Normally two-factor authentication involves a phone call/text/email to verify that you are who you say you are when logging in, but do note that in Microsoft's case there are handy Authenticator applications for each platform, not least Windows Phone here.
The idea is that, when logging in from a new device, browser or application (each is 'trusted' for up to 60 days), you'll be redirected to a web security form and you can then just type in the numeric code given by the Authenticator application on your chosen mobile device. Each code is valid for 30 seconds and then it refreshes (and the expected code changes at the server to match), so you do have to be relatively quick and distraction-free, but the system does work. It also gives tremendous peace of mind: even if your Microsoft account and password were to be hacked or guessed, there would still be no access to your account without physical possession of your phone too.
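The 30-second rotation, and the way the server's expected code moves in step with the phone, can be sketched as follows. This is an added example, not Microsoft's code: it assumes the Authenticator follows the standard time-based one-time password scheme (TOTP, RFC 6238) with 6-digit codes, which the article does not state, and `verify` with its one-window drift allowance is a hypothetical server-side check.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as described in the article
DIGITS = 6   # assumed code length

def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Code for the 30-second window containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Hypothetical server check: current window plus a small clock-drift allowance."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * STEP
        if t < 0:
            continue
        expected = totp(secret, t)
        # Constant-time comparison, and no early return, to avoid timing leaks.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Constructed sample: the published RFC 6238 test secret, not a real account secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    typed = totp(SECRET, 1111111109)          # code shown on the phone
    print("code on phone:", typed)
    # Two seconds later the 30-second window has rolled over on the server.
    print("accepted with one window of drift:", verify(SECRET, typed, 1111111111))
    print("accepted with no drift allowance:",
          verify(SECRET, typed, 1111111111, drift_steps=0))
```

A wider drift allowance is more forgiving of slow typing and clock skew, but it also lengthens the time a captured code remains usable.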
As an illustration, here's a brief walkthrough:
The system works well. Windows Phone 8.1 (and onwards) applications hook into the OS's own authentication, but older applications/phones and, of course, third-party applications and all apps on other platforms which want access all need application-specific passwords, which you can set up here. They're a pain to have to input, but it's a one-time thing per app and the peace of mind overall is tremendous.
You can grab the Authenticator app for Windows Phone here.