Security Advisor
Microsoft Adding Two-Factor Authentication for Outlook.com
Looks like Microsoft will be adding another layer of security to its account system with the introduction of a new two-factor authentication system.
According to LiveSide, those customers that opt in for the new service will be prompted to enter a randomly generated password (along with your account password) by a mobile Authenticator app.
As with Google's similar security authentication, the mobile code will refresh frequently, so make sure to keep your phone handy when logging in.
While Microsoft is staying tight-lipped on the specific details of its new authentication system, including all the services this is getting rolled out to, the companion mobile app is already available in the Windows Store, and gives us the most insight we're going to get on the process in the app description:
"The Authenticator app generates security codes you can use to help keep your Microsoft account secure. You can add your Microsoft account to the app by scanning a barcode or by manually entering a secret key. The app implements industry-standard security code generation and may also work with other services and providers."
One headache of this new process is that linked accounts will have to be unlinked and then linked again before the mobile authentication step can be taken advantage of. Also, what happens if you forget to grab your phone as you walk out the door in the morning? Looks like you'll be without access to your Microsoft account if it decides to generate a new code.
However, the benefits heavily outweigh the minor inconvenience that comes with implementing the second security step. It'll be quite a bit harder for attackers, who now will have to steal both your login credentials and your mobile phone if they want to gain access to your account.
In fact, adding this second step could drastically lower the chance of account hijacking. So why doesn't every online service provider already have a similar system in place? Sophos security advisor Chester Wisniewsk agrees, speaking out vocally on the issue of two-factor authentication after last month's major Twitter breach.
"It is high time Twitter implement something to augment account security," said Wisniewski. "Two-factor authentication would be a great option for protecting high-profile brands, celebrities and those who simply want that extra layer of security for their online identity."
For those who like to keep up with what Microsoft likes to pull the checkbook out for, the news of this new authentication system should not exactly be a suprise. Last October I reported on the Microsoft acquisition of the authentication company PhoneFactor and Microsoft's commitment to bringing the technology to many of its products and services.
"The acquisition of PhoneFactor will help Microsoft bring effective and easy-to-use multifactor authentication to our cloud services and on-premises applications," said Bharat Shah, corporate vice president, Server and Tools Division for Microsoft. "In addition, PhoneFactor's solutions will help Microsoft customers, partners and developers enhance the security of almost any authentication scenario."
So what do you think? Is two-factor authentication the cure for constant account attacks? Or is it more of a nuisance than a solution? Let me know in the comments below.