What’s your most valuable online account, the one most deserving of protection? If you use a Microsoft account to sign in to a Windows PC, that account and its associated email address should be the one you guard most jealously. That’s especially true if you use that Microsoft account for OneDrive storage and Office 365 documents.
In this post, I list seven steps you can take to help you lock that account down so it’s safe from online attacks. As always, there’s a balancing act between convenience and security, so I’ve divided the steps into three groups, based on how tightly you want to lock down your Microsoft account. (It’s worth noting that this article is about consumer Microsoft accounts used with Home and Personal editions of Office 365, Microsoft 365, and OneDrive. Security settings for business and enterprise Microsoft 365 accounts are managed by domain administrators through Azure Active Directory, using a completely different set of tools.)
Also: Best VPNs
Baseline security
This level is sufficient for most ordinary PC users, especially those who don’t use their Microsoft email address as a primary factor for signing in to other sites. If you’re helping a friend or relative who’s technically unsophisticated and intimidated by passwords, this is a good option.
At a minimum, you should create a strong password for your Microsoft account, one that’s not used by any other account.
In addition, you should turn on two-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. When that feature is enabled, you have to supply an additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification typically consists of a code sent as an SMS text message to a trusted device or in an email message to a registered alternate account.
Also: Better than the best password: How to use 2FA to improve your security
Better security
Those baseline precautions are adequate, but you can tighten security significantly with a couple extra steps.
First, install the Microsoft Authenticator app on your iPhone or Android device and set it up for use as a sign-in and verification option. Then remove the option for using SMS text messages to verify your identity.
With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won’t be able to intercept text messages or spoof your phone number.
Also: Microsoft urges users to stop using phone-based multi-factor authentication
Maximum security
For the most extreme security, add at least one physical hardware key along with the Microsoft Authenticator app and, optionally, remove email addresses as a backup verification factor. That configuration places significant roadblocks in the way of even the most determined attacker.
It requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.
Also: Best security keys in 2020: Hardware-based two-factor authentication
Step 1: Create a new, strong password
First things first: You need a strong, unique password for your Microsoft account. The best way to ensure that you’ve nailed this requirement is to use your password manager’s tools to generate a brand-new password.
(No password manager? Try an online option like the 1Password Strong Password Generator or the LastPass Password Generator Tool.)
Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn’t part of a password breach.
To change your password, go to the Microsoft Account Security Basics page at https://account.microsoft.com/security/. Sign in, if necessary, then click Change Password.
Also: The best password managers for business: 1Password, Keeper, LastPass, and more
Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just make sure to store the paper in a secure location, such as a locked file drawer or a safe.
Step 2: Print out a recovery code
Next step is to save a recovery code. If you’re ever unable to sign in to your account because you’ve forgotten the password, having access to this code will save you from being permanently locked out.
On the Microsoft Account Security Basics page, find the Advanced Security Options section and click Get Started. That takes you to the not-so-basic Microsoft Account Security page. (To go there directly, bookmark this address: https://account.live.com/proofs/Manage/additional.)
Scroll to the bottom of the page and look for the Recovery Code section. Click Generate A New Code to display a dialog box like the one shown here.
Print out that recovery code and file it away in the same locked file cabinet or safe where you put your password.
(Microsoft allows you to generate only one code at a time for a Microsoft Account. Generating a new code renders the old code invalid.)
Step 3: Turn on two-step verification
Don’t leave the Microsoft Account Security page just yet. Instead, scroll up to the Two-Step Verification section and make sure this option is turned on.
The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. If you’re using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.
And now for some more advanced security options.
Step 4: Add a secure email address as a form of verification
Microsoft recommends that you have at least two forms of verification available in addition to your password. If you need to reset your password, when two-step verification is enabled, you’ll need to supply both of those forms of identification or you risk being permanently locked out.
A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address is a much better choice. If necessary, you can have a verification code sent to that address.
Go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify.
Choose the Email A Code option, enter your email address, and then enter the code you receive to confirm that verification option.
Also: Best email hosting services in 2020: G Suite, Microsoft 365, and more options
Step 5: Set up the Microsoft Authenticator app
Smartphone apps that generate Time-based One-time Password Algorithm (TOTP) codes are an increasingly popular form of multi-factor authentication, and I highly recommend their use for any service that supports them. (For more on these options, see “Protect yourself: How to choose the right two-factor authenticator app.”)
Even if you use another authenticator app for most services, I recommend using Microsoft Authenticator for use with your Microsoft Account. In this configuration, any sign-in attempt that requires verification sends a push notification to your smartphone. Approve the request, and you’re done.
An added bonus is that the Microsoft Authenticator app can be used for passwordless sign-in as well as verification.
To set up Microsoft Authenticator with a Microsoft Account, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use An App option and then, after installing the Microsoft Authenticator app, sign in using your account credentials.
Step 6: Remove SMS text messages as a form of verification
By this point, you should have more than enough secure ways to authenticate yourself and verify your identity. That means it’s time to remove the weakest link in the chain: SMS text messages.
What makes SMS text messages so problematic from a security point of view is the reality that an attacker can hijack your mobile account. It happened to my ZDNet colleague Matthew Miller a few years ago, and I wouldn’t wish that nightmare on anyone. (For details and some additional security advice, see “Protect your online identity now: Fight hackers with these 5 security safeguards.”)
Before you change this setting, confirm that you have at least two alternative forms of verification (a secure email address and the Microsoft Authenticator app, ideally) and that you’ve saved a recovery code for the account. Then, from the advanced Microsoft Account Security page, expand the Text A Code section.
Click Remove to eliminate this option.
Step 7: Use a hardware security key for authentication
This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC adds the highest level of security.
For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”
To configure a hardware key, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use A Security Key option and then follow the prompts.
You’ll need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you’ve got a powerful way to sign in to any service powered by your Microsoft Account without having to fuss with passwords.
As I mentioned at the start of this article, most people don’t need this level of advanced protection. But if your OneDrive account includes valuable documents like tax returns and bank statements, you’ll want to lock it down as tightly as possible
