Microsoft explains why Outlook.com doesn't have two-factor authentication

Over the past week, one of the biggest stories on the Internet dealt with former Gizmodo and current Wired.com writer Mat Honan having many of his online accounts wiped out by a hacker. One of them was his Gmail account, which he says might not have happened if he had used two-factor authentication, which would have required both his password and a code sent to his smartphone.

This raises the question of whether every email service should offer that kind of setup. Microsoft, however, says it is trying to develop a strong security system for its recently launched Outlook.com service without the need for two-factor authentication.

Speaking with Mashable, Microsoft said that Outlook.com does require "strong passwords." Also, users can have Outlook.com send single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe.

However, it sounds like Microsoft doesn't think that most people will go for the two-factor authentication system that's an option for Gmail users. The Microsoft spokesperson said the company is putting a lot of resources into developing the security for Outlook.com during its open beta period and added that it is trying "to find a strong solution that everyone can use, vs. just the 1% of users that figure out how to navigate a bunch of additional setup options."

Source: Mashable


You don't even need a phone with a SIM or internet access, if you have a smartphone or a tablet the Google Authenticator app generates codes for the 2 step auth offline.

And you can also use Google's 2 step auth on your computer login and remote ssh connections, which is all kinds of cool. You get the specific codes generated for each connection on the Authenticator app on your phone/tablet.

dagamer34 said,
It's not an effective form of security if a large majority of people won't use it.

I don't care about other people's ignorance of reality. You have to tell people about it and why it's a good idea to use it. Kinda like how they put some cool features in Windows 7 and then took them out in Windows 8 because "No one used them". Well, advertise the feature to get the word out. They don't mind kicking out ads for a year-old browser.

Rudy said,
Personally I don't see the need for 2-factor auth for my personal account

Then you must not have anything important tied to your email address. Good for you. Here's a cookie...

Rudy said,
Personally I don't see the need for 2-factor auth for my personal account

I use my Gmail account in my job, without any worry for my password, since it is only used for Gmail and I have the two-step verification. Even the "geeks" of the tech support felt ashamed they didn't know about it..... but I know that for the average user it is way too much trouble to check for email.

What's great about 2-Factor Authentication is it will authenticate on a new machine, which, if you choose, is also good for 30 days. But what's also nice (and this happened to me after Sony and the PlayStation Network were hacked) is if you start getting the 2-factor authentication texts on your cell phone and you aren't trying to log into your account, it's a big red flag that something is up. It means someone other than you got as far as your email address and password.

Microsoft, please don't create your features with the common idiot in mind. We call them the common idiot for a reason. For everyone else, they would like those advanced features.

warwagon said,
What's great about 2-Factor Authentication is it will authenticate on a new machine, which, if you choose, is also good for 30 days. But what's also nice (and this happened to me after Sony and the PlayStation Network were hacked) is if you start getting the 2-factor authentication texts on your cell phone and you aren't trying to log into your account, it's a big red flag that something is up. It means someone other than you got as far as your email address and password.

Microsoft, please don't create your features with the common idiot in mind. We call them the common idiot for a reason. For everyone else, they would like those advanced features.

Some people aren't idiots. They just don't have smartphones and don't want 2-factor authentication. Which is why it should be optional.

Also, users can have Outlook.com send single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe.
And
Gmail two-factor authentication

Do the same JOB
If you want to try the new MS single-use code, just click on Sign in with a single-use code
But for that to work MS should have your phone number in the email account

Prefer Google's security measures. MS need to sort this, I feel very insecure with my hotmail addy. I use 2-step on my gmail because I know even if the password is guessed/stolen/etc they still can't do anything with it unless they have my phone too.

Considering how important Live IDs are going to be for Windows 8 services (linking App purchases etc) they NEED something to keep the accounts secure. Some one-time-use passwords for public places are a start, but that's just not enough.

No, that's not exactly how it works because I don't have to dick around with Google to get single use codes. You set the damn thing to send a code to your phone after you type in your password and that's it. Yes, they have the single-use codes if you don't have your phone or whatever, but that's not what people want.

"Also, users can have Outlook.com sent single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe."
That's exactly how Gmail two-factor authentication works, coming from someone who actually uses it.
I'm quite a bit dubious about how they keep passwords though, given that in my experience they run the passwords through a SWEAR FILTER so you can't use rude words in your password.

Simon- said,
"Also, users can have Outlook.com sent single-use codes to their smartphones to sign onto a PC that they don't own, such as at an Internet cafe."
That's exactly how Gmail two-factor authentication works, coming from someone who actually uses it.
I'm quite a bit dubious about how they keep passwords though, given that in my experience they run the passwords through a SWEAR FILTER so you can't use rude words in your password.

Interesting point..
If they are gonna say no one knows your password but YOU
then why filter it for swear words?
And like you said, does this mean they store unsalted and/or plain text passwords?

According to Steve Gibson on the Security Now podcast, if they're enforcing a 16 character limit on passwords, it means they're not being salted or hashed. This is pretty unforgivable.
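Added illustration of the argument in the comment above (not the commenter's, Gibson's or Microsoft's code): a salted, iterated hash turns a password of any length into a fixed-size record, so a properly hashed store has no technical need for a 16-character cap. The parameters (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt) are chosen for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example value; tune to the hardware budget of the real service
SALT_BYTES = 16
HASH_BYTES = 32       # SHA-256 output length, independent of the password length


def hash_password(password: str, salt=None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as one fixed-length record.

    A fresh random salt per user means identical passwords yield different
    records, and the plaintext is only ever seen here, at set time.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=HASH_BYTES)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_BYTES], record[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    ITERATIONS, dklen=HASH_BYTES)
    return hmac.compare_digest(candidate, stored)


def record_length(password: str) -> int:
    """Stored size for a given password; the same for 5 or 100 characters."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed demo passphrase, well over the 16-character limit in question.
    long_pw = "correct horse battery staple and then some more words"
    rec = hash_password(long_pw)
    print("record bytes:", len(rec), "verifies:", verify_password(long_pw, rec))
```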

Walrush said,
According to Steve Gibson on the Security Now podcast, if they're enforcing a 16 character limit on passwords, it means they're not being salted or hashed. This is pretty unforgivable.

I wouldn't necessarily listen to Steve Gibson to be honest. He's wrong as often as he's right...

Shane Nokes said,

I wouldn't necessarily listen to Steve Gibson to be honest. He's wrong as often as he's right...

Steve has a good point.

Shane Nokes said,

It's only a good point if it's correct...

Simple research will tell you that what Gibson has said on the matter of salting/hashing and password lengths is in fact correct.

I think I'd rather listen to him than you on matters of security, thanks.

Walrush said,

Simple research will tell you that what Gibson has said on the matter of salting/hashing and password lengths is in fact correct.

I think I'd rather listen to him than you on matters of security, thanks.

So listening to Gibson as opposed to someone that has spent the last several years working at MS in an area directly related to this?

Ok. Your choice.

cocoon said,
They should remove the 16-character limit for passwords. It's just stupid.

Ya, no kidding. I had an account I logged in with (Live -> Outlook)
and it said I can't use passwords with 16 chars? WTF?

cocoon said,
They should remove the 16-character limit for passwords. It's just stupid.

It's already been explained why there's still a 16-character limit...

As predicted, more excuses.... If the idea is big enough that they feel compelled to address it with yet another reason why they shouldn't, that tells me they're just being lazy.

Here are some tips for you, and if you have issues with not having it, these are the things that will most likely get you owned.

1) you are an idiot, or it's your fault.
2) don't give out your password to anyone.
3) don't use the same password on any site.
4) don't surf free porn sites.
5) don't open attachments from people not in your contacts list and/or you don't know why they sent you X.
6) don't use warez on a machine you want to trust 100%
7) don't pirate AntiVirus software
8) all other reasons see #1

Bad joke really, but you really only need it for banking / health / maybe work.

ShiZZa said,
Here are some tips for you, and if you have issues with not having it, these are the things that will most likely get you owned.

1) you are an idiot, or it's your fault.
2) don't give out your password to anyone.
3) don't use the same password on any site.
4) don't surf free porn sites.
5) don't open attachments from people not in your contacts list and/or you don't know why they sent you X.
6) don't use warez on a machine you want to trust 100%
7) don't pirate AntiVirus software
8) all other reasons see #1

Bad joke really, but you really only need it for banking / health / maybe work.

Incorrect.

2-factor authentication can help reduce social engineering attacks as well. I've been a victim of this before due to my prior high-profile job.

They social engineered employees at a few companies and took over some of my accounts. I managed to get them back, but alas without 2-factor authentication there's nothing stopping people from doing it again really...

Shane Nokes said,

Incorrect.

2-factor authentication can help reduce social engineering attacks as well. I've been a victim of this before due to my prior high-profile job.

They social engineered employees at a few companies and took over some of my accounts. I managed to get them back, but alas without 2-factor authentication there's nothing stopping people from doing it again really...

Yup, social engineering is a very real threat..
I remember seeing services many years ago that would be a hacker for hire.
And they advertised they would hack into anyone's Hotmail or Facebook account etc (for a fee)

ShiZZa said,
Here are some tips for you, and if you have issues with not having it, these are the things that will most likely get you owned.

1) you are an idiot, or it's your fault.
2) don't give out your password to anyone.
3) don't use the same password on any site.
4) don't surf free porn sites.
5) don't open attachments from people not in your contacts list and/or you don't know why they sent you X.
6) don't use warez on a machine you want to trust 100%
7) don't pirate AntiVirus software
8) all other reasons see #1

Bad joke really, but you really only need it for banking / health / maybe work.

While all of that is good advice, it reminds me of a scene from the movie "Contact", one of my favorite movies ever. The guy gives her a suicide pill just before she goes into space. She tells him "I'm not going to travel X light years just to commit suicide!" He says "We've been giving these pills to astronauts since the beginning of the space program, not for the reasons we can think of, but for the reasons we can't."

Edited by warwagon, Aug 11 2012, 5:20pm :

warwagon said,

While all of that is good advice, it reminds me of a scene from the movie "Contact", one of my favorite movies ever. The guy gives her a suicide pill just before she goes into space. She tells him "I'm not going to travel X light years just to commit suicide!" He says "We've been giving these pills to astronauts since the beginning of the space program, not for the reasons we can think of, but for the reasons we can't."

Love that movie!

And this is the reason why I will never use this. Unbelievable that a service such as Live accounts (or whatever they call it now) doesn't have two factor authentication. It's pathetic.

Leo (DerpDerp) said,
And this is the reason why I will never use this. Unbelievable that a service such as Live accounts (or whatever they call it now) doesn't have two factor authentication. It's pathetic.

MS accounts do use two-factor auth for certain things (like accessing your PC remotely via SkyDrive, or sync'ing your saved usernames and passwords across Win8 devices).

Brandon Live said,

MS accounts do use two-factor auth for certain things (like accessing your PC remotely via SkyDrive, or sync'ing your saved usernames and passwords across Win8 devices).

Indeed... but you and I both know that 2-factor authentication should be an option anywhere an MA/WLID login is in use. It's just safer, and with how ubiquitous mobile devices are, you can use SMS as a free option to receive the code.

I'd love to have it turned on for everything tied in with my MA/WLID. If that were the case then I wouldn't have had the issue I had earlier this year.

2-factor authentication would have saved me a lot of trouble. A LOT of trouble.

Shane Nokes said,
/Facepalm

I've told them over and over again 2-Factor Auth is important.


Most users don't want any inconveniences. They don't care about security, yet they get their account hacked and give a stupid excuse.

soldier1st said,

Most users don't want any inconveniences. They don't care about security, yet they get their account hacked and give a stupid excuse.

That's why it can be optional. If you want/need the extra security, use it. If you don't, then leave it disabled. Options are good.

Vice said,
They should offer it as an option for those that want to use it.

Ya but this is Microsoft so they will let you know what you like and are allowed to use..

Vice said,
They should offer it as an option for those that want to use it.

Resources never come in unlimited quantities. Time, money, good developers...these are all resources. You have to prioritize certain things.

Aethec said,

Resources never come in unlimited quantities. Time, money, good developers...these are all resources. You have to prioritize certain things.

I guess that is why I'll keep with Google, which, if you didn't know, offers two-factor authentication on everything: Chrome Sync, YouTube, Gmail, GDrive, Google Apps and every single other thing that uses your Google account. Just another way Google are ahead really.

"Microsoft doesn't think that most people will go for the two-factor authentication system that's an option for Gmail users."

That's because most people are idiots

warwagon said,
"Microsoft doesn't think that most people will go for the two-factor authentication system that's an option for Gmail users."

That's because most people are idiots

Hey, at least they understand the user base.. it's a step in the right direction

Ryoken said,
Hey, at least they understand the user base.. it's a step in the right direction

Yeah, and I wonder why they didn't use this kind of logic with Windows 8 development?
I guess that was a "We Know Best" situation.

I am Not PCyr said,

Yeah, and I wonder why they didn't use this kind of logic with Windows 8 development?

They did....
Unfortunately, you are too smrt to be in the 67% of the bell curve MS designs for.