Yes, a Microsoft account is free. But it can be very useful if you use it for your email and online storage. Follow these seven steps to establish strong security and protect this account from intruders.
What is your most valuable online account, the one that most deserves to be protected? If you use a Microsoft account to sign in to a Windows PC, that account and its associated email address need to be protected the most.
This is especially true if you use OneDrive storage with that Microsoft account, and it contains all of the documents that you create and edit using Microsoft 365 Office apps.
In this article, you will find seven steps you can take to protect your account from online attacks. As always, you’ll need to strike a balance between convenience and safety. To help with this, the steps are grouped into three possible levels of security, depending on how tightly you want to lock down your Microsoft account.
This article is for consumer Microsoft accounts used with Microsoft 365 Home and Personal editions. Security settings for Microsoft 365 work and corporate accounts, which use the OneDrive for Business cloud service, are managed by domain administrators through Azure Active Directory, using a completely different set of tools.
Level 1: basic security
Most PC users can get by with this basic level of security. This is especially true if you don’t use your Microsoft email address as your primary identifier for signing in to other sites. If someone close to you who has little technical knowledge, or who is simply intimidated by anything beyond a password, asks you for help, this is the option to offer them.
At a minimum, you should create a strong password for your Microsoft account, a password that is not used by any other account.
Additionally, you should enable two-step verification (Microsoft’s term for multi-factor authentication) to help protect against phishing and other forms of password theft. When this feature is enabled, you must provide additional proof of your identity when you log in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification usually consists of a code sent by text message to a trusted device or by email to another registered account.
Level 2: intermediate security
While these basic precautions are usually sufficient, there are a few extra steps you can take to make your account more secure.
First, install the Microsoft Authenticator app on your iPhone or Android device, and configure it to use as a sign-in and verification option. Then remove the option to use SMS to verify your identity.
With this setup, you can still use your mobile phone as an authentication factor, but a potential attacker will not be able to intercept text messages or spoof your phone number.
Level 3: maximum security
For maximum security, add at least one physical hardware key to the Microsoft Authenticator app and optionally remove email addresses as a fallback verification factor. This setup places significant barriers in the path of the most determined attacker.
It does require an additional investment in hardware and certainly adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.
Step 1: create a new strong password
First, you need a strong, unique password for your Microsoft account. The best way to make sure you’ve met this requirement is to use the tools in your password manager to create a brand new password. If you don’t have a password manager, you can try an online option, like 1Password or LastPass.
Creating a new password ensures that your account credentials are not shared with another account; it also ensures that an old password that you may have inadvertently reused is not part of a known password breach.
To change your password, go to the Microsoft Account Security Basics page at https://account.microsoft.com/security/. Sign in, if necessary, then click on “Change password”.
Generate a brand new password to make sure you don’t accidentally reuse an old password.
Follow the instructions to save the new password using your password manager. If you prefer a physical backup, writing the password down on paper is fine. Just be sure to keep the paper in a safe place, such as a locked drawer or a safe.
Step 2: print a recovery code
Print out a recovery code and keep it in a safe place; you will need it if you lose access to your account.
The next step is to generate a recovery code. If you are unable to sign in to your account because you forgot the password, having access to this code will prevent you from being permanently locked out.
On the Microsoft Account Security Basics page, find the “Advanced Security Options” section and click “Get Started.” This takes you to the advanced Microsoft account security page, which is not easy to find on your own. To go there directly, add this address to your favorites: https://account.live.com/proofs/Manage/additional.
Scroll to the bottom of the page and find the “Recovery Code” section. Click “Generate New Code” to display a dialog box like the one shown above.
Print out this recovery code and store it in the same locked filing cabinet or safe where you stored your password.
Good to know: Microsoft allows you to generate only one code at a time for a Microsoft account. Generating a new code makes the old code invalid.
Step 3: enable two-step verification
Do not exit the “Account Security” page immediately. Instead, scroll down to the “Two-step verification” section (under the “Additional security” heading) and make sure this option is turned on.
The setup process is a fairly straightforward wizard that confirms that you are able to receive verification messages. If you are using a modern smartphone with an updated version of iOS or Android, you can ignore the prompts to create an app password for the email client on those phones.
Step 4: add a secure email address as a means of verification
Use this dialog box to add secure verification options to your account.
Microsoft recommends that you have at least two forms of verification in addition to your password. When two-step verification is enabled and you need to reset your password, you will have to provide both forms of verification; otherwise, you will be permanently locked out of your account.
A free email address, like a Gmail account, is fine if your security needs are minimal, but a work email address is a much better choice. If necessary, you can have a verification code sent to this address.
Go to the advanced security page of the Microsoft account and click on “Add a new way to sign in or verify”.
Choose the option “Send a code” by email, enter your email address, then enter the code you receive to confirm this verification option.
Step 5: configure the Microsoft Authenticator app
Smartphone apps that generate time-based one-time password (TOTP) codes are an increasingly popular form of multi-factor authentication, and I highly recommend using them for any service that supports them.
Even if you use a different authenticator app for most services, I recommend using Microsoft Authenticator for your Microsoft account. In this configuration, any sign-in attempt requiring verification sends a push notification to your smartphone. Approve the request, and voilà.
An added benefit is that the Microsoft Authenticator app can be used for password-less login as well as verification.
To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft account security page and click “Add a new way to sign in or verify”. Choose the “Use an app” option, and then, after installing the Microsoft Authenticator app, sign in using your account credentials.
Step 6: remove SMS verification
At this point, you should have more than enough secure means to authenticate yourself and verify your identity. That means it’s time to cut the weakest link in the chain: SMS.
What makes SMS so problematic, from a security perspective, is that a hacker can hijack your mobile account. It happened to my ZDNet colleague, Matthew Miller, a few years ago, and I don’t wish this nightmare on anyone.
Before changing this setting, confirm that you have at least two other forms of verification (a secure email address and the Microsoft Authenticator app, ideally) and that you have saved a recovery code for the account. Then, from the advanced security page of the Microsoft account, expand the “Text a code” section.
After adding more secure verification options, remove the weak link from SMS.
Click “Remove” to remove this option.
Step 7: use a hardware security key for authentication
Using a hardware key, you can sign in to your Microsoft account with a simple PIN code.
This step is the most advanced of all. It requires an investment in additional hardware, but the requirement to insert a device into a USB port or establish a connection via Bluetooth or NFC provides the highest level of security.
To set up a hardware key, go to your Microsoft account advanced security page and click “Add a new way to sign in or verify”. Choose the option “Use a security key”, then follow the instructions.
You will need to enter the PIN code for your hardware key, then touch the key to activate it. Once set up, you have an effective way to sign in to any service managed by your Microsoft account without having to worry about passwords.
As mentioned at the beginning of this article, most users do not need this level of advanced protection. But if your OneDrive account contains valuable documents like tax returns and bank statements, you may want to lock it down as tightly as possible.