Keeping your Microsoft account secure

Applies to: Microsoft account, Xbox account & Office account

When helping people online, I often come across people who have been unfortunate enough to have their accounts hacked or compromised. Unfortunately, by the time most people realise and come asking for help to get their accounts back, it is too late.

If you have been unfortunate enough to have your account compromised, please take a look at this article on how to recover it: How to recover a hacked or compromised Microsoft account - Microsoft Support

This article will go through recommendations to help you keep your Microsoft account secure. Most of the tips in this article can also be applied to other accounts, such as Facebook, Google and other services you use online.

In a world where we are constantly using technology for personal and work use, it is imperative that we know how to keep our accounts secure, which makes it harder for attackers to gain access to our accounts and personal information.

Creating a strong password

Creating a strong, secure password is important. This is your first layer of protection against hackers who are trying to gain access to your account. When creating a password, you want to make sure it is:

  • More than 8 characters in length (a combination of capital letters, lower case letters, numbers and symbols),

  • More than one word joined together (example: LondonUnitedStates), where the words are not linked to each other,

  • Not something that people can easily guess or find online about you,

  • Not your maiden name,

  • Not written down,

  • Not the same as passwords you have previously used.

So, a password that would be strong enough may be something like this: ~L0nd0nUn1tedStat3s2014

The example above uses a symbol (~), capital letters, lower case letters, numbers (0 instead of O, 1 instead of an L, 3 instead of an e, and a random year that is relevant to something else) and has two words joined together which have no relevance to each other. This makes it harder for someone who is trying to guess your password to guess correctly.

Checking it on Password Check | Kaspersky, it would take 3641 centuries to guess the password.


Figure 1: Shows the result of using ~L0nd0nUn1tedStat3s2014 as a password on the https://password.kaspersky.com/ site
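The rules listed above can be turned into a simple checker. The example below is added here and is not code from Microsoft or from any password checker; it tests the length, character-class, reuse and personal-information rules from the list against a constructed set of personal facts and previous passwords, and adds a naive search-space estimate (alphabet size to the power of the length) so you can see why length matters more than any single symbol.

```python
import math
import string

# Constructed demo data (hypothetical values): facts someone could find out
# about you online, and passwords you have used before.
PERSONAL_FACTS = ["jones", "rover", "1985", "manchester"]
PREVIOUS_PASSWORDS = ["Summer2019!", "P@ssw0rd"]


def character_classes(password):
    """Which of the four character classes from the article's first rule are present."""
    return {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_password(password, personal_facts=PERSONAL_FACTS, previous=PREVIOUS_PASSWORDS):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) <= 8:
        failures.append("must be more than 8 characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        failures.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for fact in personal_facts:
        if fact.lower() in lowered:
            failures.append(f"contains personal information: {fact}")
    if password in previous:
        failures.append("reused from a previous password")
    return failures


def search_space_bits(password):
    """Naive strength estimate: log2(alphabet_size ** length) for the classes actually used.
    This models a blind brute-force search only, not dictionary or pattern guessing."""
    classes = character_classes(password)
    size = (26 * classes["lower"] + 26 * classes["upper"] + 10 * classes["digit"]
            + len(string.punctuation) * classes["symbol"])
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ["password", "Rover1985!", "Summer2019!", "~L0nd0nUn1tedStat3s2014"]:
        print(candidate, check_password(candidate) or "OK", f"{search_space_bits(candidate):.1f} bits")
```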

When creating passwords for other sites, such as Facebook, you can make use of the password generator that is built into Microsoft Edge. This article will walk through how this works: Keeping your accounts secure using Edge - Microsoft Community

If you are using Google Chrome, you can use this article to learn more about the generate password feature in Chrome: Generate a password - Computer - Google Chrome Help

If you are using Firefox, you can use this article to learn more about the generate password feature in Firefox: How to generate a secure password in Firefox | Firefox Help (mozilla.org)

Keeping security information up to date

It is important to keep your security information up to date so you can access the sensitive information stored on your account (such as bank/billing details, security information, devices and stored passwords) when you need to. You can use your security information to reset your password when you have forgotten it.

When you have two-step verification turned on, it will make it harder for a hacker to gain access to your account, because the system will ask them to choose a security option to verify that it is the owner logging in. This means that they will have to either hack your alternative email address (once they have found out the username), get access to your phone (either physically or by hacking into it), or get hold of your security key.

Most people add their security information and then leave it. If you change your phone number and don’t update this information with the new number, it will be harder for you to get access to your account unless you have more than one option.

I recommend having more than one option on your account such as:

  • One email address (My other personal email address which is secure),

  • One phone number (My main phone number),

  • A security key (Kept with my keys),

  • The Authenticator app (On my phone).

Security proofs

Having security proofs on your account allows you to verify that it is you trying to sign in. They are also used when you reset your account password, as you can choose which security proof to use to receive a security code for your account.


By having security information stored on your account, you can easily regain access to your account and your security information, while making it difficult for a hacker to gain access.

Adding security proofs

To add security proofs to your account, you will need to go to your Microsoft account overview page here: Microsoft account | Security

Because you are accessing sensitive information, you may need to verify it is you (known as a security challenge). Once you have completed this, you will be directed to your security page.


This is where you can manage your security information, view your sign-in activity, and review your data and devices.

You want to click on Manage how I sign in in the account tile.


This will take you to another page where you can view all the security information stored on your Microsoft account. You will see this information under the heading Ways to prove who you are.


If you don’t have any security information on the page, it will look something like this:


To add security information, please click on Add a new way to sign in or verify.


This will bring up a window asking what type of method you want to add to sign in or verify your identity.


If you click on Show more options, it displays another option, which is to text a code to your phone.

The Use an app option is the Microsoft Authenticator app; we explore this option in more detail below. With the top option you can set up a face, fingerprint, PIN or security key. The PIN is a separate PIN that is created and stored on your account. Any biometric data is stored on the device.

When you click on the option for Face, fingerprint, PIN or security key, you are asked which devices you wish to store this information on.


You will just need to follow the instructions on screen to set this up.

The Email a code or Text a code option allows you to enter a new email address or phone number on your account.


When adding an email address to your account, don’t add work or school addresses. While this can be tempting, you must realise that it is not secure, because your admin is able to access your work/school account. Thus, they could access your Microsoft account by going through the recovery process (clicking “Forgot password” when signing into your personal account).

The other side effect of using your work/school account is that the admin can disable it. You would then not have access to your work/school account to obtain a code if you needed to. This means you will be unable to access your account if your work/school account is the only option you have.

Removing security proofs from your account

If you have security information on your account that you no longer need or have access to, you can remove it by clicking on the option you wish to remove.


This will expand the security information, where you can view when it was added, whether it is receiving alerts about your account activity, when it was last used and what it is used for.

To delete the item, you need to click on Remove.


Removing this option will send an alert to the other security options that are set up to receive alerts about your account activity.

Using the Authenticator app

The Microsoft Authenticator app is a good app to install on your phone. When you sign into your account from devices that are not trusted, or are trying to access sensitive information, you will be asked to verify a code that has been sent to your Authenticator app.


You will be able to verify the code it has provided you with when you click on the notification banner.


Downloading the Authenticator app

The first thing you will need to do is download the Authenticator app onto your phone. You can click on the link for your device:

When you visit the store page for your device, you should be able to sign in and click on the button to install it on your device.

Adding your accounts to the app

When the app has installed on your device, you will need to open the app and sign into your Microsoft account.

After you have done this, you want to go back to the Microsoft account security page here: Additional security options (live.com)

You will need to sign into your account as you are accessing sensitive information. Once you have done this, you should be taken to a page where you can see the ways you can prove who you are.

Under the section Ways to prove who you are, you want to click on Add a new way to sign in or verify.


A window will pop up on your screen with a list of options you can use to verify it is you or to sign into your Microsoft account. You want to click on the middle option, called Use an app.


This will take you to a new page where you can follow the on-screen instructions to set up your Authenticator app. After you have done this, you will see a method called Enter a code from an authenticator app in the list.


Two-step verification

Turning on two-step verification is a good way of protecting your account. Two-step verification is a form of multi-factor verification that helps keep your account secure by providing an extra level of protection.

When you, or someone else, signs into your account from a device that is not trusted, it will ask you to verify a code using a security method listed on the security page (security proofs). This means that anyone hacking into your account would need to have access to your devices or security information to continue.

How to enable two-factor authentication

To enable two-factor authentication you will need to go to your Microsoft account security page here: Additional security options (live.com)

As you are accessing security information, you will be required to sign in. If you already have two-factor authentication enabled, it will ask you to use a security method to gain access to this page and verify it is you.

Once you are on the page, at the top you will see Two-step verification along with its status (on or off). You want to click on the “Manage” link under this option.


This will take you to a new page that will tell you how to set up your phone with an app password. You will need to follow the instructions it provides on your screen.


Once you have done what the page is asking you to do, please click on Next.


Once you have completed the instructions, it will return you to the security page, where you will see that you have two-factor authentication enabled.

Going passwordless

This idea may sound crazy; however, it is more secure than you think. Going passwordless means that every time you wish to sign into your account, you sign in using the Authenticator app on your phone.

This makes it harder for a hacker to gain access to your account, as they must have access to your phone to sign in, and they must have it every time they want to sign in. As most accounts are hacked via the internet, where the hacker never meets the person in person, you can see why this can be more secure.

However, this doesn’t mean the account becomes un-hackable. Hackers are still able to hack into your account, but it will be much harder for them to do so.

To enable this feature, you will need to go to your security page here: Additional security options (live.com)

Once you have signed in, you will need to scroll down to the section called Additional Security. You will see an option called Passwordless account.


You want to click on Turn on. In the image above, it says Turn off as I have this option enabled.


Recovery codes

You have the option to save and download recovery codes. These can be used when you have lost access to your account and no longer have access to the security information on it. You will be asked for the recovery code for your account.


Once you enter the code, it will allow you to log in. You can then change the information on your account so that it is up to date.

To generate a recovery code, please go to the security page here: Additional security options (live.com)

You want to scroll down to the bottom of the page to the section called Recovery code.


Under this heading, you will see a blue hyperlink titled Generate a new code. You want to click on this so it can generate a code for you.


You want to save this code in a safe place that only you can access. It can be stored on your phone as a picture, downloaded and saved as a file on your PC, or printed out and stored somewhere safe. This will allow you to gain access to your account using this code when you need to.

_________________________________________________________

I hope you found this article helpful. If you have any suggestions for this article, please comment them. If you have a question about setting up security proofs, please ask a question using this link: Ask a Question (microsoft.com)

Article information:

  • Article published: 26/08/24


Last updated: April 23, 2025