Microsoft to add dual-factor sign-on security 'soon': report
The company will follow very closely in Google's footsteps as it adds a more secure authentication process for logging into devices and services, LiveSide.net reports.
Microsoft will toughen up its products' security by adding dual-factor authentication "soon," according to areport today by Liveside.net.
Judging by details in the blog, the approach closely mirrors what Google did years ago: authorization requiring both a password (the first factor) and a special six-digit code retrieved from an authenticator app on a person's smartphone (the second factor). The smartphone code changes frequently so it can't be used for long.
We've contacted Microsoft for comment and will update this post when they respond. However, there's a strong indicator that there's truth to the report: the availability of an Authenticator app from Microsoft for Windows Phone 7.5 and 8, published last Friday with a version 220.127.116.11 release.
One commenter said the app "also works with Google's 2-step authentication," an indication that there could be a two-way street between Google and Microsoft systems. That could be very handy sinceGoogle offers its Authenticator app for Android, iOS, and BlackBerry and many people who might want to use Microsoft services will have those types of phones.
Dual-factor authentication makes it harder for people to get access to your account, since those trying to get access to your account need both your password and your smartphone. Even if they get access to both, they'd also need to get past your smartphone lock screen -- you do use a password or other security mechanism, right?
However, dual-factor brings a significant hassle, too.
• You must authorize your phone in advance using a pairing process.
• Software and services that tap into your account -- likely including some e-mail programs, for example -- must be reworked to handle dual-factor authentication. And until they are, you must use what Microsoft apparently will call "app passwords," and which Google calls application-specific passwords.
• You have to have your phone with you to log in to devices and services, which can be an annoyance if it's upstairs charging and you're downstairs working, or if you left your phone at home by mistake. It appears likely from the Liveside report that you'll be able to skip dual-factor authentication for frequently-accessed systems once you log in with the system once, though. And Google, at least, lets you print a set of authentication codes that you can use in an emergency instead of the dual-factor authentication.
A hassle it may be, but identity theft is a lot worse, especially in cases where hackers obtain account details for tens of thousands of account holders at a time. So it's no surprise that dual-factor authentication is gradually spreading around the industry.