Scott Hanselman

Setting up Two-Factor Authentication for your Google account AND Microsoft account

April 19, 2013 Posted in Tools

Two factor auth for Microsoft and Google within the Google Authenticator app

I use Two-Factor Authentication for my Google Apps account and I use the Google Authenticator application on my iPhone to generate the second factor.

Microsoft Accounts (formerly Live Accounts) just launched Two-Factor Auth and you should set it up now. That means SkyDrive, Outlook.com/Hotmail as well as the Windows Azure Dashboard can now be fronted by two-factor auth.

If you already use two-factor for Google, you can ADD your Microsoft account to the Google Authenticator application on your Android or iPhone. That means I can use one Authenticator application for all accounts which is extremely convenient.

The process for setting up two step authentication on a Microsoft account is:

  1. Get an Authenticator app.
  2. Head over to https://account.live.com/proofs/Manage and log in to your Microsoft account.
  3. Run your Authenticator app and scan the barcode with your phone's camera.
  4. Enter the number you're given and click Pair.

Microsoft accounts can scan a bar code to set up their two factor auth.

PRO TIP: If you have two factor auth turned on for BOTH Microsoft Accounts and Google Accounts, make sure you click Edit and change the display name of your accounts so you can tell them apart! I appended [MS] and [GOOG].
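What the barcode carries and why the display name matters, as an added example (not code from the original post or from either vendor). It assumes the QR code encodes an `otpauth://totp/` URI and that codes are RFC 6238 TOTP with the defaults Google Authenticator uses (HMAC-SHA1, 30-second step, 6 digits); the sample URIs are constructed, and the store keyed by display name alone is a hypothetical model of an authenticator app.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample provisioning URIs (what the two QR codes would encode).
# Same login ID, different secrets; neither carries an issuer prefix.
GOOG_URI = "otpauth://totp/user%40example.com?secret=JBSWY3DPEHPK3PXP"
MS_URI = "otpauth://totp/user%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code: a function of the shared secret and the clock only."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Return (display_name, base32_secret) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return unquote(u.path.lstrip("/")), parse_qs(u.query)["secret"][0]

def add_account(store, uri):
    """Hypothetical app store keyed by display name alone (an assumption, not
    any vendor's code). Returns True if an existing entry was replaced."""
    name, secret = parse_otpauth(uri)
    replaced = name in store
    store[name] = secret
    return replaced

def rename(store, old, new):
    """Change an entry's display name; the secret is untouched."""
    store[new] = store.pop(old)

def scan_both(rename_first):
    """Scan the Google code, optionally rename it, then scan the Microsoft code."""
    store = {}
    add_account(store, GOOG_URI)
    if rename_first:
        rename(store, "user@example.com", "user@example.com [GOOG]")
    replaced = add_account(store, MS_URI)
    return replaced, store

if __name__ == "__main__":
    print(scan_both(rename_first=False))   # one entry left, holding the MS secret
    print(scan_both(rename_first=True))    # both entries kept
    print(totp(parse_otpauth(MS_URI)[1], 59))
```

Because `totp` takes only the secret and a timestamp, the app needs no network access after pairing, and anyone holding a copy of the secret (a printed backup, a second device) generates the same codes.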

You can also set this up and use the same app for Dropbox, LastPass and more sites every day.

The process for Google is similar. Get the app installed, and go to the Google 2-step verification page. I've been running two-step since it came out and the annoyance is minor compared to the comfort of a little extra security.

Note that some apps (like the mail app on your phone) may not support two-factor auth, so you'll need to create an application-specific password for those apps. It's a one-time password just for the apps that need them and you can revoke those passwords anytime.

Have fun and be secure!

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

April 19, 2013 22:20
I, like you, have been using 2-step for a long time. It's a fairly hassle free way to make it that much harder for someone to read your riveting email and view your breathtaking pictures ;)

I would also add that Dropbox added 2-factor a few months back, which also works with these standard authenticator apps and there is a cool article on how to add it to your own Asp.Net app here http://www.codeproject.com/Articles/403355/Implementing-Two-Factor-Authentication-in-ASP-NET

Finally, back up your code to a physical medium! Print it out and put it in your safe or some other physically secure place. You may lose your phone, do a factory reset, have multiple phones that you want your authenticator on...lots of scenarios like that. It's good to have, even though most systems do have at least one failsafe built in for you to recover your account.
April 19, 2013 22:26
Chris - Which code do you "backup to paper?" The QR code?
April 19, 2013 22:29
yep, exactly. Just click the "i can't see the bar code" and it will reveal the key that sets up the account. Google has a similar process for their setup as well.
April 19, 2013 22:53
Great article Scott. Thanks for the tip!

I had some trouble editing the names in the Google Authenticator app, but it eventually worked.
April 19, 2013 22:53
Good as this news is, I can't help but wish they had enabled yubikey authentication which I currently use. I see a yubikey as being far more resilient than a phone and more convenient to carry around, and less likely to be stolen.
April 19, 2013 23:17
Dafydd - I see two problems with that. Microsoft doesn't make the yubikey, but they do a mobile phone os. Second, since yubikey is a usb device, it would not work with phones, tablets or other devices without a usb port.
April 19, 2013 23:21
Try out Duo Mobile instead of Google Authenticator. Pretty icons, better user experience, easier to rename accounts, etc.

http://guide.duosecurity.com/third-party-accounts

Download for: iPhone, Android

(Disclaimer: I work for Duo.)
Tom
April 19, 2013 23:37
The new Outlook.com app for Android doesn't seem to be playing well with 2-factor authentication at the moment. Just configured it all and after putting in the code from Google Authenticator it sends me to an authorization screen and granting permissions there throws up an error "Authentication failed." Wondering if anyone else is having the issue.
Dan
April 19, 2013 23:51
For BlackBerry 10, there's Authomator. Same functionality as the other auth apps, and looks good too! I have a few accounts running 2-factor auth via this app.
April 20, 2013 0:17
It works in reverse also. I have a windows phone which has the Microsoft Authenticator App. I can now use that for both Windows Live, and Google. Just FYI.
April 20, 2013 0:26
Steven - Ah, great to know! Thanks!
April 20, 2013 0:31
@Dan -- Did you generate an app password for the Outlook Android app once you enabled Two-Factor Auth?
SK
April 20, 2013 1:01
Adam, the new yubikey supports RFID, designed for the new breed of phone. Also yubikey is opensource, MS can see how secure, or not it is, and contribute.
April 20, 2013 1:20
Adam, my phone has a usb port
Rik
April 20, 2013 1:31
Dan, the outlook.com issue is being worked on now. Sorry.
April 20, 2013 1:38
Great! I used Facebook two-factor authentication with a text message I never got. But hopefully this solution will work good.
April 20, 2013 2:01
Another pro tip: Note that if you added a Google and Microsoft account like I (and Scott) did and the edit button doesn't work if you want to add [GOOG] and [MS], you might need to delete one or the other for it to function properly.
April 20, 2013 2:32
@Omar - Thanks for the update.
Dan
April 22, 2013 6:24
@RobIII

No need to delete in iOS, just click 'Legal Information' first, then try 'Edit' again.

See https://twitter.com/leftside/statuses/161128520620318723
April 22, 2013 13:11
Hello all,
If, like me, you use Google Authenticator and you use your Gmail address as your MS log in, scanning the MS QR code will overwrite your Google account authentication settings.
Instead you need to add the account manually ("Enter Key Provided") rather than scanning the QR code!
Hopefully this will save someone some pain!

P.
April 22, 2013 13:39
Hi all, after setting up 2 factor auth my Sky Drive app started failing on iOS. It just would not accept my password. It turns out that Sky Drive on iOS does not support 2 factor auth so you have to create an app password for it (look at the bottom of Scott's post about generating app passwords). You then enter the app password into the password field, not your original password, and hey presto, we're in.

Hope this helps others because my phone almost became a Frisbee over this ;-)
April 22, 2013 18:31
Am I missing something or it is not possible to add multiple accounts to the Google Authenticator app on Android?
April 22, 2013 18:57
Actually, I was using the gmail address as my MS login. Thanks for the tip Paul!
April 22, 2013 20:59
If you are like me and have more than one device you can set up Google Authenticator on multiple devices as long as you scan the barcode at the same time. So put all your devices side by side, generate the barcode and scan it in for each device. You can't do it after the fact.

April 22, 2013 22:21
Here is how to use a YubiKey with Gmail ('Google’s 2 step verification'); I would be if it did not work with Microsoft's implementation as well.
Jed
April 24, 2013 0:17
Hi.
Is it possible to link another MS account to an MS account with 2way auth? If yes, how? I can't do that :/ by this link ..://
https://account.live.com/AddLink.aspx
April 25, 2013 1:54
I set up 2-factor Auth yesterday on my home PC. Logging into Azure today on a different PC and it does not ask for a code. It just accepts a password and logs in.


April 25, 2013 12:32
*** one BIG problem ***

If you have two accounts with different providers that have the same login ID then the second addition will overwrite the first.

I have an MS account that uses my gmail address as the login. Scanning the MS QR in GAuthenticator replaced the existing GAccount! The secret behind the Authenticator item is different. So it fails against G.

So, it is very IMPORTANT that if you have this situation then rename the Authenticator item for Google _first_. Then add the MS (or other provider) account. Then rename it.

If you manage to fubar your Authenticator you can re-add the G account by going to "2-step verification" settings in your G account and use the "Move to different phone" option. A bit scary but it will present you with a QR code to rescan into the same phone.

Hope this helps someone.

--A
May 01, 2013 4:54
Thank you very much Scott,

this is a very great feature. At first I had a tricky problem:

I used my gmail address as primary account address for my microsoft account too. After I was scanning the QR-Code for Microsoft 2-Step authentication, Google Authenticator on my droid did simply override the 2-STEP authentication from google with microsoft.
I had to reset the Google Authenticator on my droid again by visiting: https://accounts.google.com/b/0/SmsAuthSettings

After that, I changed my primary email address in my Microsoft account, by visiting: https://account.live.com/ChangeId.aspx

Finally after creating an extra [MyName]@live.at email account, everything worked fine with 2 different authentication accounts stored in Google Authenticator on my droid!

Kind regards, Heinrich Elsigan.
May 17, 2013 9:19
@Steven I was wondering how it works and your statement made it clear ;)
May 21, 2013 5:43
one more thing comes to my mind, auth code via sms always fails to deliver, this is way better in practical ;)
August 21, 2013 19:14
Two factor authentication is great. Thanks for the Google Authenticator tip. I was using the Authenticator app on my Windows Phone, but needed something for iPhone to work with SkyDrive.
September 07, 2013 14:13
I recently started using the authenticator app on my iphone to get into my msn hotmail. Until a few days ago, I had an update for the app which I updated. Now it has completely changed to what I know and I don't understand how to use this or even get the code to sign in, which also means I can't access my account. What can I do to get into my account or even take off the verification security just for now?
September 08, 2013 20:58
If you have Blackberry 10 devices, use the built-for-blackberry "Authomator" app. It supports Google, Microsoft, and Facebook authentication codes and can scan barcodes.
Gil
September 13, 2013 0:04
This stuff assumes that you have a phone, and that it's on a network that works everywhere in the world you might want to access your email account. For people who travel a lot, it's unworkable.
September 13, 2013 3:22
Ron - Actually, no, the Authenticator apps don't require ANY network access once they are set up. I use them all over the world, even in Airplane mode.
November 22, 2013 17:27
One of the most annoying things about microsoft 2 factor authentication is it ALWAYS refuses to work with my google authenticator. It did work for a while but no matter how many times I pair it using either method (scan or number) then it simply refuses to recognise the number my authenticator generates.

I have had to turn it off which I don't like.

I have no idea who to complain to so I'm ranting in this old (really good) post. I can't be the only one surely ?
