Here's an extract from the Microsoft blog post:
Over the next couple days we will roll out a major upgrade to Microsoft account, including optional two-step verification to help keep your account more secure. You should see this option show up in your account in the next few days. You can enable this capability at https://account.live.com/proofs/Manage.
Microsoft explain that two-step verification is optional and that a smartphone app can be used to generate two-step verification codes (otherwise they are sent out via text message):
With this release you can choose to protect your entire account with two-step verification, regardless of what service (or device) you are using with your Microsoft account. It’s your choice whether you want to enable this, but for those of you that are looking for ways to add additional security to your account, we’ve worked hard to make set-up really easy.
We’ll verify that you have at least two pieces of security information on file (it’s always good to have a second in case you lose the first). If you have a smartphone, we’ll help you set up an authenticator app, which allows you to receive two-step verification codes even while offline (very useful on vacation and to avoid messaging fees). The next time you sign on, you’ll be prompted for a code.
As we mentioned previously Microsoft has already published an Authenticator app for Windows Phone:
The security code can be generated by Microsoft's Authenticator app for Windows Phone, but it is based on an industry standard, so it is also possible to use a third party authentication app, of which there are several in the Windows Phone Store. The same standard is used by Google, Dropbox, and a number of other companies in their own two-factor authentication systems.
Microsoft is allowing you to opt to skip two-step verification one devices you use regularly (any device, any browser), although you will be prompted for a two-step verification code if you do not use a device for 60 days. This represent an improvement on Microsoft's previous "trusted devices" implementation:
On devices you use regularly, you can select an option to not ask for security codes. This makes two-step verification painless — you use a code sent to a phone or email only once (per Web browser per device) and we remember that device in the future. If you don’t use the device for 60 days, we’ll prompt you for a code again for your security.
Previously we had a notion of trusted devices that was similar but only worked for IE and required you to manage a list if you had too many devices. With this release we’ve simplified things — you can skip codes on all modern browsers across major platforms, and you never have to manage the list. If you ever lose or sell a device, you can still choose to revoke these “trusted devices” by going to your security settings on https://account.live.com.
More details are available at The Official Microsoft Blog.