Microsoft explains why Outlook.com doesn't have two-factor authentication

Over the past week, one of the biggest stories on the Internet has been former Gizmodo and current Wired.com writer Mat Honan having many of his online accounts wiped out by a hacker. One of them was his Gmail account, which he says might not have been lost if he had used two-factor authentication, which would have required both his password and a code sent to his smartphone.

This raises the question of whether every email service should offer that kind of setup. Microsoft, however, says it is trying to develop a strong security system for its recently launched Outlook.com service without requiring two-factor authentication.

Speaking with Mashable, Microsoft said that Outlook.com does require "strong passwords." Users can also have Outlook.com send single-use codes to their smartphones to sign in on a PC they don't own, such as one at an Internet cafe.

However, it sounds like Microsoft doesn't think most people will opt into the kind of two-factor authentication system that Gmail offers. The Microsoft spokesperson said the company is putting a lot of resources into developing security for Outlook.com during its open beta period, and added that it is trying "to find a strong solution that everyone can use, vs. just the 1% of users that figure out how to navigate a bunch of additional setup options."

Source: Mashable


cocoon said,
They should remove the 16-character limit for passwords. It's just stupid.

Ya, no kidding. I had an account I logged in with (Live -> Outlook)
and it said I can't use passwords with 16 chars? WTF?

cocoon said,
They should remove the 16-character limit for passwords. It's just stupid.

It's already been explained why there's still a 16 character limit...

According to Steve Gibson on the Security Now podcast, if they're enforcing a 16 character limit on passwords, it means they're not being salted or hashed. This is pretty unforgivable.

Walrush said,
According to Steve Gibson on the Security Now podcast, if they're enforcing a 16 character limit on passwords, it means they're not being salted or hashed. This is pretty unforgivable.

I wouldn't necessarily listen to Steve Gibson to be honest. He's wrong as often as he's right...

Shane Nokes said,

I wouldn't necessarily listen to Steve Gibson to be honest. He's wrong as often as he's right...

Steve has a good point.

Shane Nokes said,

It's only a good point if it's correct...

Simple research will tell you what Gibson has said on the matter of salting/hashing and password lengths are in fact correct.

I think i'd rather listen to him than you on matters of Security thanks.

Walrush said,

Simple research will tell you what Gibson has said on the matter of salting/hashing and password lengths are in fact correct.

I think i'd rather listen to him than you on matters of Security thanks.
So listening to Gibson as opposed to someone that has spent the last several years working at MS in an area directly related to this?

Ok. Your choice.

"Also, users can have Outlook.com send single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe."
That's exactly how Gmail two-factor authentication works, coming from someone who actually uses it.
I'm quite a bit dubious about how they keep passwords though, given that in my experience they run the passwords through a SWEAR FILTER so you can't use rude words in your password.

Simon- said,
"Also, users can have Outlook.com send single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe."
That's exactly how Gmail two-factor authentication works, coming from someone who actually uses it.
I'm quite a bit dubious about how they keep passwords though, given that in my experience they run the passwords through a SWEAR FILTER so you can't use rude words in your password.

Interesting point..
If they are gonna say no one knows your password but YOU,
then why filter it for swear words?
And like you said, does this mean they store unsalted and/or plain-text passwords?
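The thread above argues about what a 16-character cap and a swear filter say about how passwords are stored. Two points are worth separating: a service necessarily sees the plaintext at the moment it is submitted (so a filter at sign-up proves nothing about storage), while a salted, iterated hash accepts input of any length and produces a fixed-size record, so the hashing itself never needs a cap. The following is an added example, not code from the article, Microsoft or any commenter; it assumes PBKDF2-HMAC-SHA256 with a high iteration count (any modern password KDF makes the same point), and the truncating store at the end is a hypothetical contrast, not a claim about any real service.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 with a high work factor. bcrypt, scrypt or
# Argon2 would serve equally well; the point is that the KDF imposes no cap.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password of ANY length into a fixed-size record.

    Record layout: algo$iterations$salt_hex$hash_hex. The password is encoded
    as UTF-8 and fed whole to the KDF; the record size does not depend on it.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False          # malformed record: never a match
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def hash_password_truncated(password: str, limit: int = 16,
                            salt: Optional[bytes] = None,
                            iterations: int = ITERATIONS) -> str:
    """Hypothetical contrast (not what any named service is claimed to do):
    a store that silently drops everything past `limit` before hashing.
    The prefix alone then unlocks the account, so the characters the user
    typed beyond the limit buy no security at all."""
    return hash_password(password[:limit], salt, iterations)


if __name__ == "__main__":
    pw = "correct horse battery staple with a very long tail"   # constructed sample
    rec = hash_password(pw, iterations=10_000)
    print(verify_password(pw, rec), verify_password(pw[:16], rec))   # True False
    rec_t = hash_password_truncated(pw, iterations=10_000)
    print(verify_password(pw[:16], rec_t))                            # True
```

The salt is stored next to the hash on purpose: its job is to make identical passwords hash differently and to defeat precomputed tables, not to be secret. The iteration count is also stored so it can be raised over time without invalidating existing records.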

No, that's not exactly how it works because I don't have to dick around with Google to get single use codes. You set the damn thing to send a code to your phone after you type in your password and that's it. Yes, they have the single-use codes if you don't have your phone or whatever, but that's not what people want.

I prefer Google's security measures. MS need to sort this; I feel very insecure with my hotmail addy. I use 2-step on my gmail because I know even if the password is guessed/stolen/etc they still can't do anything with it unless they have my phone too.

Considering how important Live IDs are going to be for Windows 8 services (linking App purchases etc) they NEED something to keep the accounts secure. Some one-time-use passwords for public places are a start, but that's just not enough.

Also, users can have Outlook.com send single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe.
And
Gmail two-factor authentication

Do the same JOB.
If you want to try the new MS single-use code, just click on Sign in with a single-use code.
But for that to work MS should have your phone no. in the email account.

What's great about 2 Factor Authentication, is it will authenticate on a new machine. Which if you choose is also good for 30 days. But what's also nice (and this happened to me after sony and the PlayStation network was hacked) is if you start getting the 2 factor authentication texts on your cell phone and you aren't trying to log into your account, it's a big red flag that something is up. It means someone other than you got as far as your email address and password.

Microsoft, please don't create your features with the common idiot in mind. We call them the common idiot for a reason. For everyone else, they would like those advanced features.

warwagon said,
What's great about 2 Factor Authentication, is it will authenticate on a new machine. Which if you choose is also good for 30 days. But what's also nice (and this happened to me after sony and the PlayStation network was hacked) is if you start getting the 2 factor authentication texts on your cell phone and you aren't trying to log into your account, it's a big red flag that something is up. It means someone other than you got as far as your email address and password.

Microsoft, please don't create your features with the common idiot in mind. We call them the common idiot for a reason. For everyone else, they would like those advanced features.

Some people aren't idiots. They just don't have smartphones and don't want 2-factor authentication. Which is why it should be optional.

Rudy said,
Personally I don't see the need for 2-factor auth for my personal account

Then you must not have anything important tied to your email address. Good for you. Here's a cookie...

Rudy said,
Personally I don't see the need for 2-factor auth for my personal account

I use my Gmail account in my job without any worry for my password, since it is only used for Gmail and I have the two-step verification; even the "geeks" of tech support felt ashamed they didn't know about it..... but I know that for the average user it is way too much trouble to check for email.

dagamer34 said,
It's not an effective form of security if a large majority of people won't use it.

I don't care about other people's ignorance of reality. You have to tell people about it and why it's a good idea to use it. Kinda like how they put some cool features in Windows 7 and then took them out in Windows 8 because "No one used them". Well, advertise the feature to get the word out. They don't mind kicking out ads for a year-old browser.

You don't even need a phone with a SIM or internet access, if you have a smartphone or a tablet the Google Authenticator app generates codes for the 2 step auth offline.

And you can also use Google's 2 step auth on your computer login and remote ssh connections, which is all kinds of cool. You get the specific codes generated for each connection on the Authenticator app on your phone/tablet.
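The last two comments point out that an authenticator app generates codes with no SIM or network at all, and an earlier comment (warwagon) notes that unexpected codes are a signal that someone already has the password. Both follow from how time-based one-time passwords work: the code is an HMAC of the current 30-second counter under a shared secret, so the phone computes it offline and the server recomputes it to check. The following is an added example, not code from the article or from Google; it implements RFC 4226 HOTP and RFC 6238 TOTP with the defaults authenticator apps use (SHA-1, 6 digits, 30-second step) plus the server-side check with drift tolerance and replay protection, and the secret in the sample is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Tuple


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. Nothing here
    touches the network, which is why an authenticator app works offline."""
    return hotp(key, unix_time // step, digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret shown at enrolment (spaces and case tolerated)."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify_totp(key: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Tuple[bool, int]:
    """Server side: accept the current step or +/- `window` steps of clock drift,
    compare in constant time, and refuse any counter at or below the last one
    accepted (replay protection). Returns (accepted, counter) so the caller can
    persist the counter on success."""
    now_counter = unix_time // step
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference secret in the base32 form an app imports.
    key = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(key, int(time.time())))
```

Two design points matter on the server: the window should stay small (one step either side is typical) because every extra step multiplies an attacker's chance of guessing a six-digit code, and the last accepted counter must be stored per user so a code that was just used cannot be submitted again within the same 30 seconds.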
