Word on the street says that Microsoft will soon be doing the two-step, too.
So, with appropriate caution given that all roads seem to emanate from the same place, here are some screenshots of liveside’s screenshots.
This one shows what purports to be a new option in the Security info tab of the Microsoft account configuration interface:
And here’s what is supposed to be the initialisation step for the newly-activated 2FA feature:
It’s not clear exactly what the “Don’t ask me for a code” tickbox is for, but it looks as though you will be able to exempt your most commonly-used device (say, your day-to-day laptop) from needing 2FA-protected logins.
I hope that’s not the case, because 2FA adds real value if you use it as a matter of routine, not if you use it only in special cases.
Sure, you can argue that an oft-used and cherished laptop is less likely to get you into trouble with a keylogger than, say, a PC in an internet cafe or a kiosk at the airport.
And if you genuinely cherish that oft-used laptop, and your oft-used accounts, you’ll want only the best levels of security every time you use them.
Adding further veracity to the liveside claims is the quietly recent appearance of the Windows Phone Authenticator app in the Windows Phone Store:
Incidentally, Microsoft’s own Phone Store summary reassures you that the app “implements industry-standard security code generation,” and one of the screenshots from liveside’s stash advises you:
If you have an iOS, Android or BlackBerry device, search your app store for an authenticator app.
So it looks as though you’ll be able to buy into Microsoft’s 2FA without buying a Windows Phone on which to run Microsoft’s app.
Furthermore, a commenter on liveside claims that the “Use a different verification option” in the second screenshot above leads to a configuration page on which you can choose SMS-based verification codes if that’s what you prefer.
Are you convinced?
I must say that the word-on-the-street sounds pretty believable, and if it’s true, then it’s great news.
(On the other hand, the selfsame street blithely assured us that Microsoft’s most recent Patch Tuesday update for Internet Explorer would fix the vulnerabilities exposed at the 2013 PWN2OWN competition, but that turned out to be untrue.)
Anyway, even if everything here is spot-on, you can’t force horses to drink, albeit that you have led them to water.
So if (or when) this feature does go live, it will be interesting to see how quickly and widely Microsoft cloud users will adopt it…