Microsoft to add dual-factor sign-on security 'soon': report

The company will follow very closely in Google's footsteps as it adds a more secure authentication process for logging in to devices and services, LiveSide.net reports.

Stephen Shankland principal writer
The Microsoft Authenticator app appears to work very similarly to Google's app of the same name used for dual-factor authentication. Microsoft

Microsoft will toughen up its products' security by adding dual-factor authentication "soon," according to a report today by LiveSide.net.

Judging by details in the Microsoft-focused blog, the approach closely mirrors what Google did years ago: authentication requiring both a password (the first factor) and a special six-digit code retrieved from an authenticator app on a person's smartphone (the second factor). The smartphone code changes frequently so it can't be used for long.

Microsoft offered only this comment today: "Security and privacy is a priority for Microsoft, however we have nothing new to share at this time."

However, there's a strong indicator that there's truth to the report: the availability of an Authenticator app from Microsoft for Windows Phone 7.5 and 8, published last Friday with a version release.

One commenter said the app "also works with Google's 2-step authentication," an indication that there could be a two-way street between Google and Microsoft systems. That could be very handy since Google offers its Authenticator app for Android, iOS, and BlackBerry and many people who might want to use Microsoft services will have those types of phones.
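Google Authenticator's six-digit codes follow the open TOTP standard (RFC 6238), which is why an app from a different vendor can produce the same codes; that Microsoft's service uses this scheme is an assumption here, not something the report confirms. The sketch below is an added example, not code from Microsoft, Google, or LiveSide: it derives the code from a shared secret and the clock, and shows server-side checks for expiry, clock drift, and replay, using the constructed RFC 6238 test secret and hypothetical function names.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default)
DIGITS = 6   # code length described in the article

# Constructed sample: the RFC 6238 test secret in the base32 form that is
# typically exchanged when a phone is paired. Not a real account secret.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """What any compliant authenticator app displays at unix_time."""
    return hotp(secret, unix_time // STEP)


def verify(secret, submitted, unix_time, last_used_step=-1, drift=1):
    """Server side: return the matched time step, or None to reject.

    Accepts +/- drift steps of clock skew and refuses any step at or
    before last_used_step so a captured code cannot be replayed.
    """
    now = unix_time // STEP
    for step in range(max(0, now - drift), now + drift + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print(code, verify(SECRET, code, 59))       # accepted in its window
    print(verify(SECRET, code, 59 + 2 * STEP))  # expired: rejected
    print(verify(SECRET, code, 59, last_used_step=1))  # replay: rejected
```

A server that stores the step returned by `verify` and passes it back as `last_used_step` on the next login makes each code single-use.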

In 2012, Microsoft acquired PhoneFactor, a provider of multi-factor authentication technology that uses phones.

Dual-factor authentication makes it harder for people to get access to your account, since those trying to get access to your account need both your password and your smartphone. Even if they get access to both, they'd also need to get past your smartphone lock screen -- you do use a password or other security mechanism, right?

However, dual-factor brings a significant hassle, too.

• You must authorize your phone in advance using a pairing process.

• Software and services that tap into your account -- likely including some e-mail programs, for example -- must be reworked to handle dual-factor authentication. And until they are, you must use what Microsoft apparently will call "app passwords," and what Google calls application-specific passwords.

• You have to have your phone with you to log in to devices and services, which can be an annoyance if it's upstairs charging and you're downstairs working, or if you left your phone at home by mistake. It appears likely from the LiveSide report, though, that you'll be able to skip dual-factor authentication on frequently accessed systems after you've logged in to them once. And Google, at least, lets you print a set of authentication codes that you can use in an emergency instead of the dual-factor authentication.

A hassle it may be, but identity theft is a lot worse, especially in cases where hackers obtain account details for tens of thousands of account holders at a time. So it's no surprise that dual-factor authentication is gradually spreading around the industry.

Facebook, Yahoo, PayPal, and Dropbox already offer dual-factor authentication, with Dropbox customers able to use Google Authenticator. Twitter posted a job listing indicating its interest, too.

Updated at 8:00 a.m. PT with Microsoft's response.