Two-step verification helps protect you by making it more difficult for someone else to sign in to your Microsoft account. It uses two different forms of identity: your password, and a contact method (also known as security info). Even if someone else finds your password, they'll be stopped if they don't have access to your security info. This is also why it's important to use different passwords for all your accounts.
You set up two-step verification with an email address, phone number, or authenticator app. When you sign in on a new device or from a new location, we'll send you a security code to enter on the sign-in page.
If you turn on two-step verification, you’ll receive a security code through your email, phone, or authenticator app every time you sign in on a device that isn't trusted. When it’s turned off, you will only have to verify your identity with security codes periodically, when there might be a risk to your account security.
If you turn on two-step verification, you will always need two forms of identification. This means that if you forget your password, you need two contact methods, and if you lose your contact method, your password alone won't get you back into your account. For that reason, we strongly recommend you keep three pieces of security info on your account, just in case.
Some apps (like the mail apps on some phones) or devices (like the Xbox 360) can't use regular security codes. If you see an “incorrect password” error on an app or device after you turn on two-step verification, but you’re sure your password was correct, that means you'll need an app password for that app or device.