Want to switch from Gmail to Outlook, but...

[Zyr]

Thanks to Google's shuttering of exchange I'm very open to switching my primary account off of Google and even moving my domain off of Google Apps. Considering I've had my Gmail account since the invites first went out, this is pretty significant for me. I already have an Outlook account and while I prefer many of Gmail's features (multiple inboxes and the new compose window for instance), it's something I'd be willing to give up in favor of proper exchange support and generally being disgusted with Google as of late. I've already moved over my calender and contacts to my Outlook account to start syncing them there and am not particularly tied to Google's ecosystem outside of Gmail/Youtube otherwise.

There's only one giant, security shaped concern that's keeping me from moving over my e-mail - the double whammy of a 16 character password restriction and, as far as I can tell, absolutely no kind of two-factor authentication. My Gmail and all of the accounts under my domain have 20+ character passwords and are behind Google's 2FA.

There is absolutely no way I am putting my financial/important accounts behind just a 16 character password nowadays, no matter how disgusted I am with Google. I've had far too many friends' hotmail/live/and yes, even outlook accounts get taken over by spammers to even consider it with the current system.

So my question is, has there been any indication that Microsoft is going to be bringing some kind of 2FA to Outlook in the near future? I know they're planning to allow longer passwords, which is great, but the 2FA is a deal breaker for me. It's even hard to tell if Office365's answer to Google Apps has it. If all else I could move my domain over there and enjoy the extra Skydrive space, but if it's offered for anything below enterprise Microsoft seems to be hiding it.

I guess I'll have to live without push if I have to hard reset my phone/upgrade until (if?) I can find an alternative. I most definitely am not rewarding Google with $50 a year per user via Google Apps to get push back. :eck:

 

[vedichymn]

I haven't seen that two-factor authentication is on any kind of active to-do list for Microsoft accounts, but they have said generally that they're looking at other ways to secure your account (especially in the light of the Xbox live account hijackings, etc).

As far as I'm aware, Office 365 only supports two-factor authentication in a federated enterprise type scenario, where you maintain a local AD domain that is federated with Office 365 and handle the auth yourself.

 

[jhguth]

If you already are using your Gmail account with EAS it will continue to work for you, so you could always stay until you are more comfortable with security

Also, I don't think existing Apps users are going to have to pay. I went ahead and switched mine over, but my domain is just me and I only have an average users security concers.

 

[eric12341]

I've had my hotmail/outlook account for 12 years and not once had it ever been compromised. Now my Gmail account on the other hand I can't say the same.

 

[Zyr]

If you already are using your Gmail account with EAS it will continue to work for you, so you could always stay until you are more comfortable with security

Also, I don't think existing Apps users are going to have to pay. I went ahead and switched mine over, but my domain is just me and I only have an average users security concers.

Unfortunately existing free Google Apps users are losing exchange as well for future devices. New phone/a hard reset and push will vanish just like the normal gmail accounts. It's quite a bummer. $300/yr to keep push and full syncing for future devices across my domain is pretty cringe inducing.

I've had my hotmail/outlook account for 12 years and not once had it ever been compromised. Now my Gmail account on the other hand I can't say the same.

I'm glad you're happy with Hotmail/Outlook. Considering the sheer amount of password leaks/compiled data floating around and how a single GPU can try 8.2 billion password combinations per second, if you feel comfortable putting all of your important accounts behind a 16 character password with no 2FA, that's your business. Trying to argue that Microsoft's non-enterprise offering is more secure than Google's based off of anecdotal experience isn't going to work though, and it's definitely not helpful to someone genuinely interested in Microsoft's services.

Sadly it looks like I'll be sacrificing push and calender/contact syncing for my domain until an alternative presents itself. Hopefully MS sees the opportunity they've been given and can make their free/small business offerings more secure. Thanks for the helpful replies!

 

[csfoley]

Here is my problem.


I have a live account with login of name@gmail.com. Up until this point I have used it for Skydrive, Zune, Xbox. Now I am trying to migrate over to Outlook.com. I would prefer to NOT have to recreate everything and lose zune pass, xbox purchases, 25gb skydrive etc.


on my Lumia 920 it shows my microsoft account as name@gmail.com, with the only option being email for sync. I can't add an outlook.com account because it is the same as the microsoft account login.


I am thinking my best option would be to create a new live account, but I don't know how to move everything over

 

[msdugn]

There's only one giant, security shaped concern that's keeping me from moving over my e-mail - the double whammy of a 16 character password restriction and, as far as I can tell, absolutely no kind of two-factor authentication. My Gmail and all of the accounts under my domain have 20+ character passwords and are behind Google's 2FA.

While you're technically correct that MSFT doesn't have two factor authentication in the exact sense you mean, but they have beefed up security on Microsoft Accounts incredibly. Since Microsoft Account is the single login point for all Microsoft properties - Xbox, Mail, Calendar and so many other things - they've added a lot that, in my opinion, is more useful to me than 2-factor auth.

For example, you can increase the security of your MSFT Account by adding additional pieces of information into your account information. Things many people are loathe to provide, but are of great use when added to your MSFT Account. These are things like your home address, an alternate computer (or two), your home phone number, your cell phone, etc. These not only make it a lot harder for bad guys to grab or access your account, but it blocks outright access to only those who can answer these questions. If your account gets blocked (remember - it gets blocked, not accessed by the bad guys), a quick call to support to answer a few of their questions based on what you added into your account gets you back in minutes, not hours or days.

You need to consider that 2-factor auth is great for the workplace where people are expected to carry a smartcard or use a second factor of authentication. It wouldn't fly for the general consumer. I'm glad to have Microsoft's approach that's sufficiently 'wife friendly' for my non-techie family members via a single login - yet secure enough to trust with my credit cards, financial info and more via the additional layers of security they've built around the login and access model.

I say you should take the plunge to Outlook.com. Use the separate inboxes for different accounts to ease the transition. But it sounds like you're already 90% there.

 

[stmav]

Microsoft response in one of their forums:
As discussed earlier in the thread, we are already using TFA for some major sites. We are learning a lot from this and have more in the works. We see TFA as being an increasingly important piece of our protection suite. At this time I don't have any more details or projected dates, but rest assured that TFA is and will be a part of our ongoing efforts to make your experience as safe and secure as possible.

They do have a way to use a single use code for Outlook log in. But it might not quite be what you are looking for.

What is a single-use code? - Single-Use Code

 

[ag1986]

While you're technically correct that MSFT doesn't have two factor authentication in the exact sense you mean, but they have beefed up security on Microsoft Accounts incredibly. Since Microsoft Account is the single login point for all Microsoft properties - Xbox, Mail, Calendar and so many other things - they've added a lot that, in my opinion, is more useful to me than 2-factor auth.

For example, you can increase the security of your MSFT Account by adding additional pieces of information into your account information. Things many people are loathe to provide, but are of great use when added to your MSFT Account. These are things like your home address, an alternate computer (or two), your home phone number, your cell phone, etc. These not only make it a lot harder for bad guys to grab or access your account, but it blocks outright access to only those who can answer these questions. If your account gets blocked (remember - it gets blocked, not accessed by the bad guys), a quick call to support to answer a few of their questions based on what you added into your account gets you back in minutes, not hours or days.

You need to consider that 2-factor auth is great for the workplace where people are expected to carry a smartcard or use a second factor of authentication. It wouldn't fly for the general consumer. I'm glad to have Microsoft's approach that's sufficiently 'wife friendly' for my non-techie family members via a single login - yet secure enough to trust with my credit cards, financial info and more via the additional layers of security they've built around the login and access model.

I say you should take the plunge to Outlook.com. Use the separate inboxes for different accounts to ease the transition. But it sounds like you're already 90% there.

Nonsense. You clearly haven't heard of Matt Honan (of Gizmodo) getting hacked. Home address, phone number etc. are trivially easy to discover (again, as Honan's story will illustrate. Google's 2FA is clearly superior (as any security engineer will attest) as it required any attacker to obtain both your password and the dongle/phone on which you have your password generator.

Also, it's not necessary to carry around a token; the Android/iOS/BB app will do just fine. Nothing for WP, of course.

 

[ag1986]

\$300/yr to keep push and full syncing for future devices across my domain is pretty cringe inducing.

It's actually $50/user/year actually - if you have six users then yes, 300/year but that's not a significant price for the services provided IMHO.

 

[stmav]

WP PINgrid Token app for 2FA

 

[msdugn]

Nonsense. You clearly haven't heard of Matt Honan (of Gizmodo) getting hacked. Home address, phone number etc. are trivially easy to discover (again, as Honan's story will illustrate. Google's 2FA is clearly superior (as any security engineer will attest) as it required any attacker to obtain both your password and the dongle/phone on which you have your password generator.

It's these types of responses that are disappointing in useful forums and serve little purpose but to demean others. Funny - I know Matt personally and am well aware of his situation. My comments still stand.

 

[ag1986]

It's these types of responses that are disappointing in useful forums and serve little purpose but to demean others. Funny - I know Matt personally and am well aware of his situation. My comments still stand.

I don't see how your comments stand. Per the reports, Honan's situation happened due to Apple and/or Amazon reps, because they assumed the hackers were the account owner because they had precisely the kind of information (address, phone numbers etc. that you say add more security than 2FA. Clearly, your statement is disproved. The same thing would never have happened with an account secured with 2FA.

 

[eric12341]

This thread has run it's course