The security features associated with Microsoft accounts – and almost any Hotmail.com or Outlook.com email address is a Microsoft account – have been giving people fits lately.
Because account hacking has become such a massive problem, particularly with Hotmail accounts, Microsoft has tightened security quite a bit. Unfortunately, people are now finding that security codes are getting sent to phones and email addresses they no longer have.
Keeping that security information up to date is critical. I’ll walk you through the steps to update it.
Become a Patron of Ask Leo! and go ad-free!
Your Microsoft account
As I mentioned, from Microsoft’s perspective you don’t really have a “Hotmail” or “Outlook.com” account. What you have is a “Microsoft account” that happens to use a Hotmail, MSN, Live, or Outlook.com email address as the identifier.
So what that means is that we’ll be changing the security information associated with your Microsoft account.
Here’s the easiest way:
Log in to your email account.1 Once in, click on your display name in the upper right corner:
Click on Account settings. Note that this has actually transitioned from Outlook.com to “Microsoft account”. This displays basic information about the account.
Click on Manage advanced security in the lower left.
Because you’re about to make a security-related change, you’ll be asked to verify that you are the rightful account holder. That happens by sending a code to one of your previously configured alternate addresses or phone numbers.
This prevents a hacker who happens to gain access to your password from making security-related changes to your account – a very common activity.
The problem, of course, is what happens if you don’t have any alternate phone numbers or email addresses listed, or those that are listed are no longer valid or in your control.
Then things get difficult.
Account verification without alternates
Select “I don’t have any of these”.
The message changes, letting you know you’re about to embark on a slightly more involved process to maintain account access.
This would be a great time to have a recovery code. Unfortunately, most people in this situation haven’t set one up. It’s something you have to set up before you need it. (Here’s how, by the way, but you’ll have to pass the very same validation process we’re encountering here before you can.)
Assuming you don’t have a recovery code, click No.
You can now add a phone number or an alternate email address as your security information, though it will come with a caveat we’ll encounter shortly. (Note that phones do not need to be capable of text messaging; selecting Call will deliver your code via automated voice.)
Enter the information you choose – email or phone – and click Next.
Enter the code that was sent to your newly selected phone or alternate email, and click Next.
Here’s the caveat: because you were unable to confirm using the pre-existing alternate information and had to set up new information, Microsoft imposes a 30-day delay before you can access anything security related.
Once the 30 days have passed, the new alternate phone number or email address you selected will take full effect, and you can return to these settings to make further security-related changes.
Account verification with alternates
If you still have access to those previously configured alternate phone numbers or email addresses, the process is simpler. When you clicked on Manage advanced security to start this process, you were presented with a list of partially obscured alternate contact information.
If you know and still have access to any of the alternate numbers or email addresses partially displayed (perhaps after waiting 30 days), select the one you know, fill in information that’s been obscured (this verifies that as the legitimate account owner, you actually know what they are), and click Send code.
Now enter the code that is sent to that phone or email address, and click Next.
Finally, we’ve arrived at the page where you can make changes to your settings.
A change means an add and a remove
Changing the mobile number, or any alternate security information, is a two-step process: add the new, and remove the old.
Click on Add security info.
Choose whether you want to add an email address or a phone number, and you’re adding a phone number, whether you want codes sent by text or by voice.
You’ll then be sent a code to confirm you have access to the email address or phone number you’ve just provided. You’ll be asked to enter that, after which the new security information will be added to your account.
Removing security information is just as easy: click on the Remove link associated with the old or invalid address or phone number that you want to remove.
Maintaining your security information
It is critical that you keep your security information up to date. I can’t stress this enough.
In fact, not doing so is perhaps the fastest way to lose your account forever.
If you lose access to the (alternate) email address and phone number that you have associated with the account – either because you forgot your username or password, or simply no longer have the account or phone – then it may be impossible to recover your account should you ever need to. That’s why designating more than one alternate email address and/or phone number may be a good idea.
When it comes to Microsoft accounts, I also strongly recommend setting up an additional recovery code before you need it. As you saw above, it would have allowed us in immediately.
Make sure this information stays correct, and that you always have access to the alternate email address(s) and phone number(s) listed.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,