How to lock down your Microsoft account and guard it from attackers



Gorgaiphotography/Getty Images

What’s your most valuable online account, the one most deserving of protection? If you have a personal Microsoft account, that account should be among those you guard most jealously. That’s especially true if you use that account and its associated email address to sign in to one or more Windows PCs or to create and save documents using the Office apps in Microsoft 365 and Microsoft’s OneDrive cloud storage service. 

In this post, I list seven steps you can take to help you lock that account down so it’s safe from online attacks. Your goal is to prevent an unauthorized person from stealing your account credentials and using them to access your private information. 

As always, there’s a balancing act between convenience and security, so I’ve divided the steps into three groups, based on how tightly you want to lock down your Microsoft account.

Also: 6 simple cybersecurity rules to live by

And here’s an important note right up front: This article is about the free consumer Microsoft accounts used with Microsoft 365 Family and Personal editions and the personal OneDrive service. These accounts are typically associated with an email address using the domain, although older accounts might also use,, or Security settings for business and enterprise Microsoft 365 accounts, which use the OneDrive for Business cloud service, are managed by domain administrators through Azure Active Directory, using a completely different set of tools.

How much security do you need?

Baseline: The baseline level of security (steps 1-3) is perfectly acceptable for most casual users of Microsoft services, especially those who don’t use their Microsoft email address as a primary factor for signing in to other sites. If you’re helping a friend or relative who’s technically unsophisticated and intimidated by passwords, these options will do a lot of good.

The first step is to create a strong password for your Microsoft account, one that’s not used by any other account. Next, you’ll turn on two-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. Enabling that feature requires you to supply additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as changing your password or adding a credit card to your account. The additional verification typically consists of a code sent in an SMS text message to a trusted device or in an email message to a registered alternate account.

Finally, you’ll save a recovery code that allows you to access your account if you forget that password and don’t have access to any other authentication methods.

Better: Those baseline precautions are adequate, but you can tighten security significantly with the actions outlined in steps 4 and 5.

Also: User forgetfulness drives preference for biometrics over passwords

First, install the Microsoft Authenticator app on your smartphone (it’s available for iPhone and Android devices) and set it up for use as a sign-in and verification option. Then add a secure email address as a backup factor to verify your identity.

Maximum: The final two steps provide the most extreme security, adding at least one physical hardware key along with the Microsoft Authenticator app, and then removing SMS text messages as a backup verification factor. With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won’t be able to break into your account by intercepting text messages or hijacking your mobile phone account.

That configuration places significant roadblocks in the way of even the most determined attacker. It requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.

Let’s get started.

Here’s how to lock down your Microsoft account

First things first: You need a strong, unique password for your Microsoft account. Microsoft requires a minimum password length of eight characters, but security experts recommend that you make your password longer. A good length is 12-16 characters, using any random combination of uppercase and lowercase letters, numbers, and special characters. You can also use a passphrase consisting of four or more randomly selected words, separated by a special character such as a hyphen.

The best way to ensure that you’ve nailed this requirement is to use your password manager’s tools to generate a brand-new, random password or passphrase. (No password manager? Try an online option like the 1Password Strong Password Generator or the Bitwarden Password Generator.)

Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn’t part of a password breach.

Also: The best password managers to save you from login hassle 

To change your password, go to the Microsoft Account Security Basics page at Sign in, if necessary, then click Change Password. (But don’t check the box that requires you to change your password every 72 days. That will surely annoy you, and it won’t make your account appreciably more secure.) 

Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just make sure to store the paper in a secure location, such as a locked file drawer or a safe.

Don’t leave the Microsoft Account Security page just yet. Instead, scroll up to the Two-Step Verification section (under the Additional Security heading) and make sure this option is turned on.

The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. If you’re using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.

The next step is to save a recovery code. If you’re ever unable to sign in to your account because you’ve forgotten the password, having access to this code will save you from being permanently locked out.

Setting up two-step verification, as you did in the previous step, automatically prompts you to create a recovery code. If you didn’t keep a copy of that code, you’ll need to create a new one. On the Microsoft Account Security Basics page, find the Advanced Security Options section and click Get Started. That takes you to the not-so-basic Microsoft Account Security page. (To go there directly, bookmark this address:

Also: How AI can improve cybersecurity by harnessing diversity

Scroll to the bottom of the page and look for the Recovery Code section. Click Generate A New Code to display a dialog box like the one shown here.

Print out that recovery code and file it away in the same locked file cabinet or safe where you put your password. (Microsoft allows you to generate only one code at a time for a Microsoft account. Generating a new code renders the old code invalid.)

And now for some more advanced security options.

Smartphone apps that generate Time-based One-time Password Algorithm (TOTP) codes are an increasingly popular form of multi-factor authentication, and I highly recommend their use for any service that supports them. (For more on these options, see “Protect yourself: How to choose the right two-factor authenticator app.”)

Even if you use another authenticator app for most services, I recommend using Microsoft Authenticator with your Microsoft account. In this configuration, any sign-in attempt that requires verification sends a push notification to your smartphone. Approve the request, and you’re done.

Also: The easiest thing you can do to keep your phone secure

An added bonus is that the Microsoft Authenticator app can be used for passwordless sign-in as well as verification.

To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use An App option and then, after installing the Microsoft Authenticator app, sign in using your account credentials.

Microsoft recommends that you have at least two forms of verification available in addition to your password. If you need to reset your password, when two-step verification is enabled, you’ll need to supply both of those forms of identification or you risk being permanently locked out.

A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address secured by a professional IT staff is a much better choice. If necessary, you can have a verification code sent to that email address.

Go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify.

Choose the Email A Code option, enter your email address, and then enter the code you receive to confirm that verification option.

This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC adds the highest level of security.

For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”

Also: The best security keys to protect yourself and your business

To configure a hardware key, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use A Security Key option and then follow the prompts. You’ll need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you’ve got a powerful way to sign in to any service powered by your Microsoft account without having to fuss with passwords.

As I mentioned at the start of this article, most people don’t need this level of advanced protection. But if your OneDrive account includes valuable documents like tax returns and bank statements, you’ll want to lock it down as tightly as possible.


Source link