How to enable TOTP-based 2FA on a Microsoft account
Choosing a 2-factor authentication app #
TOTP-based authentication is a standardized system, so there are different options to choose from:
App | Platforms | Has sync? | Open source? | Notes |
---|---|---|---|---|
Authy | ✅ | ❌ | Requires Snap on Linux. Has vendor lock-in — it will not show you your codes. Has better restore functionality than other apps | |
Aegis | ✅ | ✅ | Sync is via cloud storage API | |
WinAuth | ❌ | ✅ | ||
Ravio | ✅ | ✅ | Sync is via iCloud | |
TOTP.app | ❌ | ✅ | Stored in browser cookies | |
oathtool | ❌ | ✅ | Advanced | |
pass-otp | ❌ | ✅ | Advanced |
App to avoid | Reason |
---|---|
❌ Google Authenticator | Bad vendor lock-in, no sync |
❌ Microsoft Authenticator | Bad vendor lock-in, very buggy |
After you have chosen an app #
Before starting, you should consider performing a malware checkup and browser checkup procedure to defang any current compromise on your PC from being able to steal authentication info.
In this example, we will use Authy. Login to your account by visiting account.microsoft.com or search the web for login to microsoft account
.
Scroll down and click Security
Scroll down and click Two step verification - Turn on
.
Click Next
.
Click set up a different Authenticator app
to avoid the dark pattern.
Why? The Microsoft Authenticator app is buggy and has vendor lock-in preventing you from easily switching to other services.
Go to your authenticator app and create a new entry. In this example we are using Authy.
Scan the QR code, or type in the code it generates.
Tip: You can copy this QR code or the text for later reference, and you can add the code to multiple different apps for redundancy.
Give it a name and an icon (optional) and set the token length to 6-digit. Click Save
.
Copy the 6-digit code it generates into the Microsoft website to verify that it is working properly. Click Next
.
You are done! Make a paper backup of your backup codes if you wish.
© lordpipe
Licensed CC BY — copy this document for your own use.