How to turn on 2 step authentication (login verification) in Hotmail

EQ Admin

EQ Forum Admin
Staff member
Hello,

To help protect your Hotmail and Outlook.com logins, please enable 2-step verification:
  • Log in to Sign in to your Microsoft account
  • If you have an alternate address, verify it
  • When prompted, enter your security code
  • Click the link for Set up 2 step verification

Continue to follow the prompts of the Set up two-step verification wizard to finish securing your Microsoft account.

If you need access to your account from devices that don't support 2-step verification, such as an Xbox 360 or a mail program on your computer, create an application password.
 

foggy

Valued Member
I mentioned the following the other day at EMD, but I thought I would mention it here, too.

Based on a blogpost about Outlook's recent security updates I decided to check my own Outlook account. I set up 2FA and have the option of receiving the code on my phone or at an alternate email address.

To test things, I went to a neighbor's house and tried to log in to my account on her computer, as a hacker might who had one factor (my password) but not the second. Well, on the code page I clicked on the drop-down arrow and selected the option that "I don't have access to the other items" (again, as a hacker might). Outlook asked for another alternate email -- I gave it my aunt's -- and promptly sent a code to that other address!!

If this is the way MS's 2FA is supposed to work, it's not quite the level of security of Gmail's version, is it? It's like handing accounts to hackers on a silver platter, since many who have enabled 2FA are going to trust that enough to reduce the quality of their own passwords (from, say, 16 characters to 6). And, if my experience is repeatable for others, a whole lot of Outlook accounts are more vulnerable than they were before.

Incidentally, as I recall, my own computer is also a 'trusted pc,' according to MS. My aunt's is not. In fact, she doesn't even have a MS account of any kind. But I still got in to my "protected" Outlook account on her computer using nothing but the password!

Perhaps someone else could confirm this?
 

EQ Admin

EQ Forum Admin
Staff member
No, you should not be able to use your Aunt's address unless you have it configured in your account as an alternate email address.

Is your aunt's email address listed as an alternate address in your Hotmail/Outlook?

I have the Authenticator app on my iPhone configured with 2-step verification in Outlook.

If I try to log in to Outlook.com and say I don't have access to my phone with the authenticator app, I'm then prompted to use my cell phone and other email accounts, but I do not have the option to use a 3rd party email account that does not belong to me.

If you don't have the authenticator app, and only have alternate email addresses, and there is a way to send a code to an unverified 3rd party email address, that's a security bug.
 

foggy

Valued Member
Thanks, Ray.

No, the address is not listed in the account anywhere.

As it happens, I went back and tried this out again. I got the 4-digit code sent to my aunt's address and entered it in the space provided at Outlook. But Outlook just refreshed the page and did not let me in. The same thing happened previously, but I chalked it up to a browser issue on my aunt's computer, not Outlook successfully keeping out an unauthorized user. :eek:

I suppose that's a good thing Outlook kept me out of this test, but it's still somewhat disconcerting that Outlook would even send the code to begin with instead of giving me (or whoever would be trying to get in the account) a message saying that the email address (or phone number) was not valid. It's an odd thing for an email provider to do that claims it's trying to keep its users more secure. :rolleyes:
 

EQ Admin

EQ Forum Admin
Staff member
Yes, thanks for the update!

It's good to hear it's just a bug and not a security concern that could have been leading to hacked accounts.
 

foggy

Valued Member
Well, I just found something else: when I had Outlook send a code to my aunt's email address, apparently it also sent a verification request to my alternate email address and sent a text to my phone to enter a particular code (4-digit number) for the same reason. IOW, Outlook was sending verification requests to all my backup contact points.

The problem here is that Outlook provides in their dropdown menu selection (for where to send the 2FA code) the option stating that the user doesn't have the phone or back-up address. So, the obvious question is: How does MS expect the user to enter the new email address verification code and use the new address to get into his/her account if the whole point in adding the new address is because he/she doesn't have access to the phone or back-up email address?!
 

Big Dan

EQ Forum Moderator
Sorry for digging up an old thread, but I turned on 2FA for my outlook.com account a little while back. My biggest pet peeve is you have to use Microsoft's auth app instead of Google Authenticator, where all my other 2FA codes reside. Although, I will say on Android being able to approve right from the Android notification vs opening the app is pretty cool.

My Hotmail account isn't very important to me. It's pretty much a disposable address to me but since I've now tied it to Office 365 and my Windows 10 login, I thought it prudent to protect it with 2FA. I know this thread is old but as long as I have a valid backup method (cell phone text) and a recovery code, I'm good to go right?

I'd like to think enabling 2FA didn't just throw a minor monkey wrench into someone else logging into my account. It should stop someone with only my username and password dead in their tracks.
 

EQ Admin

EQ Forum Admin
Staff member
Big Dan said: "My biggest pet peeve is you have to use Microsoft's auth app instead of Google Authenticator"

I'm using Google Authenticator for my Outlook.com account. When turning it on there is an option to show a QR code that Google Authenticator can use to add the account.
 

Big Dan

EQ Forum Moderator
EQ Admin said: "I'm using Google Authenticator for my Outlook.com account. When turning it on there is an option to show a QR code that Google Authenticator can use to add the account."

No kidding. I must have missed that. Thanks. I'll play around with it later today.
 