How to lock down your Microsoft account and keep it safe from external attackers

What is your most valuable online account, the one most deserving of protection? If you use a Microsoft account to sign in to a Windows computer, that account and its associated email address should be the ones you guard most carefully. This is especially true if you use that Microsoft account to store OneDrive and Office 365 documents.

In this post, I list seven steps you can take to lock down your account so that it is safe against online attacks. As always, there’s a balance between convenience and security, so I’ve divided the steps into three groups, depending on how tightly you want to lock down your Microsoft account. (Note that this article covers Microsoft consumer accounts used with the personal, non-business editions of Office 365, Microsoft 365, and OneDrive. Security settings for Microsoft 365 business and enterprise accounts are managed by domain administrators through Azure Active Directory, using a different set of tools.)

Basic security

This level is sufficient for most regular PC users, especially those who do not use their Microsoft email address as their primary sign-in address for other sites. If you help a friend or relative who is not technically sophisticated and is intimidated by passwords, this is a good option.

At the very least, you should create a strong password for your Microsoft account, one that you do not use for any other account.

In addition, you should enable 2-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. When this feature is turned on, you need to provide additional proof of your identity when you first sign in on a new device or perform a high-risk activity, such as paying for an online purchase. The additional verification usually consists of a code sent as an SMS text message to a trusted device or as an email to a registered alternate address.

Better security

These basic precautions are adequate, but you can significantly tighten your security with a few extra steps.

First, install the Microsoft Authenticator app on your iPhone or Android device and set it up as a sign-in and verification option. Then remove the option to use SMS messages to verify your identity.

With this setup, you can still use your mobile phone as an authentication factor, but a potential attacker who intercepts your text messages or hijacks your phone number gains nothing from it.

Maximum security

For maximum security, add at least one physical hardware security key alongside the Microsoft Authenticator app and, optionally, remove your email addresses as a backup verification factor. This configuration puts significant obstacles in the way of even the most determined attacker.

It requires an extra investment in hardware and definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.

Step 1: Create a new, strong password

First things first: You need a strong, unique password for your Microsoft account. The best way to make sure you meet this requirement is to use your password manager’s generator to create a new password.

(No password manager? Try an online option, such as the 1Password Strong Password Generator or the LastPass Password Generator Tool.)

Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password you may have accidentally reused is not sitting in some data breach.

To change your password, go to the Microsoft account Security basics page at https://account.microsoft.com/security/. Sign in, if necessary, and then click Change Password.

[Figure: Generate a new password to make sure you don’t accidentally reuse an old one.]

Follow the instructions to save the new password in your password manager. Feel free to write it down as well if you prefer a physical backup, but be sure to keep the paper in a safe place, such as a locked file drawer or a safe.

Step 2: Print a recovery code

[Figure: Print a recovery code and keep it in a safe place; you will need it if you lose access to your account.]

The next step is to save a recovery code. If you ever find yourself unable to sign in to your account because you forgot your password, having this code will save you from being locked out permanently.

On the Microsoft account Security basics page, find the Advanced security options section and click Get started. This takes you to the advanced (not-so-basic) Microsoft account security page. (To go directly there, use this address: https://account.live.com/proofs/Manage/additional.)

Scroll to the bottom of the page and look for the Recovery code section. Click Generate a new code to display a dialog box like the one shown here.

Print the recovery code and store it in the same locked drawer or safe where you put the written-down password.

(Microsoft allows only one active recovery code per Microsoft account. Generating a new code invalidates the old one.)

Step 3: Enable two-step verification

Don’t leave the advanced Microsoft account security page yet. Instead, scroll to the Two-step verification section and make sure this option is turned on.

The setup process is a fairly simple wizard that confirms you can receive verification messages. If you’re using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for email on those phones.

And now for some more advanced security options.

Step 4: Add a secure email address as a form of verification

[Figure: Use this dialog to add secure verification options to your account.]

Microsoft recommends that you have at least two forms of verification in addition to your password. With 2-step verification turned on, if you ever need to reset your password, you’ll have to provide both forms of identification or risk being locked out permanently.

A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address is a much better choice. When necessary, Microsoft sends a verification code to that address.

Go to the advanced Microsoft account security page and click Add a new way to sign in or verify.

Choose the Email a code option, enter the email address, and then enter the code you receive to confirm the new verification option.

Step 5: Set up the Microsoft Authenticator app

Smartphone apps that generate TOTP (Time-based One-Time Password) codes are an increasingly popular form of multi-factor authentication, and I highly recommend using them for any service that supports them. (For more information about these options, see “Protect yourself: choosing the right two-factor authentication app.”)

Even if you use another authenticator app for most services, I recommend Microsoft Authenticator for your Microsoft account. In this configuration, any sign-in attempt that requires verification sends a push notification to your smartphone. Approve the request and you’re done.

An added bonus is that the Microsoft Authenticator app can be used for passwordless sign-in as well as for verification.

To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft account security page and click Add a new way to sign in or verify. Choose the Use an app option, and then, after installing the Microsoft Authenticator app, sign in to it using your account credentials.

Step 6: Remove SMS messages as a form of verification

At this point, you should have several secure ways to authenticate and verify your identity. That means it is time to remove the weakest link in the chain: SMS messages.

What makes SMS text messaging so problematic is that an attacker can hijack your mobile account. It happened to my ZDNet colleague Matthew Miller a few years ago, and I wouldn’t wish that nightmare on anyone. (For details and some additional security tips, see “Protect your online identity now: fight hackers with these 5 security safeguards.”)

Before changing this setting, make sure that you have at least two alternative forms of verification (ideally a secure email address and the Microsoft Authenticator app) and that you have saved a recovery code for your account. Then, on the advanced Microsoft account security page, expand the Text a code section.

[Figure: Once you’ve added more secure verification options, remove the SMS text message option.]

Click Remove to remove this option.

Step 7: Use a hardware security key for authentication

[Figure: With a hardware key, you can sign in to your Microsoft account using only a PIN.]

This step is the most advanced of all. It requires an investment in additional hardware, but the requirement to plug a device into a USB port or make a Bluetooth or NFC connection provides the highest level of security.

For an overview of how this type of hardware works, see “YubiKey: hardware-based 2FA is safer, but beware of these issues.”

To set up a hardware key, go to the advanced Microsoft account security page and click Add a new way to sign in or verify. Choose the Use a security key option, and then follow the instructions.

You will need to enter the PIN for your hardware key and then touch the key to activate it. When this setup is complete, you have a strong way to sign in to any service tied to your Microsoft account without having to worry about passwords.

As I mentioned at the beginning of this article, most people do not need this level of advanced protection. But if your OneDrive account contains valuable documents, such as tax returns and bank statements, you’ll want to lock it down as tightly as you can.