using it. In some cases it can be exploitable or used as an exploitable asset, for instance if you steal someone's phone, you have access to their email but they don't because they don't have an authenticator... Anyway, Microsoft are doing this not because they deem it necessary but because some people have said they "want" it. Responding to customer requests is good, I for one don't want to volunteer for a ridiculous amount of hassle but if Joe or Pete want to then good luck to them!


LOL. Since you seem to think that 2 character passwords are as secure as 2000 characters, I suggest you opt in to this feature. The other 6 people who liked your post probably should too.

ingramator said,

It still is unnecessary. The only security it adds is physical. Anyone that thinks they are somehow safer using two factor authentication, shouldn't be using it. In some cases it can be exploitable or used as an exploitable asset, for instance if you steal someone's phone, you have access to their email but they don't because they don't have an authenticator... Anyway, Microsoft are doing this not because they deem it necessary but because some people have said they "want" it. Responding to customer requests is good, I for one don't want to volunteer for a ridiculous amount of hassle but if Joe or Pete want to then good luck to them!

If someone steals my phone, I will call carrier, disable phone and get a new one. At most, I'm not able to access my email for a day. I'm more concerned about accounts being hacked from internet based sources. If nothing else, if someone is trying to access my account, I'll know about it.

I'm a bit perplexed as to why they chose to complicate the process by requiring an authenticator app vs. just sending a txt to your phone.

AR556 said,

If someone steals my phone, I will call carrier, disable phone and get a new one. At most, I'm not able to access my email for a day. I'm more concerned about accounts being hacked from internet based sources. If nothing else, if someone is trying to access my account, I'll know about it.

I'm a bit perplexed as to why they chose to complicate the process by requiring an authenticator app vs. just sending a txt to your phone.

If someone steals my phone (VZW Galaxy Nexus), they still need to get access to my phone. It is encrypted and has a pattern lock. Best part, I have a spare phone (Nexus 4). All I have to do is install the Google Authenticator app on to that one and it automatically invalidates older Authenticator codes.

MorganX said,
Hahaha, understood. The /sssssssssssss was for extreme sarcasm. It was unbelievable to see the suggestion that two-factor is unnecessary and does nothing and that longer pass phrases offer no security benefits over short ones, etc. Really ludicrous, no wonder so many hacking attempts are successful. Clearly many here are vulnerable to a kid in his room with a simple dictionary attack on a password database.

I seriously need to work on my Sarcasm-O-Meter

warwagon said,
That's a really bad example. Because had he had two factor authentication turned ON in his Gmail account it would have prevented the hack. Because with it on they don't let you see part of the recovery email address. After the hack happened, Apple has ENABLED two-factor authentication. They also say when you turn that on, we will never be able to reset your password for you.

I think you misunderstood me. That article is all for two-factor authentication, and so am I. My original reply was aimed at MorganX's sarcastic comment, which I didn't realize was sarcasm.

Cool. I'll be using it on Microsoft Account. I don't use the email at all (it's my spam email account actually) but I do use it for Xbox and SkyDrive integration for Office 2013.

I'm glad they will let me use my Google Authenticator.