Particularly relevant after my discussion of Canadian banking password policies, Microsoft is adding two-factor authentication to Hotmail, the Windows Store, and other Microsoft services.  Articles such as “Two-factor authentication finally heading to Microsoft Accounts” make it obvious that this is overdue (my emphasis).  Unfortunately it’s not released to the public yet, but if you use any of these Microsoft services then I recommend you turn it on as soon as it becomes available.

Use two-factor authentication for your e-mail!

In fact, I STRONGLY recommend you use two-factor authentication on every e-mail account you have, wherever it is hosted.

The reason is simple:  Most websites let you reset your password through a “forgotten password” feature that e-mails you a reset link or code.  So if an attacker gets into your e-mail account, they effectively have access to every website you use, because they can ask each site to send a forgotten-password e-mail.  The attacker reads that e-mail, follows the link, and changes the password on your [banking/Twitter/Facebook/whatever] account to something they know.  Your e-mail account is the master key to all the others, which is why it deserves the strongest protection you can give it.

This is not imaginary; it actually happened to reporter Mat Honan.

More in my next post about how this impacts companies implementing security – which is of course all of them…
