The announcement regarding optional multi-factor authentication to Microsoft online accounts, including Office 365 and Xbox, is a welcome one. Stolen passwords, whether via phishing, guessing, or accidental disclosure by the vendor, is a major threat against data security.
In summary, the feature allows you to associate your cell phone number with your Microsoft account. Then, periodically, in addition to typing in your password, you’ll be sent a secret code via text message. Typing in the secret code along with your password completes the sign-in process. In theory, the bad guys can’t compromise your account unless they also take control of your cell phone and/or phone number.
There are still threats. Could an insider at the phone company collude to compromise a high-value account? Yes. Could a bad phone app intercept incoming text messages and copy them to a hacker? Potentially. Could a phishing attack trick the user into typing a valid code and password into a fake form? Guaranteed.
Still, I recommend enabling this feature, since it raises the security bar quite a bit higher than what you get from just a static password.