Microsoft today announced new security features that are now available to Windows Live users. A massive problem for users of many services, but especially very popular ones like Hotmail, is having their accounts hacked so that they can be used to send out spam. Today Microsoft has added 2 more important features to its arsenal of defenses, allowing users to protect their accounts from being hijacked and to recover hijacked accounts. These additional features are called Proofs and are basically ways to verify that you own the account without having to know the password, so that if you forget the password OR the account is hijacked and the password is changed, you can still prove that you own the account and get it back under your control.
For a long time Microsoft has provided two Proofs that you can set up so that you can recover a forgotten password: the secret question and the alternate email. Basically, if you could not access your account, you said you had forgotten your password and an email was sent to the alternate email address you provided, with instructions on resetting it. To successfully reset it, you also had to answer the secret question, giving the answer you provided when you set the account up. The problem was that 25% of people forgot the answer to their secret question and therefore could never gain access to the account again. Today Microsoft added 2 more Proofs to your account and I highly recommend taking the time to set these up.
The first of these new Proofs is the mobile (or cell) phone number. You can now associate a mobile phone number with your account, which means that instead of answering your secret question, you can opt to have a code sent by SMS to your mobile phone, which you are then prompted to enter. This means that an attacker would need to have your mobile phone (which is incredibly unlikely) to be able to gain access to your account, but it also means that you can easily regain access to your account if it's compromised, because you're the only person who's likely to have access to your phone. The mobile phone number you add to your Windows Live account is also used by a second feature that I will mention shortly.
The second of these new Proofs is the concept of the Trusted PC. Basically the concept is simple - the attacker isn't going to have access to your computer (it's extremely unlikely that they even know you), so if you're using your computer to access your account, it must be you. So you can add your computer as a Trusted PC, and if you ever lose access to your account and attempt to reset the password from your Trusted PC, you're automatically verified and the reset is successful, giving you access to the account again. So far, adding, removing or changing any of these Proofs has required you to confirm the change through one of the other Proofs. So adding a new mobile number sends an email to your alternate email address to confirm you want to add that number, adding a new email address sends a code to your mobile number to verify you, and so on. This is to prevent an attacker from simply adding their own Proofs to your account. Once you add a Trusted PC, however, any further changes made to Proofs from that computer are automatically accepted, which makes sense.
So I highly recommend adding these additional Proofs to your Windows Live ID right now. It only takes a few minutes to complete, and once you do it, you know that it will be extremely hard for you to ever permanently lose access to your account, even if it is hijacked. To add them, you can either go directly to http://account.live.com/ OR, on any Windows Live page (which for most of you probably means Hotmail), click on your name in the top right-hand corner and choose Account from the menu. You may be asked to re-enter your password and then you'll be taken to this screen. Here you can simply click Add next to the Proofs you wish to add (I recommend adding at least one of each type if possible) and follow the steps. Note: from my testing, adding a Trusted PC only works if you visit the website in Internet Explorer (other browsers seem to throw up an error saying that Windows Live Essentials is not installed). Proofs that are working properly are labeled Confirmed. If a Proof does not say this, then you need to confirm it before it will work.

Now, I previously mentioned that adding a mobile number to your account is useful because it enables a second feature, and that feature is called Single Use Codes. If you ever use a computer which you are not sure is secure (i.e. it could have keyloggers on it), which is likely in most internet cafes, then you can use Single Use Codes to prevent an attacker from capturing your password with a keylogger. What you do is enter your email address, then request a Single Use Code. A code is sent to the mobile phone number you set, and you then enter that code instead of your password to sign in. The code can only be used once, so although the keylogger may log it, it is of absolutely no use to the attacker.

Requesting a Single Use Code

Entering A Single Use Code
So with all these security features protecting you, Windows Live appears to be a safe place to hold an email account and share photos. Of course, you still need to make sure that you have strong passwords that aren't easy to crack, use common sense and never give away your password, but in situations where attackers do manage to gain access to your account, you now have the tools to take it back easily. The last security feature, which is planned for later this year, is full-session SSL security. This means that not only will your login be 100% secure (with the padlock showing), but your entire email session will be secure too, which is a good thing.






