Ed Bott - Windows 10 Support Secrets

37 CHAPTER 3 | Staying secure For accounts that are tied to online services, you can configure an additional layer of security called multifactor authentication or, more commonly, two-factor authentication (2FA). With 2FA turned on, you set up a trusted device, such as a smartphone, typically by signing in to the service, scanning a barcode, and entering a code on that device to prove that it belongs to you. If you sign in to Windows using a Microsoft account, you can turn on 2FA by visiting https://account.live.com/proofs/ , typing your password, and then choosing the Two-Step Verification option. This makes it possible for you to receive security codes via email, text message, or an authenticator app. With that first step out of the way, any attempt to sign in on an unrecognized device using that account requires that you enter the password and then provide an additional secret code from the trusted device. This can be received as a text message or generated by an authenticator app on the device. For a Microsoft account, you can have a notification request sent to your device, as shown in Figure 3-1. Figure 3-1: Select the check box here if you’re setting up a new PC and you want to add it to your list of trusted devices. Leave that check box cleared if you’re using a borrowed or untrusted PC. You can choose from multiple authenticator apps, which all follow an open standard for generating one-time passwords that use a shared cryptographic key and are time-based. Microsoft offers an Authenticator app for Windows Phone and a separate Microsoft Account app for Android devices; both are free. If you have an iPhone, you can use the Google Authenticator app or a third-party alternative. Figure 3-2 shows what the security request from the previous figure looks like when sent to the Microsoft Account app on an Android phone.