I'm very happy to hear that two-step (also called two-factor) authentication is coming to Microsoft, supposedly in the near future. Yahoo! and Google have had it for a while now, and I'm a big fan. Getting spam from a friend's hacked account is a common attack vector, and anything that a platform and its users can do to better lock down accounts to prevent unauthorized access means less spam for you and me.
On a related note, my iPhone broke recently. I backed it up, then brought it in to an Apple store near my office, where it was cheerfully replaced with a new phone under warranty. I'm all set, I thought. I've got everything backed up. Except -- the backup did not include my account settings for Google Authenticator, the two-factor authentication token provider app for iOS. Oops. And I had changed a cell phone number somewhere around 12-18 months ago, and thus some of my accounts didn't have a working backup phone number associated with them. I was able to work it all out, but it took some fiddling, and I did end up locking myself out of one lesser-used account. Don't be like me -- go in and check your two-factor settings and make sure everything there is still correct. (And for lesser-used accounts, consider using SMS rather than an authenticator app. If you're like me and likely to keep the same phone number for the foreseeable future, you'll be able to receive that text message on whatever new phone you might purchase down the road.)
And finally, a clever hack: My friend Mickey Chandler pointed out to me that you can sync Google Authenticator in a way that allows more than one device to be the token provider for a given account. Is this less secure? I'm not sure, but I love the idea of perhaps having my wife's phone be configured to provide codes for my accounts in a pinch, and vice versa.