Microsoft will toughen up its products' security by adding dual-factor authentication "soon," according to a report today by Liveside.net.
Judging by details in the Microsoft-focused blog, the approach closely mirrors what Google did years ago: authentication requiring both a password (the first factor) and a special six-digit code retrieved from an authenticator app on a person's smartphone (the second factor). The smartphone code changes frequently so it can't be used for long.
Microsoft offered only this comment today: "Security and privacy is a priority for Microsoft, however we have nothing new to share at this time."
However, there's a strong indicator that there's truth to the report: the availability of an Authenticator app from Microsoft for Windows Phone 7.5 and 8, published last Friday with a version 22.214.171.124 release.
One commenter said the app "also works with Google's 2-step authentication," an indication that there could be a two-way street between Google and Microsoft systems. That could be very handy since Google offers its Authenticator app for Android, iOS, and BlackBerry and many people who might want to use Microsoft services will have those types of phones.
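The six-digit, frequently changing code described above, and the reason one vendor's app can work with another's service, shown as an added example that is not from the article, Microsoft or Google. It assumes both sides implement the open TOTP standard (RFC 6238), which Google Authenticator does; the secret is the RFC's published test key, and `Verifier` with its one-step drift window is a hypothetical server-side design.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app

# Constructed sample: the RFC 6238 test key, base32-encoded the way it is
# shared with the phone during pairing (normally via a QR code).
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time):
    """Code that any standards-following app shows at unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server-side check: tolerates clock drift, rejects reused codes."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window   # time steps accepted either side of "now"
        self.last_step = -1    # newest step already consumed by a login

    def verify(self, code, unix_time):
        current = int(unix_time) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already used, or older than a used code: replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    server = Verifier(SECRET)
    code = totp(SECRET, 59)                  # what the phone displays
    print(code, server.verify(code, 59))     # first use is accepted
    print(code, server.verify(code, 59))     # same code again is rejected
```

Because the code depends only on the shared secret and the clock, the server never needs to know which vendor's app produced it.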
In 2012, Microsoft acquired PhoneFactor, a provider of multi-factor authentication technology that uses phones.
Dual-factor authentication makes it harder for people to get access to your account, since those trying to get access to your account need both your password and your smartphone. Even if they get access to both, they'd also need to get past your smartphone lock screen -- you do use a password or other security mechanism, right?
However, dual-factor brings a significant hassle, too.
You must authorize your phone in advance using a pairing process.
Software and services that tap into your account -- likely including some e-mail programs, for example -- must be reworked to handle dual-factor authentication. And until they are, you must use what Microsoft apparently will call "app passwords," and what Google calls application-specific passwords.
You have to have your phone with you to log in to devices and services, which can be an annoyance if it's upstairs charging and you're downstairs working, or if you left your phone at home by mistake. It appears likely from the Liveside report, though, that you'll be able to skip dual-factor authentication on frequently accessed systems after logging in on them once. And Google, at least, lets you print a set of authentication codes that you can use in an emergency instead of the dual-factor authentication.
A hassle it may be, but identity theft is a lot worse, especially in cases where hackers obtain account details for tens of thousands of account holders at a time. So it's no surprise that dual-factor authentication is gradually spreading around the industry.
Facebook, Yahoo, PayPal, and Dropbox already offer dual-factor authentication, with Dropbox customers able to use Google Authenticator. Twitter posted a job listing indicating its interest, too.
Updated at 8:00 a.m. PT with Microsoft's response.