Microsoft Two Step Verification: The Good, The Bad, and The Ugly
I decided to give two step verification a try this morning. While I welcome added security to make things harder for the bad guys, I was a bit hesitant because I couldn’t find a clear explanation as to what I should expect. Well, it’s done and here is what I know so far.
Setting up TSV on my primary Hotmail account was relatively easy from my desktop PC. I activated they service and opted to have Microsoft send me a verification code via text (I could have also opted to get a code via phone call or alternate email address, so no worries Marti). Before I could start though, I had to unlink the new Outlook account I created when that domain became available. Microsoft indicated that I would be able to relink the account after setting up TSV (more on that later). After TSV was activated it was also easy to activate the Windows Phone Authenticator account by scanning the barcode on the screen.
I repeated the above for the new Outlook account and a business (Live) account that I use. Note: the Authenticator app can generate codes for multiple email accounts. All went smoothly. As Windows Phone and XBox don’t yet work with TSV, and require a custom generated App password, I tried accessing these email accounts from my phone and didn’t get any login errors. I also turned on XBox and didn’t get a sign in error when connecting. All good so far.
So that you don’t need to verify a device each time you login to it, you can “Trust” the device. In the past, you were able to view which devices were trusted, but no more. You can untrust ALL of your devices, but you can’t view them. So, it would be good to login to all your devices after activating TSV, and check the box, “I sign in frequently on this device”, if you don’t want to be bothered with these nag screens.
All of my phone apps that access SkyDrive would not connect after activating TSV. I needed to open the Authenticator app which generated a code for my email address, switch back to the app, enter my SkyDrive password and then my authentication code. I believe these generated codes have a short life so you need to navigate rather quickly. Hopefully, I don’t need to do this each time the apps get updated. You can find out which apps are accessing your Microsoft account by going to Microsoft Account>Permissions>Apps & Services. My apps included; SkyWallet, Handscan, CleverToDo & ShareFolder.
The SkyWallet WP app currently uses a stand alone desktop client, that allows you to access your encrypted password file which is stored on SkyDrive. The first time I tried to login to the app from my desktop, I got the, “can’t login to SkyDrive message”. I needed to login to my Microsoft account via my desktop (the WP Authenticator app won’t work for desktop app passwords, although it worked fine for phone app codes) and generate an app password (a 16 character alpha code) and copy/paste it into SkyWallet app. That worked ok. But, I use this app on both my desktop and notebook. When I tried logging in from the notebook, I got the same error. When I opened my Microsoft account from the notebook and generated an App password, it of course was different than the first one. After the copy/paste I was able to sync my password data. But opening the app on my desktop presented the same error again. I needed to write down the alpha code generated on my notebook and manually type the code into SkyWallet on my desktop. I believe the code needs to be used within a short time period so time is of the essence. That worked and subsequent openings/closings seem to be working. I know this may be an isolated issue with a particular app, but it is still troublesome. Note:
I tried accessing SkyDrive via the All My Storage Win 8 app and had no problems from my “trusted” devices. Update: When trying to access a TSV SkyDrive account, not connected to my device (desktop/notebook/tablet) I needed to delete the account, re-created the account, log back into SkyDrive with that account’s credentials and then enter the code created by the WP Authenticator app. Same process as with setting up the WP apps.
I have tried several times to re-link my Outlook account to my Hotmail account, as Microsoft said I could after activating TSV. But it’s a no go. I even went through the trouble of activating TSV on that account (tried before and after) with no luck. So, I guess their still working on it, maybe.
I expect to find a few more issues in the next couple days which always seems to happen when something appears too easy to be true. But after all these years, I am anything but surprised. Goes with the territory.
Hey Jim, did you take this plunge for the sake of upping your accounts’ security, because you have some sort of curiosity to charter the digital landscape or to be able to recount the experience for the sake of others and/or to collect tips on how to mitigate some of the frustrations from our readers? All of the above?
Good luck with that linkage situation. Out of curiosity, were you to bail out of the two step verification system now, would you then be able to re-link your domain or did you do some indefinite damage here?
Sort of all of the above. More security is always better, but I was concerned about how this two-step thingy would work regarding third party apps. Couldn’t find an answer so I decided to dive in myself. And always willing to share my early adopter experience, good or bad.
At the office this morning, still entering authentication keys and generated app passwords for third party apps, One Note and Outlook, which was a big surprise for me. The PC is already trusted. You would think that Outlook 2013 would also be. And of course, the dialog box in Outlook asking for your email password (which is really asking for the secret generated app password) does not permit paste. So I had to transcribe the 16 character alphacode yet again. But I guess it is all worth it, provided a contracted CS rep from Microsoft does not give away the farm when someone calls claiming their me, begging to be let in to my account.
The relink is for an Outlook.com address, to eventually replace my Hotmail.com address, when I get a new phone and need to reset everything. No idea why they won’t let me relink the account. Not that big a deal, as that account is currently sitting idle. But it could be when I start using the account. And yes, there is an option to turn off two-step verification. But this last time I turned something off from Microsoft (a SharePoint account) they completely closed my attached Hotmail account. Took five days of phone calls to get my address back. Don’t want to repeat that.