Microsoft Outlook 2-step Verification: Not Actually 2-Step

Easier to unlock than you may think.
I'm a fan of using Outlook e-mail. When two-step authentication came out for Outlook I was excited that Microsoft had changed their mind about temporary single-use codes being a sufficient solution, since that still left the system open to anyone who knew the plain text password. Unfortunately it's not really two-factor authentication...

The implementation of two-step authentication for Outlook hasn't been applied correctly. Two-step should check for, at a minimum:

 1. Something a user knows
 2. Something a user possesses

Well, there's an unfortunate hole in the latter in Microsoft's implementation. It's great to give users options, but in this case you are allowed to select from multiple verification methods:

 - Call your phone number
 - Text your phone number
 - Use an authentication app on your smartphone (not shown in the screenshot)
 - Send an e-mail to your linked e-mail account

Unfortunately the last option, e-mailing your backup e-mail address if you have one set in Outlook, is a weak point: it is simply another password. So the Achilles' heel of this verification system is that it does not enforce verification method 2, "Something a user possesses". Although it could be argued that you 'possess' the other e-mail account, it's not something you physically possess; it is just another password, i.e. something a user should know. I say should, because a lot of people just save their passwords in their browsers and forget them.


Convenience at the cost of Security: Allowing e-mail verification.

Selecting "Email to verify" is not much better than a single password: once the other e-mail address is known, it only comes down to knowing two passwords instead of one. And in the worst-case scenario, where the user has the same password for both e-mail accounts (Outlook and the other one), the "not-quite two-step verification" is bypassed with knowledge of a single password.

The easy solution here is for Microsoft to let users disable the e-mail verification option if they so wish. Better still, disable that option by default, let users explicitly enable e-mail verification in their own settings, and warn them at that point that the selected verification option is weaker and does not satisfy two-step.

This is something Google has definitely got right at this point.


Keeping it simple and secure.

I look forward to seeing Microsoft fix this flaw, which is providing a false sense of security to its users!