I’ve finally had a chance to enable two-step authentication on my Microsoft account. As expected, it works much like the two-factor authentication Google uses with its accounts, helping to protect your account from being compromised. Here’s what I know about this important security feature so far.

As I noted in Microsoft Account Gets Enhanced Security, two-step authentication is a hugely important addition to Microsoft account, which many people—myself included—use across an ever-growing list of devices and services, including Windows 8/RT, Windows Phone, Xbox 360/Xbox LIVE, Office.com/Office 365 Home Premium, SkyDrive, Outlook.com and Hotmail, and many more. But it’s also a double-edged sword: two-step authentication can be a bit tedious at times, because once it’s enabled, you can’t always just sign in as you did before. You sometimes need to provide a second form of authentication—a code sent to a mobile phone or perhaps a second, trusted email address—so you can really prove that you are you.

Even though it can be a pain at times, you should enable two-step authentication on your Microsoft account(s). Doing so will help prevent a malicious individual from signing in and stealing your account, even if they know your password.

For the actual owner of the account, trusted devices—which include PCs and devices running Windows 8, RT, and Windows Phone 8—often won’t see the additional prompts that two-step authentication requires. But you also control which devices are trusted.

Enable two-step authentication

To enable two-step authentication, visit the Microsoft account management web site and then navigate to the Security info view. Here, you will see a link to set up two-step verification.

Note: You cannot have other Microsoft accounts linked to the Microsoft account for which you are trying to enable two-step authentication. If you do, you’ll be prompted to unlink the accounts.

There’s a short wizard. All you really need to do is be contacted via one of the alternate methods you previously supplied, like a second email address. Microsoft will send a code to that account—“we need one more way to make sure you’re you”—and then you enter the code and two-step verification is enabled.

Use two-step authentication

There are two ways in which two-step authentication can rear its head: a security code or an app password. Put simply, whenever you need to sign in to anything with your Microsoft account credentials (user name and password), try doing so normally. If it works, great. Otherwise, you could be prompted to enter a security code. And if not, you’ll need an app password.

Security code. If you’ve ever done something like sign into Windows 8 with a Microsoft account and then trust the PC, you’ve seen the security code prompt: Microsoft will send a text message to your mobile phone that contains this code.

And then you must enter that code on the web site, or in Windows, or wherever you’re prompted.

That’s one form of two-step authentication—your Microsoft account credentials plus the security code—and it’s not new.

App password. New to this update, you can now also create an app password for those apps or devices that don’t work with the security code system. One example is Microsoft Outlook 2013: If you had previously configured Outlook for Hotmail or Outlook.com and then configured the underlying Microsoft account, the next time you use the application, you’ll be prompted to enter your credentials again. But your normal password will not work: You need an app password.

You can generate an app password at the Microsoft account management web site, again from the Security info view. Just tap the link Create a new app password under App Passwords. When you do, you’ll be provided with an app password that you can type (or copy and paste) into the application.

By the way, this site also works fine from mobile browsers like the one in Windows Phone. This is handy because you may run into this issue with mobile apps as well, and can use the phone’s copy and paste capability to get the app password into the mobile app that’s not authenticating properly against your Microsoft account.

Authenticator mobile app

But wait, there’s more. For those times in which you need to generate a security code but have no cellular coverage—such as when you’re flying—Microsoft provides a mobile app called Authenticator that can generate these codes in offline mode.

You can download Authenticator for Windows Phone 7.5/8 from the Windows Phone Store.

Then, you need to configure the Authenticator app to work with your Microsoft account. Again, you will visit the Security info view on the Microsoft account management web site. But this time, click the Set up link under Authenticator app. In the next screen, you’re prompted to pair your phone with your Microsoft account using a bar code tag.

In the Authenticator app on Windows Phone, tap the Add (“+”) app bar button to add your account.

Then, tap the Scan button—it resembles a camera icon—to scan the bar code. The app will quickly scan the bar code and then generate a code that you type into the web page. Then, click the Pair button to complete the process.

Going forward, the app will generate a new code automatically every 30 seconds. If you ever need to use a code to sign in to your Microsoft account and the phone is offline, you can use this app to get the code.
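To show how an app can hand you a fresh code every 30 seconds with no cellular coverage at all, here is an added example (my own illustration, not Microsoft’s code). It assumes the pairing bar code carries a shared secret and that the codes follow the standard time-based one-time password algorithm (TOTP, RFC 6238); the page itself doesn’t say which algorithm Authenticator uses. The secret is the RFC’s published test-vector key, not a real one, and the verify side shows what the service should do: tolerate one step of clock drift and refuse to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second rotation described above
DIGITS = 6

# Constructed shared secret (the RFC 6238 test key, Base32-encoded as a
# pairing bar code would carry it). Never reuse this value for a real account.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Phone side: derive the code for the time step containing unix_time.
    Needs only the secret and a clock, which is why it works offline."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                      # which 30-second window
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, submitted: str, server_time: int,
           used_steps: set, window: int = 1) -> bool:
    """Service side: accept the current step or one either side to absorb
    clock drift, but record accepted steps so a code can't be replayed."""
    for delta in range(-window, window + 1):
        t = server_time + delta * STEP_SECONDS
        step_no = t // STEP_SECONDS
        if hmac.compare_digest(totp(secret_b32, t), submitted):
            if step_no in used_steps:
                return False                         # already spent
            used_steps.add(step_no)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SAMPLE_SECRET_B32, now))
```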