Secure Your Microsoft Account Before Someone Else Does
Add up what one Microsoft account controls: the login to your Windows PC. Your Outlook mail. OneDrive, holding whatever Documents and Pictures sync there. Your BitLocker recovery keys, if you followed my encryption guide. Xbox and Microsoft 365 purchases. For a lot of people it is, functionally, their digital estate — guarded by a password invented years ago and a phone number.
This is a one-sitting fix. Open account.microsoft.com, sign in, click Security, and work down the page with me.
The first ten minutes: from password to passwordless
Microsoft is unusually good here — it's one of the few major providers that lets you delete your password outright, and an account with no password offers nothing to phish, leak, or stuff.
First, install Microsoft Authenticator on your phone and add your account (Security page → Advanced security options → Add a new way to sign in → Use an app). Approve a test sign-in so you know it works. Notice it uses number matching — the sign-in screen shows a two-digit number you must type into the app. That's not friction for its own sake; it's the design that defeats the push-bombing attacks that plagued simple Approve/Deny prompts. I dissect those attacks in a companion piece.
Then the satisfying part: on the same Advanced security options page, find Passwordless account and turn it on. Microsoft walks you through confirming via the app, and then — there is no password anymore. Sign-ins happen by app approval, Windows Hello, or a passkey. If you're not ready for that leap, the fallback position is a long random password from your manager plus the Authenticator as second factor; but having run passwordless for a long time now, the leap is smaller than it looks and the peace of mind is larger.
While you're on this page, add a passkey too if offered on your devices (Add a new way to sign in → Face, fingerprint, PIN, or security key) — passkeys are the same phishing-proof idea with broader industry momentum, and the full story is in my passkeys guide.
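The number-matching point above, as an added illustration rather than anything from Microsoft's own implementation: a toy approval server in which the two-digit number is handed only to whoever sits at the sign-in screen, so a phone that did not start the sign-in has nothing correct to type. All class and function names are invented for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Challenge:
    number: int          # two-digit value shown only on the sign-in screen
    settled: bool = False
    approved: bool = False


class ApprovalServer:
    """Constructed model of push approval, with or without number matching."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.challenges: dict[str, Challenge] = {}

    def start_sign_in(self):
        """Whoever is at the sign-in screen gets the prompt id and the number to show."""
        cid = secrets.token_hex(4)
        self.challenges[cid] = Challenge(secrets.randbelow(100))
        return cid, self.challenges[cid].number

    def phone_response(self, cid: str, approve: bool, typed_number=None) -> bool:
        ch = self.challenges[cid]
        if ch.settled:
            return False          # one answer per prompt, no retries
        ch.settled = True
        if not approve:
            return False
        ch.approved = (typed_number == ch.number) if self.number_matching else True
        return ch.approved


def legacy_prompt_tapped_blindly() -> bool:
    s = ApprovalServer(number_matching=False)
    cid, _ = s.start_sign_in()               # started by someone other than the phone's owner
    return s.phone_response(cid, approve=True)   # a reflexive Approve completes it


def matching_prompt_without_the_screen() -> bool:
    s = ApprovalServer(number_matching=True)
    cid, shown = s.start_sign_in()
    guess = (shown + 1) % 100                # the phone's owner never saw `shown`
    return s.phone_response(cid, approve=True, typed_number=guess)


def matching_prompt_legitimate() -> tuple[bool, bool]:
    s = ApprovalServer(number_matching=True)
    cid, shown = s.start_sign_in()           # same person holds screen and phone
    first = s.phone_response(cid, approve=True, typed_number=shown)
    replay = s.phone_response(cid, approve=True, typed_number=shown)
    return first, replay
```

The legacy flow succeeds on a blind tap; with matching, the tap alone is worth nothing and a settled prompt cannot be answered twice.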
The next five: evict your phone number
Scroll your sign-in and verification methods. If your phone number is listed as a way to sign in or verify, you've left a side door keyed to your SIM card — and SIM-swap attacks transfer that key to a stranger at a phone-store counter. With the Authenticator working, remove the phone number as a sign-in/verification method.
Two replacements for what the number used to do:
- The recovery code. Advanced security options → Recovery code → generate it, and store it somewhere genuinely offline — printed in the drawer with your passport, and/or in your password manager. This single code is your way back in if the phone dies. Microsoft shows it once; treat the moment accordingly.
- A second method on different hardware — a passkey on a second device, or the Authenticator's encrypted backup so a replacement phone can restore it. Locking the account down hard and then locking yourself out is a self-own this paragraph exists to prevent.
Five more: see who's been knocking
Click Sign-in activity. Almost everyone who reads this page for the first time gets a small shock: a wall of failed sign-in attempts from countries you've never visited. Breathe — those are credential-stuffing bots mechanically trying leaked password lists against every Microsoft account in existence (a phenomenon I unpack in the password-leak runbook). Unsuccessful attempts mean the system is holding.
What you're actually auditing for is successful sign-ins that weren't you — wrong place, wrong time, unfamiliar device or app. Find one and the response is immediate: Change password (or rotate methods, if passwordless) via the "Secure your account" flow, then sign out everywhere (Advanced security options → Sign me out) to burn any stolen sessions.
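The triage described above, written out as an added example (not a Microsoft export format, which the sign-in activity page does not offer; the comma-separated layout and every record below are constructed): failed attempts are counted as background noise, and only successful sign-ins get checked against your own places, devices, apps and hours.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in an assumed "when,result,country,device,app" layout.
SAMPLE_ACTIVITY = """\
2024-05-01T08:02:11,Unsuccessful sign-in,Brazil,Unknown device,Outlook
2024-05-01T08:02:14,Unsuccessful sign-in,Vietnam,Unknown device,Outlook
2024-05-01T09:15:40,Successful sign-in,Germany,Windows 11 laptop,Windows
2024-05-01T23:47:03,Successful sign-in,Nigeria,Unknown device,IMAP
2024-05-02T03:05:22,Successful sign-in,Germany,Windows 11 laptop,Windows
2024-05-02T07:30:00,Successful sign-in,Germany,iPhone,Outlook
2024-05-02T07:31:09,Successful sign-in,Germany,Windows 11 laptop,OneDrive
"""


@dataclass(frozen=True)
class SignIn:
    when: datetime
    success: bool
    country: str
    device: str
    app: str


def parse_activity(text: str) -> list[SignIn]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, result, country, device, app = line.split(",")
        rows.append(SignIn(datetime.fromisoformat(when),
                           result.startswith("Successful"), country, device, app))
    return rows


def triage(rows, home_countries, known_devices, known_apps, quiet_hours=(0, 6)):
    """Return (failed_attempt_count, [(sign_in, reasons), ...]) for successes worth a look."""
    noise, suspects = 0, []
    for r in rows:
        if not r.success:
            noise += 1                     # credential-stuffing background: the system held
            continue
        reasons = []
        if r.country not in home_countries:
            reasons.append("wrong place")
        if r.device not in known_devices:
            reasons.append("unfamiliar device")
        if r.app not in known_apps:
            reasons.append("unfamiliar app")
        if quiet_hours[0] <= r.when.hour < quiet_hours[1]:
            reasons.append("odd hour")
        if reasons:
            suspects.append((r, reasons))
    return noise, suspects
```

A hit on any reason is a prompt to look, not proof; a single "odd hour" from your own laptop is usually you, while a foreign country on an unknown device via a mail protocol you never use is the case the "Secure your account" flow exists for.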
The cleanup nobody does: aliases and stale access
Two last stops, five minutes:
Make your sign-in name unguessable. Your info → Sign-in preferences (account aliases). Here's an underused trick: the email address the world knows doesn't have to be the one that can sign in. Add a new alias nobody knows (some random-word invention @outlook.com), set it as primary for sign-in, and disable sign-in for your public address — it keeps receiving mail normally. Now the credential-stuffing bots aren't even knocking on a real door: they're trying passwords against a username that can't log in.
Audit what else has keys. Devices: remove machines you no longer own (sold laptops linger here for years — and if you're about to sell one, pair this with a proper wipe). Privacy → Apps and services with access: revoke anything you don't recognize or stopped using. Old third-party apps with mailbox access are exactly the kind of quiet, forgotten grant that turns a minor third-party breach into your problem.
Quick questions
What if I lose my phone? That's what the recovery code and second method are for — which is why they were a required stop, not an optional one. With code in drawer and a backup method registered, a lost phone is an errand, not an emergency.
Does passwordless break Windows sign-in or Office? No — Windows Hello (PIN/fingerprint/face) signs you into the PC as before; the PIN is device-local, only unlocks a key held in that machine's TPM, and never leaves the device, so it isn't a "password" in the dangerous sense. Modern Office and apps authenticate through the same approval flows.
Is the old Hotmail address I barely use worth this effort? If it's a recovery address for anything else, yes — attackers chain accounts, and the rusty side door is their favorite entrance. If it's truly orphaned, consider closing it instead of leaving it lying around.