Outlook.com – Does Hotmail Offer Two-Factor Authentication?

authenticationoutlook.compasswords

I've read multiple news articles that claim Hotmail offers two-factor authentication. One of the articles describes Hotmail's system, saying

…whenever you go to Hotmail…you can choose to get a single-use code–a string of numbers that will be sent via text message to your phone–to use instead of your password.

Is this an accurate description of Hotmail's system?
If so, does Hotmail really offer two-factor authentication? If you can use either your password or a single-use code, it seems to me that it does not.
Is this system really more secure than just having a password? Doesn't this just make an additional "key" available to a hacker? (I must be wrong here, I know the folks at Microsoft are much smarter than I am).

Best Answer

Well your second article merely references the first, so only one article is really spreading the idea.

Hotmail doesn't have a two-factor system. As you suggest, you actually have the option of having a single use code sent to your phone to use on a public computer to login instead of a password. So in effect it is still single sign on, but you have a choice of two ways for that way to be.

Using the code is more secure in the sense that a keylogger or packet sniffer on the computer will only get a single use code that has been used, as opposed to your password. If you have HTTPS enabled (which I believe is default now) then there is also little opportunity for session hijacking as well. Just don't forget to log off!

Related Solutions

Gmail – How does Google’s new two-factor authentication work with IMAP, POP, etc.

What you need to do is generate an application-specific password for each client you want to authenticate to your Google account. Then enter the application-specific password instead of your password or password + verification code.

You can generate these application-specific passwords by going to this page (use your domain name instead of example.com):

https://www.google.com/a/example.com/IssuedAuthSubTokens?hl=en&service=mail

Google provides instructions for doing this on their Sign in to mobile or desktop apps page.

How does application specific passwords with Googles two-factor auth work

Application specific passwords are extra passwords for your account. While you give the password a name, it doesn't explicitly tie that password to a specific application. That feature allows you to easily deactivate, by device or application, the password in question.

In some respect, they could be seen as a security vulnerability. That's why you should never write them down. An app-specific password could be used by an attacker to sign-in to your account. However, I don't think there's a way to fully hijack the account (change the main password with the app-specific one). So, there's only a limited benefit to an attacker if they compromise your account with an app-specific password.

App-specific passwords are going to protect your primary authentication information from being compromised. They're required when you turn on 2-factor authentication, because there are some apps that won't accept the 2nd factor token. The app-specific password is a temporary work around until other apps can add support for 2-factor authentication.

2-factor authentication requires more than just your password (in this case, your phone) in order to compromise your account. And, in that respect, the combo of 2-factor auth and app-specific passwords are doing a whole lot of good, keeping your account safe and away from any hijacking attempts.

Best Answer

Related Solutions

Gmail – How does Google’s new two-factor authentication work with IMAP, POP, etc.

How does application specific passwords with Googles two-factor auth work

Related Topic