I get so many variations of this question.
The most common scenario is travel. If there’s something “different” about your attempt to sign in — and being in a different country while travelling qualifies — Microsoft now often requires that even if you know your password you also must be able to provide additional security confirmation. That’s typically a code sent to your phone or to an alternate email address.
I cannot stress this enough:
It is critical that you keep your recovery information up to date.
Not doing so is, by far, the fastest way to lose access to your account — forever — should something go wrong. It’s also a way to end up unable to access your account until you return home after traveling.
While many feel that the approach is somewhat ham-handed on Microsoft’s part, the reality is they’re fighting an incredibly difficult problem: account theft.
I’ll review the steps I believe you’ll need to take, and explain why this is happening.
Become a Patron of Ask Leo! and go ad-free!
I know my password, but…
Almost everyone that comes to me with this or a similar problem is convinced that they know their password, and that they’re typing everything in correctly, yet they still cannot log in. Either through an account hack, simply being wrong about being right, or being faced with an additional security step from Microsoft, they’re blocked from logging in.
On top of that, they do not (perhaps temporarily, while traveling) have access to any of the accounts or phone numbers that they’ve set up as alternates on their Microsoft account (any Outlook.com account including Hotmail). Thus when the account login process attempts to send a verification code to one of those accounts or numbers, it can’t be fetched.
The only approach that I’m aware of is to begin the account recovery process.
Account recovery without a password
Note that not all recovery mechanisms may be displayed for all accounts.
At the outlook.com Sign in screen, after entering your email address you’re prompted for your password.
Click on Forgot password? for a list of ways to get a security code to prove your identity.
These are all recovery information that you’ll have previously set up in your account configuration. In my case I have two email addresses, as well as a telephone with which either a text or voice message may be used.
Assuming you don’t have any, or have lost access to those you had previously configured, click on I don’t have any of these. You may then be given the opportunity to enter a previously established recovery code.
Assuming you don’t have one, click on No.
Continue below at Recover your account.
Additional verification, even with a password
As I mentioned, particularly when travelling, Microsoft may require additional verification even after you provide the correct password when signing in. When this happened an additional dialog appears.
Assuming you no longer, or don’t currently, have access to the listed alternate email address(es) or phone numbers, select “I don’t have these any more”, the “Send code” button will change to Verify online, which you then click.
Recover your account
The recovery process now switches to an off-line, and possibly manual account verification process.
You once again provide the email address of the account to which you are attempting to gain access, as well as another email address at which you can be contacted. This other email address can be any account to which you currently have access.
Click Next. You may be sent a code which you’ll enter to verify that you have access to that other email account. You’ll then be presented with a page requesting an assortment of information.
This page asks you to provide as much information as you can about the account, which include:
- Your name and birth date.
- Your location.
- The answer to your security question(s), if you had one or more set up.
- Other passwords that you may have used on this account in the past.
- The subject lines of any emails you may have sent recently.
- The names of any folders you’ve created in your account.
- The email addresses of any contacts to which you’ve recently sent email.
- Billing information, including a credit card, if you have any associated with the account.
The goal here is simple: to be able to provide enough information to prove that you are who you say you are: the rightful account holder.
And again, it’s important that you provide as much information as possible.
Once you’ve done so, click Submit.1
Now you wait.
The information is submitted to Microsoft, and something happens. What that something is we don’t know, but I would presume it’s a combination of mostly automated attempts to verify the information that you’ve submitted against the account. I say “mostly” automated, because I would assume that some may need human verification.
If you’ve given enough information, and that information itself is enough for the system to trust that you are the correct account holder, you’ll be emailed a password reset link.
If not, you’ll get something like this:
The “best option” listed is pretty much your only option at this point: go back to the account information form and provide more information and more accurate information.
Important: if you cannot, I know of no way to proceed and regain access to the account at this time. I cannot help you.
Why all this hassle?
It may be hard to accept, but this is all for your protection. Seriously. This process has probably already prevented your account from being hacked in the past.
You must understand that account hacking and theft is a huge problem. For some reason, Microsoft accounts have been prime targets for hackers for years. Microsoft has responded with these measures to keep the hackers out and the legitimate account owners in.
And from their perspective, it’s better to lock you out than erroneously let a malicious hacker in. I’d have to agree: I’d rather no one be able to access my account if the alternative is the possibility a hacker might.
Avoiding this hassle is simple: you must keep your recovery information up-to-date. Without it you may not be able to prove that you’re the legitimate account owner.
The multi-day delay
Upon regaining access to an account, or sometimes before being able to access an account being recovered, Microsoft will sometimes enforce a delay, often 30 days, before the action can be completed.
As frustrating as this can be, it’s another security measure designed to keep your account safe.
When you make a change to an account — like resetting its password or changing the recovery email or phone — Microsoft sends a notification to the old address. This message also allows the change to be aborted.
If you are not in the process of making the change yourself, this delay gives you 30 days to tell Microsoft “It’s not me, it’s a hacker. Disallow the change”.
If you are in the process of making the change, or even just trying to log in, I agree it can be annoying.
If you can get into your account again, or if you end up setting up a new Hotmail/Outlook.com account, please:
- Make sure you have a recovery email address associated with it. I recommend using a different service — the issues with overseas travel that might cause hassles on your Microsoft account could potentially also cause those same hassles on the recovery account if it’s also a Microsoft account.
- Make sure that recovery account remains current and active. Log into it from time to time to keep it open, even if you use it for nothing else.
- Consider setting up a recovery code.
- Set up a mobile number, or even use a smartphone app if you have one, so as to provide even more recovery options.
- Set up more than one recovery option. You’ll note in my example account I had two different email addresses in addition to a phone number.
And above all, remember to keep that all up to date.
1: I declined to go further since my account doesn’t actually require recovery.