How to enable TOTP-based 2FA on a Microsoft account

Choosing a 2-factor authentication app #

TOTP-based authentication is a standardized system, so there are different options to choose from:

App	Has sync?	Open source?	Notes
Authy	✅	❌	Requires Snap on Linux. Has vendor lock-in — it will not show you your codes. Has better restore functionality than other apps
Aegis	✅	✅	Sync is via cloud storage API
WinAuth	❌	✅
Ravio	✅	✅	Sync is via iCloud
TOTP.app	❌	✅	Stored in browser cookies
oathtool	❌	✅	Advanced
pass-otp	❌	✅	Advanced

App to avoid	Reason
❌ Google Authenticator	Bad vendor lock-in, no sync
❌ Microsoft Authenticator	Bad vendor lock-in, very buggy

Before starting, you should consider performing a malware checkup and browser checkup procedure to defang any current compromise on your PC from being able to steal authentication info.

In this example, we will use Authy. Login to your account by visiting account.microsoft.com or search the web for login to microsoft account.

Scroll down and click Security

Scroll down and click Two step verification - Turn on.

Click Next.

Click set up a different Authenticator app to avoid the dark pattern.

Why? The Microsoft Authenticator app is buggy and has vendor lock-in preventing you from easily switching to other services.

Go to your authenticator app and create a new entry. In this example we are using Authy.

Scan the QR code, or type in the code it generates.

Tip: You can copy this QR code or the text for later reference, and you can add the code to multiple different apps for redundancy.

Give it a name and an icon (optional) and set the token length to 6-digit. Click Save.

Copy the 6-digit code it generates into the Microsoft website to verify that it is working properly. Click Next.

You are done! Make a paper backup of your backup codes if you wish.

Licensed CC BY — copy this document for your own use.