What’s your most valuable online account, the one most deserving of protection? If you use a Microsoft account to sign in to a Windows PC, that account and its associated email address should be the one you guard most jealously. That’s especially true if you use that Microsoft account for OneDrive storage and Office 365 documents.
In this post, I list seven steps you can take to help you lock that account down so it’s safe from online attacks. As always, there is a balancing act between convenience and security, so I’ve divided the steps into three groups, based on how tightly you want to lock down your Microsoft account. (It’s worth noting that this article is about consumer Microsoft accounts used with Home and Personal editions of Office 365, Microsoft 365, and OneDrive. Security settings for business and enterprise Microsoft 365 accounts are managed by domain administrators through Azure Active Directory, using a completely different set of tools.)
Baseline security
This level is adequate for most ordinary PC users, especially those who don’t use their Microsoft email address as a primary factor for signing in to other sites. If you’re helping a friend or relative who’s technically unsophisticated and intimidated by passwords, this is a good option.
At a minimum, you should create a strong password for your Microsoft account, one that’s not used by any other account.
In addition, you should turn on two-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. When that feature is enabled, you have to supply an additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification typically consists of a code sent as an SMS text message to a trusted device or in an email message to a registered alternate account.
Better security
Those baseline precautions are adequate, but you can tighten security significantly with a couple of extra steps.
First, install the Microsoft Authenticator app on your iPhone or Android device and set it up for use as a sign-in and verification option. Then remove the option for using SMS text messages to verify your identity.
With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won’t be able to intercept text messages or spoof your phone number.
Maximum security
For the most extreme security, add at least one physical hardware key along with the Microsoft Authenticator app and, optionally, remove email addresses as a backup verification factor. That configuration places significant roadblocks in the way of even the most determined attacker.
It requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.
Step 1: Create a new, strong password
First things first: You need a strong, unique password for your Microsoft account. The best way to make sure you’ve nailed this requirement is to use your password manager’s tools to generate a brand-new password.
(No password manager? Try an online option like the 1Password Strong Password Generator or the LastPass Password Generator Tool.)
Generating a new password ensures that your account credentials aren’t shared with any other account; it also ensures that an older password you might have inadvertently reused isn’t part of a password breach.
To change your password, go to the Microsoft Account Security Basics page at https://account.microsoft.com/security/. Sign in, if necessary, then click Change Password.
Follow the instructions to save the new password using your password manager. Feel free to write it down, if you prefer a physical backup. Just be sure to store the paper in a secure location, such as a locked file drawer or a safe.
Step 2: Print out a recovery code
The next step is to save a recovery code. If you’re ever unable to sign in to your account because you’ve forgotten the password, having access to this code will save you from being permanently locked out.
On the Microsoft Account Security Basics page, find the Advanced Security Options section and click Get Started. That takes you to the not-so-basic Microsoft Account Security page. (To go there directly, bookmark this address: https://account.live.com/proofs/Manage/additional.)
Scroll to the bottom of the page and look for the Recovery Code section. Click Generate A New Code to display a dialog box like the one shown here.
Print out that recovery code and file it away in the same locked file cabinet or safe where you put your password.
(Microsoft allows you to generate only one code at a time for a Microsoft account. Generating a new code renders the old code invalid.)
Step 3: Turn on two-step verification
Don’t leave the Microsoft Account Security page just yet. Instead, scroll up to the Two-Step Verification section and make sure this option is turned on.
The setup process is a fairly simple wizard that confirms you’re able to receive verification messages. If you’re using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.
And now for some more advanced security options.
Step 4: Add a secure email address as a form of verification
Microsoft recommends that you have at least two forms of verification available in addition to your password. If you need to reset your password when two-step verification is enabled, you’ll need to supply both of those forms of identification or you risk being permanently locked out.
A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address is a much better choice. If necessary, you can have a verification code sent to that address.
Go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify.
Choose the Email A Code option, enter your email address, and then enter the code you receive to confirm that verification option.
Step 5: Set up the Microsoft Authenticator app
Smartphone apps that generate Time-based One-time Password Algorithm (TOTP) codes are an increasingly popular form of multi-factor authentication, and I highly recommend their use for any service that supports them. (For more on these options, see “Protect yourself: How to choose the right two-factor authenticator app.”)
Even if you use another authenticator app for most services, I recommend using Microsoft Authenticator with your Microsoft account. In this configuration, any sign-in attempt that requires verification sends a push notification to your smartphone. Approve the request, and you’re done.
An added bonus is that the Microsoft Authenticator app can be used for passwordless sign-in as well as verification.
To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use An App option and then, after installing the Microsoft Authenticator app, sign in using your account credentials.
Step 6: Remove SMS text messages as a form of verification
By this point, you should have more than enough secure ways to authenticate yourself and verify your identity. That means it’s time to remove the weakest link in the chain: SMS text messages.
What makes SMS text messages so problematic from a security standpoint is the fact that an attacker can hijack your mobile account. It happened to my ZDNet colleague Matthew Miller a few years ago, and I wouldn’t wish that nightmare on anyone. (For details and some additional security advice, see “Protect your online identity now: Fight hackers with these 5 security safeguards.”)
Before you change this setting, confirm that you have at least two other forms of verification (a secure email address and the Microsoft Authenticator app, ideally) and that you’ve saved a recovery code for the account. Then, from the advanced Microsoft Account Security page, expand the Text A Code section.
Click Remove to eliminate this option.
Step 7: Use a hardware security key for authentication
This step is the most advanced of all. It requires an investment in additional hardware, but the requirement to insert a device into a USB port or make a connection via Bluetooth or NFC offers the highest level of security.
For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”
To configure a hardware key, go to the advanced Microsoft Account Security page and click Add A New Way To Sign In Or Verify. Choose the Use A Security Key option and then follow the prompts.
You’ll need to enter the PIN for your hardware key, then touch it to activate it. When that setup is complete, you’ve got a strong way to sign in to any service powered by your Microsoft account without having to fuss with passwords.
As I mentioned at the beginning of this article, most people don’t need this level of advanced security. But if your OneDrive account includes valuable documents like tax returns and bank statements, you may want to lock it down as tightly as possible.