How to set up two-factor authentication (2FA) on a Microsoft account
If you use a Microsoft account, you should enable two-step verification to add an extra layer of security, and here's how.
Microsoft accounts come with support for two-step verification (also known as "two-factor authentication," "2FA," or "multi-factor authentication") to add a second layer of verification to increase security, making it harder for hackers to gain access to your data and your Windows 11 computer.
In short, if the password were compromised, it'd be virtually impossible to sign into the account since the malicious individual would need a second form of authentication that only you can provide.
If you want to set up two-step verification, you will have to use the Microsoft Authentication app. Once the feature has been enabled, it will prompt you to authenticate with your phone to verify you are you.
In this how-to guide, I will walk you through the steps to configure two-step verification on your Microsoft account to prevent unauthorized access to Outlook, OneDrive, Microsoft 365, Xbox Network, and other Microsoft services.
How to enable two-step verification on Microsoft account
Configuring the two-step authentication security feature requires having the Microsoft Authenticator app on your phone and then enabling the option in the Microsoft account.
Set up Microsoft Authenticator app
The first step to add an extra security layer to your account is configuring the Microsoft Authenticator app. These steps are meant to set up the app on an Android device but should be similar for iOS devices. (If you already have the app on your phone, you can skip the steps below and continue with the feature setup instructions.)
To install the Microsoft Authenticator app on Android, use these steps:
Get the Windows Central Newsletter
All the latest news, reviews, and guides for Windows and Xbox diehards.
- Open Google Play Store.
- Search for the Microsoft Authenticator app.
- Tap the Install button.
- Tap the Open button.
- Tap the I agree button to continue.
- Tap the "Sign in with Microsoft" button.
- Confirm your Microsoft account address.
- Click the Next button.
- Confirm your account password.
- Click the Sign in button.
- Select the verification method — for example, a secondary email address.
- Complete the verification.
- Tap the Got it button.
- Tap the OK button (if applicable).
Once you complete the steps, a notification will appear on your phone to approve and continue the sign-in automatically when signing into your account.
Set up two-step authentication
The next step is to set up two-step authentication on your Microsoft account. However, before proceeding, it is critical to have multiple contact information to prevent getting locked out of the account. If you need to update your security information, use the steps below to continue setting up the feature.
To enable the verification feature, use these steps:
- Open Microsoft account (web).
- Sign in with your credentials (as needed).
- Click the Security tab.
- Click the "Advanced security options" tile.
- Click the Turn on option for two-step verification under the "Additional security" section.
- Click the Next button.
- (Optional) If you use the Outlook app on your phone, select the platform, and follow the directions to enable the app to sync your emails with an app password.
- Click the Next button again.
- Click the Finish button.
After you complete the steps, when logging in from an unrecognized device, you will receive an alert on the phone to confirm access to the account.
How to add security info for two-step verification
When you enable two-step verification on a Microsoft account, the second form of authentication request will appear every time you sign in. Also, if you forget the password, you must have two contact methods to regain access. As a result, before enabling the feature, you must ensure the account has at least three secondary contacts, which can be a mix of emails or phone numbers.
To add security information to a Microsoft account, use these steps:
- Open the Microsoft account on the web.
- Sign in with your credentials (as needed).
- Click the Security tab.
- Click the "Advanced security options" option.
- Click the "Add a new way to sign in or verify" option under the "Ways to prove who you are" section.
- Select the verification option — for example, "Email a code," but you can choose an app, SMS message, Windows Hello, or security key.
- Confirm the alternative email address.
- Click the Next button.
- Check the code in the alternative email account.
- Confirm the code on the Microsoft account page.
- Click the Next button.
Once you complete the steps, as you access the account, you can complete the security code using one of the contact methods on the account.
How to create an app password for two-step verification
The two-step authentication method is not supported by all platforms and apps, which means that in some cases, you may need to create an app password to access a Microsoft product like Outlook.
To create an app password on a Microsoft account, use these steps:
- Open Microsoft account (web).
- Sign in with your credentials (as needed).
- Click the Security tab.
- Click the "Advanced security options" option.
- Click the "Create a new app password" option under the "App passwords" section.
- Use the generated password on the app or device that doesn't support a security code.
- Click the Done button.
After you complete the steps, the app will be able to access the Microsoft account while two-step verification is enabled.
Delete app passwords
To delete an app password on a Microsoft account, use these steps:
- Open Microsoft account (web).
- Sign in with your credentials (as needed).
- Click the Security tab.
- Click the "Advanced security options" option.
- Click the "Remove existing app passwords" option under the "App passwords" section.
- Click the Remove button.
- Click the OK button.
Once you complete the steps, the existing app passwords will be deleted from the account, revoking app access on any device on which you had the account configured.
How to disable two-step verification on Microsoft account
Although not recommended, you can disable 2FA to use the traditional authentication process.
To disable two-step verification, use these steps:
- Open Microsoft account (web).
- Sign in with your credentials (as needed).
- Click the Security tab.
- Click the "Advanced security options" option.
- Click the Turn off option under the "Additional security" section.
- Click the Yes button.
After you complete the steps, you will continue to receive security access codes when the system detects a security risk.
If you turn off the security feature, you must also update the services you previously configured with an app password to use the traditional authentication method (password).
More resources
For more helpful articles, coverage, and answers to common questions about Windows 10 and Windows 11, visit the following resources:
Mauro Huculak has been a Windows How-To Expert contributor for WindowsCentral.com for nearly a decade and has over 15 years of experience writing comprehensive guides. He also has an IT background and has achieved different professional certifications from Microsoft, Cisco, VMware, and CompTIA. He has been recognized as a Microsoft MVP for many years.