What is your most valuable online account, the one that deserves the most protection? If you have a personal Microsoft account, that account should be among those you guard most jealously. This is especially true if you use that account and its associated email address to sign in to one or more Windows computers or to create and save documents using the Office apps in Microsoft 365 and Microsoft’s OneDrive cloud storage service.
In this post, I list seven steps you can take to lock down that account so it’s safe from online attacks. Your goal is to prevent an unauthorized person from stealing your account credentials and using them to access your private information.
As always, there’s a balance between convenience and security, so I’ve divided the steps into three groups based on how tightly you want to lock down your Microsoft account.
And here’s an important note up front: This article is about the free consumer Microsoft accounts used with Microsoft 365 Family and Personal editions and the personal OneDrive service. These accounts are typically associated with an email address that uses the @outlook.com domain, although older accounts may also use @hotmail.com, @live.com, or @msn.com. Security settings for business and enterprise Microsoft 365 accounts, which use the OneDrive for Business cloud service, are managed by domain administrators through Entra ID (formerly known as Azure Active Directory), using a completely different set of tools.
How much security do you need?
Baseline: The baseline level of security (steps 1-3) is perfectly acceptable for most casual users of Microsoft services, especially those who do not use their Microsoft email address as a primary factor for signing in to other sites. If you’re helping a friend or family member who is technically unsophisticated and intimidated by passwords, these options will do just fine.
The first step is to create a strong password for your Microsoft account, one that is not used by any other account. Next, you’ll turn on two-step verification (Microsoft’s term for multi-factor authentication) to protect yourself from phishing and other forms of password theft. Enabling that feature requires you to provide additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as changing your password or adding a credit card to your account. The additional verification typically consists of a code sent in an SMS text message to a trusted device or in an email message to a registered alternate account.
Finally, you’ll save a recovery code that allows you to access your account if you forget that password and don’t have access to any other authentication methods.
Better: Those baseline precautions are sufficient, but you can significantly tighten security with the actions outlined in steps 4 and 5.
First, install the Microsoft Authenticator app on your smartphone (it’s available for iPhone and Android devices) and set it up to use as a sign-in and verification option. Then add a secure email address as a backup factor to verify your identity.
Maximum: The last two steps provide the utmost security, adding at least one physical hardware key along with the Microsoft Authenticator app, then removing SMS text messages as a backup authentication factor. With that setup, you can still use your cellphone as an authentication factor, but a would-be attacker won’t be able to break into your account by intercepting text messages or hijacking your cellphone account.
That setup puts significant roadblocks in the way of even the most determined attacker. It requires an extra investment in hardware and it certainly adds some friction to the sign-in process, but it’s by far the most effective way to secure your Microsoft account.
Let us begin.
Here’s how to lock down your Microsoft account
First things first: You need a strong, unique password for your Microsoft account. Microsoft requires a minimum password length of eight characters, but security experts recommend that you make your password longer. A good length is 12-16 characters, with any random combination of uppercase and lowercase letters, numbers and special characters. You can also use a passphrase consisting of four or more randomly selected words separated by a special character such as a hyphen.
The best way to ensure you’ve met this requirement is to use your password manager’s tool to generate a brand new, random password or passphrase. (No password manager? Try an online option like the 1Password Strong Password Generator or the Bitwarden Password Generator.)
Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you may have accidentally reused is not part of a password breach.
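An added example (my own code, not the article’s or any password manager’s) of the points above: generating a password or passphrase with the operating system’s random generator, estimating the guessing work each represents, and checking a candidate against a breach list by sending only the first five characters of its SHA-1 hash, the k-anonymity scheme password managers use for breach lookups. The wordlist, the range response and its counts are constructed for the example.

```python
import hashlib
import math
import secrets
import string

# Added example, not from the article. ALPHABET is the 94 printable ASCII
# characters the article describes (upper/lower case, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16) -> str:
    """12-16 random characters drawn with the OS CSPRNG (secrets, not random)."""
    if not 12 <= length <= 16:
        raise ValueError("the article recommends 12-16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Four or more randomly chosen words joined by a separator such as a hyphen."""
    if words < 4:
        raise ValueError("use at least four words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Guessing entropy of `picks` independent uniform choices from `choices` options.
    12 random characters (94 options) ~ 78.7 bits; 4 words from a 7,776-word list ~ 51.7."""
    return picks * math.log2(choices)


def hash_prefix_and_suffix(password: str):
    """Upper-case SHA-1 hex split into the 5-char prefix that is sent to the breach
    service and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against a 'SUFFIX:COUNT' response for the password's prefix."""
    _, suffix = hash_prefix_and_suffix(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample of a range response for prefix 5BAA6: the first suffix is the
# real SHA-1 suffix of the word "password"; the counts and second line are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
"""
```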
To change your password, go to the Microsoft Account Security Basics page at https://account.microsoft.com/security/. Log in, if necessary, then click Change Password. (But don’t check the box that requires you to change your password every 72 days. That’s sure to annoy you, and it won’t make your account significantly more secure.)
Follow the instructions to save the new password with your password manager. Feel free to write it down, if you prefer a physical backup. Just be sure to store the paper in a safe place, such as a locked file drawer or a safe.
Do not leave the Microsoft account security page yet. Instead, scroll up to the Two-Step Verification section (under the Additional Security heading) and make sure this option is turned on.
The setup process is a fairly simple wizard that confirms you can receive verification messages. If you’re using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.
The next step is to save a recovery code. If you are ever unable to log into your account because you forgot the password, accessing this code will prevent you from being permanently locked out.
If you set up two-step verification, as you did in the previous step, you will automatically be prompted to create a recovery code. If you haven’t kept a copy of that code, you’ll need to create a new one. On the Microsoft Account Security Basics page, find the Advanced security options section and click Get Started. This takes you to the not-so-basic Microsoft Account Security page. (To go there directly, bookmark this address: https://account.live.com/proofs/Manage/additional.)
Scroll to the bottom of the page and find the Recovery Code section. Click Generate a new code to display a dialog box like the one shown here.
Print out that recovery code and file it in the same locked file cabinet or safe where you put your password. (Microsoft allows you to generate only one code at a time for a Microsoft account. Generating a new code invalidates the old code.)
And now for some more advanced security options.
Smartphone apps that generate time-based one-time password (TOTP) codes are an increasingly popular form of multifactor authentication, and I highly recommend their use for any service that supports them. (For more on these options, see “Protect Yourself: How to Choose the Right Two-Factor Authentication App.”)
Even if you use another authenticator app for most services, I recommend using Microsoft Authenticator with your Microsoft account. In this setup, any login attempt that requires authentication sends a push notification to your smartphone. Approve the request and you’re done.
An added bonus is that the Microsoft Authenticator app can be used for passwordless login as well as authentication.
To set up Microsoft Authenticator with a Microsoft account, go to the advanced Microsoft Account Security page and click Add a new way to sign in or verify. Select the Use an app option and then, after installing the Microsoft Authenticator app, sign in with your account credentials.
Microsoft recommends that you have at least two forms of authentication available in addition to your password. When two-step verification is enabled and you need to reset your password, you’ll have to provide both of those forms of identification or risk being permanently locked out.
A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address secured by a professional IT staff is a much better choice. If necessary, you can have a verification code sent to that email address.
Go to the advanced Microsoft account security page and click Add a new way to sign in or verify.
Select the Email A Code option, enter your email address and then enter the code you received to confirm that verification option.
This step is the most advanced of all. It requires an investment in extra hardware, but the requirement to insert a device into a USB port or connect it via Bluetooth or NFC provides the highest level of security.
For an overview of how this type of hardware works, see “YubiKey hands-on: Hardware-based 2FA is more secure, but watch out for these gotchas.”
To set up a hardware key, go to the advanced Microsoft account security page and click Add a new way to sign in or verify. Select the Use a security key option and then follow the prompts. You will need to enter the PIN for your hardware key, then touch to activate it. When that setup is complete, you have a powerful way to sign in to any service powered by your Microsoft account without struggling with passwords.
As I mentioned at the beginning of this article, most people don’t need this level of advanced protection. But if your OneDrive account includes valuable documents like tax returns and bank statements, you’ll want to lock it down as tightly as possible.