
ISSUE 21.21.F • 2024-05-20

In this issue

MICROSOFT 365: Setting up MFA properly

Additional articles in the PLUS issue

LEGAL BRIEF: Protecting yourself from AI deepfakes

FREEWARE SPOTLIGHT: Sizer — When a window must be an exact size

PATCH WATCH: Patch Apple, defer Windows



MICROSOFT 365

Setting up MFA properly

By Peter Deegan

Is that multifactor authentication setup complete and truly ready to handle any situation?

Two-factor (2FA) or multifactor (MFA) authentication is just the start of securing your important accounts.

All too often, I hear from people who’ve set up extra login verification and can’t get it working. It might have been configured in such a way that access is allowed when your phone is lost or stolen, SMS (text messaging) isn’t working correctly, or the authentication app is broken.

If you lose access to your main authenticator app, you can still access your Microsoft Account by using an alternative recovery method such as a text message or a backup email address. With two-step verification turned on, you will need to have access to two recovery methods.

There is more than one way to verify a login, and you should know about them before something goes wrong. I’ll use a Microsoft account for these examples, but similar things apply to other major account logins such as Google, Apple, Facebook, Twitter/X, and others.

But first …

Please tell me you do have multifactor authentication set up on all your important logins, especially email. People often focus on banking sites but overlook crucial mailbox and social-media security. If someone gets into your mailbox, they can lock you out, use the stored emails to find out more about you, and access those accounts using email verification links. If your mail provider doesn’t have MFA, that’s yet another good reason to move to a better mail service.

Some services, such as Microsoft, now require MFA for all accounts. Unfortunately, some people just set up the basic verification without taking the extra steps necessary.

Prove who you are — twice

Microsoft offers many ways to verify a login (see Figure 1). It’s best to set up as many as you can from the Advanced Security page of your Microsoft account profile.

Figure 1. Microsoft account setup with many MFA methods

Email a code — A verification code can be emailed to an alternate email address (see below) or the main mailbox, depending on the situation.

Text a code — The code is sent to a mobile phone (SMS). More than one number can be set up, handy for us world travelers. Please do not rely only upon SMS for verification, because sometimes text messages don’t work.

Send sign-in notification — A verification request can be pushed to the Microsoft Authenticator app.

Enter a code from an authenticator app — Any compatible authentication app can be set up to generate a code.

Use a passkey — A passkey uses the device’s secure login (Windows Hello facial recognition, fingerprint, or PIN). Passkeys have been around for a few years but have only recently been released as an option for Microsoft personal accounts.

Choose Add a new way to sign in or verify to add another MFA method (see Figure 2). It’s quite possible to add the same method — for example, multiple authentication apps or passkeys — more than once.

Figure 2. Add another verification / MFA method.

Check the verification methods occasionally. More than once, I’ve struggled to help people log in because they’ve changed email addresses or phone numbers without updating their backup verification details.

Set up more authentication apps

It’s smart to set up authentication apps on different devices to allow access to an account. If one device isn’t available, you can switch to another.

I like Authy, a free and well-respected authentication app that works across many devices (iPhone, Android, and Chrome browsers). You can set up a verification in Authy, and it’ll appear automatically on your other devices. The Authy website also has a handy guide to setting up authentication for many different services.

Figure 3. Authy covers all the major accounts and syncs between devices.

It’s not normally necessary to use a company’s specific authentication app — for example, the Microsoft Authenticator for Microsoft accounts or the Google app for Google. All the auth apps work with multiple accounts from different companies, because they all use the same underlying and standard authentication system. The Microsoft Authenticator has the advantage of accepting push notifications, which are easier than copying a code.
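
To show what that shared standard looks like, here is an added example (not from the newsletter or from any vendor's app) that computes time-based one-time codes as defined in RFC 6238, the open standard these apps implement. The function names and the sample secret, which is the RFC's published test key, are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way a
# service shows it during manual setup. Never reuse it for a real account.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32: str) -> bytes:
    """Accept secrets as users type them: spaces, lower case, missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(_decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check; window = how many 30 s steps of clock drift to tolerate."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * 30), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp so the output is reproducible
    phone = totp(SAMPLE_SECRET, now)
    tablet = totp(SAMPLE_SECRET.lower(), now)  # different "app", same secret
    print(phone, tablet, phone == tablet)
    print(verify(SAMPLE_SECRET, phone, now + 2, window=0))  # next 30 s step
    print(verify(SAMPLE_SECRET, phone, now + 2, window=1))  # drift tolerated
```

Two devices that hold the same secret and agree on the time produce the same code, whichever app they run; a device whose clock is badly off produces codes the server rejects.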

Alternative email address

Major login accounts such as Microsoft and Google also offer an alternative email address option, another important recovery avenue.

An alternative email address can receive notices of major changes to an account (e.g., password changes) and also provide another way to authenticate a login via an email with a confirmation link.

The alternative address should use a separate company with a different login. I’ve seen people use an email alias as the alternative — but that’s useless, because the backup email goes to the same mailbox that you can’t log in to!

If you have a Microsoft mailbox, use a Gmail or Yahoo account for the alternate. If you don’t have an alternative mailbox, set one up — because they have other uses beyond login recovery.

Recovery passwords

Do you know where your recovery password is? Do you remember that there are recovery codes?

Recovery or backup codes are long text strings that are alternative ways to get into an account if login verification isn’t available.

When MFA is set up, you’re offered a recovery password and encouraged to save it. Too many people don’t bother or, more likely, forget about recovery passwords when they’re needed.

There’s a way to get a new recovery password. Go to Microsoft’s Ways to prove who you are page (Figure 4) and scroll down to the very bottom. The new recovery code is displayed on the screen.

Figure 4. Recovery code setup for Microsoft accounts, showing an example code

Google has 10 “Backup codes” available at the account Security page.

Storing recovery passwords is a tricky thing. Microsoft suggests printing or taking a picture. The code needs to be saved somewhere that is both secure and easily accessible when the need arises. Saving them in cloud storage linked to the same Microsoft account is a bad idea, reminiscent of the Spike Milligan joke “Open crate with crowbar provided inside.”

Switching phones

Ideally, you set up the authentication app with your accounts on your new phone before erasing data (i.e., Factory Reset) on the old phone. But that’s not always possible, such as when the phone is stolen.

If you can’t access your authentication app for any reason, there are alternative login verifications including:

  • Authentication from another device / app (this is where Authy is really handy)
  • Login link via alternative email address
  • SMS / text message
  • Recovery code.

Legacy contact

Another aspect of account recovery is planning for death or considerable disablement.

Apple offers a specific feature for this, called a Legacy Contact. The designated person can access your account after you’re gone, by submitting to Apple the access key code (generated when you choose the legacy contact) and a death certificate.

Microsoft doesn’t have a specific option for accessing the account of a deceased person. The closest thing you can do is set up an email or phone verification for your trusted person. (Turn off alerts so they aren’t bothered too often.) Also give them a copy of the recovery code. Make sure the trusted person knows how to access your important accounts, including social media.

Just setting up a secure login isn’t enough. Make sure you take the extra alternative and recovery steps to allow for the unexpected.


Peter Deegan is the author of Windows 11 for Microsoft Office Users, Microsoft 365 for Windows: Straight Talk, Eye-Catching Signs with Word, Christmas Cheer with Office, and others. He has been the co-founder and editor in chief of the Office Watch site and newsletters since they started in 1996.


Here are the other stories in this week’s Plus Newsletter

LEGAL BRIEF


Protecting yourself from AI deepfakes

By Max Stul Oppenheimer, Esq.

It has been apparent for some time that developments in generative artificial intelligence present serious potential for harm.

A recent example has made the problem concrete. On January 17, 2024, the Baltimore Sun broke the news with the headline “Baltimore County Public Schools investigating Pikesville High principal’s alleged ‘highly offensive’ recording.”

FREEWARE SPOTLIGHT


Sizer — When a window must be an exact size

By Deanna McElveen

If you must drag the edges of windows to resize them over and over while working, you are wasting minutes of your life that you can never get back.

Sizer by brianapps.net is one heck of a free program I recently stumbled across that can resize any window (program or explorer window) instantly. I’m pretty excited to share this one, so grab a copy of Sizer from OlderGeeks.com, and let’s get started! It works on all versions of Windows from XP to 11, so unless you are stuck in the 90s, it should work for you.

PATCH WATCH


Patch Apple, defer Windows

By Susan Bradley

Apple often seems to get its foot in the door first, and last week’s patch release was no different.

One day before Microsoft’s Patch Tuesday, Apple released its security and feature updates. (Just as I advise for Microsoft, ensure your backups are up to date on any platform that receives updates.)

For Apple, go into Settings and search for Backup. Given the capacities of phones these days, I recommend backing up to Apple’s cloud and purchasing an iCloud+ subscription to obtain enough capacity. You’ll thank me for it later.



The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2024 AskWoody Tech LLC. All rights reserved.