There are a variety of apps you might use with your Microsoft account. Some examples include Outlook, Microsoft 365, Microsoft Office, OneDrive, Skype, Teams, Xbox and signing in to Windows devices. For more information on additional security features please visit Microsoft’s website.

Multi-factor authentication

What is MFA?

Multi-factor authentication or MFA is a way to improve the security of your most important accounts. It requires you to produce a combination of two or more of the following authentication types before granting access to an account:

- something you know (e.g. a PIN, password or passphrase);
- something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and
- something you are (e.g. a fingerprint, facial recognition or iris scan).

Two-factor authentication (2FA) is the most common type of MFA, requiring two different authentication types.

Why is it important to turn MFA on?

MFA makes it harder for cybercriminals to gain initial access to your account by adding more layers of authentication, requiring extra time, effort and resources to break. Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from criminals trying to break in.

How do I turn MFA on?

How to turn on MFA depends on the software or service you are using. However, the steps are somewhat similar for most applications. Icons and language may differ slightly depending on the software or device you are using.

Turn on MFA for your Microsoft Account

These steps will show you how to turn on MFA for your Microsoft Account. After you turn on MFA, you’ll need both your password and an additional authentication method to log in to your Microsoft account. This could be a security code from an authenticator app, SMS, or phone call. Alternatively you could get a notification to the Microsoft Authenticator app on your smartphone.
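As an added illustration (not part of the ACSC guide), the Python below shows what happens behind the security code an authenticator app produces: the app keeps the secret it received from the QR code and combines it with the current time (RFC 6238 TOTP, built on RFC 4226 HOTP), and the service checks the submitted code with a small tolerance for clock drift. The secret used here is the published RFC test key, a constructed example, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret (the RFC 4226/6238 test-vector key), NOT a real account secret.
# A real authenticator receives its secret base32-encoded inside the QR code it scans.
SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)  # counter as big-endian 64-bit integer
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of last byte selects the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since epoch.
    This is the six-digit code the authenticator app displays."""
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Service-side check: accept the current step and `window` steps either side
    to tolerate clock drift, comparing in constant time to avoid timing leaks."""
    base = now // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + drift), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET_BASE32, now)
    print("Authenticator shows:", code)
    print("Service accepts it:", verify_totp(SECRET_BASE32, code, now))
    print("Service accepts 000000:", verify_totp(SECRET_BASE32, "000000", now))
```

A code is only useful to whoever holds the secret and the current time, which is why a stolen password alone does not get past the second step.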
MFA makes it harder for cybercriminals to access your account and it could also alert you to any suspicious activity. This means if your password is guessed or stolen and a cybercriminal is trying to log in to your account, you will be sent a security code or notification. This will prevent them from logging in to your account as they won’t have the security code, or you can deny them entry if you use the Microsoft Authenticator app. You can then change your password to secure your account. If you don’t have MFA turned on, you may not get notifications of attempts to log in to your account.

This guide will show you how to set up MFA for your Microsoft Account on your computer. If you don’t have access to a computer you can follow these steps on any device, however some screens may appear different than pictured.

1. Open an internet browser (for example Google Chrome, Microsoft Edge, Mozilla Firefox or Opera). Go to the Microsoft Office website and select Sign in in the top right corner.
2. Enter your sign-in information and select Next, then enter your passphrase and select Sign in.
3. Select your account profile icon or picture in the top right of the screen and select My Microsoft Account.
4. Select Security in the top banner.
5. Select Two-step verification. If you don’t already have a recovery method for your account (such as an alternate email address or phone number) you will now be prompted to set one up. A recovery method can help you get back into your account if you lose access. Follow the on-screen prompts to set up a recovery method. You may see a prompt about setting up a feature to ‘sign in without a password’. This is a feature offered by Microsoft and an alternative to setting up your account with a password. For more information, see Microsoft’s official website.
6. Select Manage under ‘Two-step verification’.
7. Read the information and select Next.
8. Select which method of MFA you would like to use.
The ACSC recommends using an authenticator app on your smartphone.
9. If you don’t have one already, install an authenticator app on your smartphone by going to the App Store or Google Play Store, installing your chosen authenticator app and then following the prompts to set up the app. Microsoft recommends the Microsoft Authenticator app pictured below.
10. Once you have your authenticator app installed and set up, select Next.
11. Open the authenticator app on your smartphone and scan the QR code. Enter the code generated by the app and select Next. Store your recovery code in a secure place and create a backup of it in a secondary place. This will help you access your account if you lose access to your authenticator app. Select Next.
12. If you have an app or smartphone that needs an app password, follow the on-screen prompts for your device. Most modern smartphones and apps accept security codes, so an app password won’t be necessary. Select Next if you do not require an app password.
13. If you have an older device or application that cannot accept a security code (for example an Xbox 360 or Microsoft Office 2010 or earlier) you can create an app password. Follow the on-screen prompts to learn more about app passwords. If you do not require an app password select Finish.
14. On your security dashboard, check that two-step verification is now turned on.

If you replace your smartphone, remember to move your authenticator app to the new device by using the backup and recovery feature.

Security tips for securing your Microsoft account

We have included some additional security tips to help keep your account secure.

Add security information

Additional security information is a phone number or alternate email address used to contact you or send you security codes if your account is compromised. For more information see Microsoft’s website.

Use passwordless

Passwordless is a way to securely sign in to your account without a password.
Instead you sign in with your username and then confirm it is you with the Microsoft Authenticator app on your phone. For more information see Microsoft’s website.

Don’t share MFA codes or approve unknown sign-in attempts

Requests for sign-in approval and the security codes you get are Microsoft’s way of checking that you are the person who signed in. If you give someone else your MFA code or approve unknown sign-in attempts then someone else might be able to log in to your account. Never approve unknown sign-in attempts or give anyone else your MFA code.

Remember to transfer your authenticator when you change devices

If you are using an authenticator app for MFA and you get a new device, make sure you transfer it to your new device before disposing of or resetting the old one. We recommend adding a recovery method to your account and saving your backup codes in case you lose access to your authenticator app.

Keep your apps up to date

For security reasons it is important to keep your apps up to date. Wherever you are logged in to your account, make sure the apps are up to date, whether it be an internet browser, Microsoft Office, email or other apps on your phone. Updates often include important security upgrades.

Keep your OS up to date

It is also important to keep your operating system up to date. Updates will have important security upgrades. Ensure that all computers and phones have the most recent version of software, and if a device is no longer supported by software updates or security updates, consider replacing it.

Check your recent activity

If you receive an email notifying you of unusual activity, you can see when and where your account has been accessed, including successful sign-ins and security challenges, on the Recent activity page. Microsoft learns how you usually sign in to your account and flags events that are suspicious.
Keep your devices safe

If you lose or give away a device that you use to sign in to your Microsoft account, or if you know that someone else has access to your devices for whatever reason, be proactive and remove the trusted status from your devices. To remove trusted devices, go to the Security basics page, select More security options, scroll down to Trusted devices, and then select Remove all the trusted devices associated with my account. For more information, see how to add a trusted device to your Microsoft account.