Edited from the full Ask Leo! Live Event video, available below.
Turning on multi-factor or two-factor authentication: it goes by both terms, two-factor and multi-factor. The bottom line is that multiple forms of proof that you are who you say you are are required when you log in. Normally, when we think of just logging in with a username and password, that’s really only one factor. It is something you know: you know your username, and you know your password.
Two-factor authentication basically adds something you have. What that usually boils down to is some kind of proof that you are in possession of something physical, and I’ll show you some of the examples associated with that. Something you have, something physical, also tends to spill over into something you have access to, such as an alternate email address or another kind of account. And we say multi-factor because in fact that can still be extended.
There’s a third level that often gets added in even more highly secure scenarios, and that’s something you are, which typically boils down to biometrics. Now, biometrics can be used by itself as a second factor. But when we start looking at multi-factor authentication, you can actually have all three things required: something you know, a password; something you have, which we will prove; and then something you are, which would be a fingerprint, a retinal scan, Face ID or something like that. When you go to something like outlook.com, you click on your icon. Usually it’s an avatar; it can be the first letters of your email address.
It can be an image that you uploaded; I uploaded an image here that says AskLeo! Click on that, then click on My Account. Now you can see we’re at the same place we were on this tab, so we’ll make that one go away. My Account is where this kind of information is kept, and the place we want to go down to here is Protect Your Account, because that’s what two-factor authentication is all about. It does request that you enter your password again: you’re about to change security settings on your account, and it’s important that only you be able to do so. So even though we’re already logged in, it’s going to ask you to confirm your password yet again. In this case, you can see that LastPass, which I have enabled on this machine, has already entered it for me, so all I really need to do is click Sign In.
There’s a variety of things that you can do on the security page. I’m going to focus specifically on more security options. If I set up two-step verification, it will now walk me through the process of setting it up for the first time. I’m going to set up using a different authenticator app. Here you can see that there is a QR code being displayed. That is the QR code that will associate my account with a specific authenticator app; it’s going to be impossible for me to really show it to you. The phone is actually turned into a very strange little camera with an area in which you are supposed to target the QR code. The QR code was scanned, and now the app is showing me a number that serves as my verification code. “Verify that the pairing was successful by entering a code below”: the code it’s asking for is the one currently being shown on my phone, which, in the time since I started talking, has already changed.
So, the whole theory behind security codes and apps (let me bring this full screen again, so it’s a little bit easier to see): the whole idea is that this number being displayed by the security app on my phone will be different every 30 seconds, and it is impossible for you or me or pretty much anybody to guess or predict what the next number in the sequence is.
In fact, we are unable to guess any of the future numbers associated with this pairing; the only places that know what the next number is, or what the current number is, are the app on my specific phone and the service into which I’m logging in. What that means is that my ability to provide the correct number when asked proves that I am in possession of my phone; it proves that I have my second factor. So we have now turned on two-factor authentication for this account.
The next time I log in, or any time I log in on a device that I haven’t logged into before, it will ask me: show me, or tell me, the current code on your authenticator device to prove that you are in possession of the device. That will be required in addition to the password. The reason I point out that it will only ask for that second factor on devices on which you haven’t previously logged in is that a lot of people are worried: “Do I have to do this every time I log in?” The answer is no, of course not. When you log in, you have the option of saying “remember this machine.”
Depending on the service you’re using, you can say just “remember this machine,” or some will say “remember this machine for 30 days.” For that period of time, on that specific machine (often that specific browser on that specific machine), you will not have to prove your identity beyond knowing your user account name and password. The reason that is still incredibly secure is that the folks trying to hack into your account don’t have access to your machine; they do not have a machine on which they have successfully logged into your account. At worst, they may have your account name and password.
But with two-factor authentication turned on, the first time they try to log in from any machine it will require them to enter the second factor, which they don’t have. That’s why two-factor authentication is so incredibly powerful. Now, you can of course set up an additional identity verification app; you can run through this process again if you like. So if you want to have Google Authenticator, Authy, and the Microsoft tool that I’m running all connected, and connected separately so that they’re not all sharing the same authentication codes, you can do that. That’s not the approach that I take. As I was mentioning, I use Authy, so when I do go through this process of scanning a QR code, everything gets remembered automatically across the devices on which I have Authy installed.
What I want you to do immediately after having set something like that up is scroll down here in the Microsoft account settings to replace or set up a recovery code. In my case, I needed to log in again. In your case you may not, though you’ll probably need to log in again if you haven’t done it for a little while. The idea here, as I was saying, is that the recovery code is something you can print, or copy and paste, and save somewhere secure. If you ever lose your phone (as I was leading up to: if I ever lose my phone), right now this is the only place I have a second factor. If I lose this phone, I may not be able to log into my account.
If you run the risk of not being able to log into your account, the recovery code is your safety net. It is something that you save securely for any emergency, such as having lost your second factor. When you try to log in and it asks for your second factor, you will either give this recovery code in its place, or you will have an option to say “I don’t have my second factor,” and it will ask you for your recovery code. Microsoft’s, as you can tell, looks a lot like a product key.
And I’m sure it uses the same encryption mechanism. It is not a product key. It’s just their standard way of displaying what is essentially a very long, complex password that they set and save for you, and that you get to use exactly once in an emergency. They strongly recommend that you don’t store your recovery code on a device unprotected. That statement by itself is true: you should not store the recovery code on a device unprotected. I do store it on a device, but as I said, I encrypt it first and save it somewhere secure, so that it’s not something that somebody can just stumble on.
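The “very long password you get to use exactly once” idea above is easy to see from the service’s side. The following Python is an added example, not code from Ask Leo! or from Microsoft: a hypothetical server-side store that issues a product-key-style recovery code, keeps only a hash of it, tolerates how a person types a printed key back in, and forgets the code the moment it is redeemed. The alphabet, the 5×5 layout and the `RecoveryCodeStore` class are assumptions for illustration, not Microsoft’s real format.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/O, 1/I) so a printed code can be read back.
# The alphabet and the 5 groups of 5 are constructed for this example.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
GROUPS, GROUP_LEN = 5, 5   # rendered like a product key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


def generate_recovery_code() -> str:
    """A long random password the service sets for the user.
    25 symbols from a 32-symbol alphabet is 125 bits of entropy: not guessable."""
    groups = ["".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN)) for _ in range(GROUPS)]
    return "-".join(groups)


def normalize(code: str) -> str:
    """Tolerate how people type a printed key: case, spaces and dashes are ignored."""
    return "".join(ch for ch in code.upper() if ch in ALPHABET)


def _digest(code: str) -> bytes:
    # A plain hash is enough here because the input is 125 random bits, not a human-chosen password.
    return hashlib.sha256(normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Hypothetical server side: keeps only a hash, and deletes it when the code is redeemed."""

    def __init__(self) -> None:
        self._by_user: dict[str, bytes] = {}

    def issue(self, user: str) -> str:
        code = generate_recovery_code()
        self._by_user[user] = _digest(code)   # "replace or set up": any older code is invalidated
        return code                           # shown to the user exactly once; never stored in the clear

    def redeem(self, user: str, submitted: str) -> bool:
        stored = self._by_user.get(user)
        if stored is None:
            return False
        if not hmac.compare_digest(stored, _digest(submitted)):
            return False
        del self._by_user[user]               # single use: a second attempt with the same code fails
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    code = store.issue("example-user")
    print("recovery code shown once:", code)
    print("first redeem:", store.redeem("example-user", code.lower()))
    print("second redeem of same code:", store.redeem("example-user", code))
```

The two properties worth copying are the ones the text describes: the service can verify the code without keeping a copy of it, and redeeming it consumes it, so the same printed code cannot be replayed later.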
But this is how you would regain access to your account, should you not be able to use your second factor. So let’s go ahead and save that, and let’s assume that I saved it somewhere safe. Setting up a security key: a security key is one of these. This is a YubiKey. There are several made by different manufacturers, and it can be the second factor associated with your account. It acts in various ways depending on the application asking you to prove that it exists.
The short version is that when the app asks you for a second factor, it will ask specifically for any security key that you’ve configured. I’m going to step ahead here so that you can see what it’s asking you to do. There are two different kinds; actually, this one does both, but it’s obviously USB. It’s something that you stick into a USB port. When you associate it, what happens is that you press the button in the middle of the key, and it actually enters some information into your computer. I believe there’s a private protocol, but in the worst case you can actually plug this in, fire up Notepad, hit the button, and it acts as a virtual keyboard: you can see what looks like a random string of numbers get entered. That is the confirmation that you have the key in your possession.
Like the authenticator app that we just set up, your key is associated with your account. The information stored on your key is unique to the key; every key is different. When you associate your key with the account, as this step is about to do, what you are doing is setting up a permanent and unique link to this specific key; it becomes your second factor. For people who like physical keys: you can see I’ve got this one on a small carabiner so I can carry it with me.
For people who like physical keys, it is extremely secure. You can add more than one, and I know of at least one reader who suggests you always get two: you associate both, and you store one safely, in a safe for example, so that if you ever lose the first one, you always have the second one to fall back on. It’s very similar to my recommendation that you set up a recovery code and store it in a safe place. I’m not going to actually associate one here today, simply because the machine you’re looking at is a virtual machine, and we would have to jump through a couple of hoops to make my physical USB port, and this key, available to the virtual machine. But that’s what you would do if you used a security key.
Let’s see, Windows Hello is the fingerprint reader on your machine, if you have one; I’m not going to touch on that right now. Trusted devices are simply those machines that it thinks you have logged in on. If, for example, I’ve signed in on my laptop and jumped through the two-factor authentication hoop so that I don’t need to enter the second factor over and over again, and I then lose that laptop, there are two approaches to dealing with that.
One is to immediately come here and remove all the trusted devices associated with your account, which means that every device, the next time you log in with your account, will require that you enter that second factor for two-factor authentication. The other thing, of course, that we more often recommend is that you change your password.
That is also a good option, and my recommendation, honestly, is that you do both. Next, security contact info. I’ve mentioned a couple of times that when you don’t have your second factor, or in some cases when the service wants some additional verification that you are who you say you are, they will accept your password but then require that you enter a code sent to an alternate email address.
These are those alternate email addresses. You can have multiples of these. When you get the request for a security code sent to your alternate email address, it may send it to more than one of these, or it may allow you to select one of them to send to. It depends on the service; I believe Microsoft lets you select which one. You’ll notice that these accounts are also labeled as “will receive alerts.” So, for example, as you add second-factor authentication devices to an account, or especially if you remove a second-factor authentication option from an account, the system will send an alert message to make sure that you know this happened, in case somebody unauthorized does it without your permission.
The other thing I want to do is actually add a phone number, and the phone number that I’m going to add may surprise you. I have to see if I can bring it up here real quick. Not the number itself; I honestly don’t care if you know this number, because it’s not a number that I ever answer. It is texting that number a code that I have to enter, and it has actually come in already: 4823. I have now added a text messaging number to my account. You can see it says “won’t receive alerts.”
Those are options. You can see “change alert options”; you could have it text you every time something happens on your account. The magic behind that specific number, and the reason I’m bringing it up right now, is that it is actually a Google Voice number. You’ll notice I didn’t grab my phone to receive the SMS. If you set up a Google Voice number, which is still free, you can use that as an SMS target for any of the services you might be interested in using it for. I happen to use it for my voicemail; I’ve got a couple of them. I never answer that number; it always goes directly to voicemail, and any text messages received by that number get ignored. But you can see that it’s great for the scenario we’re using today, where I can set up this example.
One of the reasons I bring that up specifically is that the most common lockout situation involving two-factor authentication happens to people who are traveling, especially overseas. That is one of the times Microsoft will automatically trigger a request for additional validation that you are who you say you are. If you’ve enabled two-factor authentication, then that will be enough. If you’ve got an authenticator app that you’re using as your second factor, that should be enough, because it does not require connectivity.
It simply requires that your phone, the device that has that second factor, have the right time. It’s all time-based, but as long as the time is close, the second factor you enter from the mobile app will work. However, not everybody does that; not everybody has two-factor authentication enabled. The second factor Microsoft then goes to is your alternate email addresses (the ones we’ve set here) or, in some cases, the SMS number we’ve set here. If you can’t access those email accounts, or you don’t have access to your phone because you’ve traveled overseas and are outside your carrier’s area, you can’t log into your account. I bring this up specifically because with this Google Voice number, as long as I can log into the Google account it is associated with, I can receive SMS text messages, and I can then use those as my second factor for things like my Microsoft account, as I’ve done here.
So we now have a couple of different email addresses we can use when logging in. Security info, I think, is just adding more phone numbers and more email addresses if you want to, and we can get ourselves alerted. Let’s do something dramatic. I’m going to fire up a different browser just so that we can see: outlook.com, sign in, and now it’s asking for the email address. I enter it. The password, LastPass again is remembering for me; I’ll go ahead and check “keep me signed in.” Now it’s asking me for the code. I’ll say go ahead, don’t ask me again on this device.
The code currently showing on my device is 594434. And we’re logged in successfully using two-factor authentication. That was a lot about two-factor authentication, specifically for Microsoft. The important thing that I want to leave you with in talking about two-factor authentication is that it is by far the single most important way to secure your account. Even if your password is ever disclosed, accidentally or through a breach, the person who has your password cannot log in to your account unless they have your second factor, and they won’t. Your second factor will be on your mobile phone.
It’ll be the key in your pocket. It’ll be the alternate email address that you have access to. Set those up. Make sure that they’re set up, and, especially in the case of alternate email addresses and phone numbers, make sure that they are kept current. One of the very common ways I hear about people losing access to their account is that they set it up years ago with an alternate email address that they no longer have access to. They forget their password and lose access to their account.
There’s nothing we can do. So make sure you avail yourself of all of the options available in whatever service you use: primary and alternate email addresses, SMS, alternate phone numbers, two-factor authentication, multiple types of two-factor authentication, multiple devices if that’s what you want to secure yourself with, and a recovery code. Make sure you’ve got a recovery code set up, saved and squirreled away somewhere safe. That way, especially for those all-important accounts, you may get your password hacked (it could happen), but you won’t care, because nobody will be able to get into your account without your second factor.
Full Ask Leo! Live Event
Footnotes & References
1: The normal HD recording — 1920×1080 aka 1080p — didn’t happen because I neglected to push a button. “HD” downloads for this video are at 1280×720, aka 720p.