rothwell.im

by Jonathan Rothwell

[LINK] Microsoft rolls out two-stage authentication

Microsoft is deploying two-step authentication for its Microsoft Account/Windows Live .NET Passport things. They (along with Apple, Twitter, and many others) should’ve done it years ago—but, as always, it’s better (much better) late than never.

We’ll verify that you have at least two pieces of security information on file (it’s always good to have a second in case you lose the first). If you have a smartphone, we’ll help you set up an authenticator app, which allows you to receive two-step verification codes even while offline (very useful on vacation and to avoid messaging fees). The next time you sign on, you’ll be prompted for a code.

Impressively, Microsoft’s implementation seems identical to Google’s: that is, it implements RFC 6238 and is therefore standards-compliant, which is more than can be said for Apple’s and Facebook’s implementations. Although two-stage authentication hasn’t been deployed to my Microsoft account yet, their Windows Phone Authenticator app works perfectly with my Google accounts with minimum fuss, and vice versa.[1]

I’m pleased. And it’s about damned time.

  1. Although Google doesn’t provide a specific option to link a Windows Phone with your account, you won’t run into any issues if you just lie and say it’s an Android, iPhone or BlackBerry. Both Microsoft’s and Google’s authenticators implement the same standard.