I’ve received many variations of this question in recent weeks. In particular it appears that when you’re traveling to different countries, Microsoft is now often requiring that even when you know your password you also must be able to provide a code that is sent to your phone or an alternate email address associated with the account.
I cannot stress this enough: it is critical that you keep your recovery information up to date. Not doing so is, by far, the fastest way to lose access to your account forever should something go wrong. It’s also a way to end up unable to access your account until you return home after traveling.
While many feel that the approach is somewhat ham-handed on Microsoft’s part, the reality is they’re fighting an incredibly difficult problem: account theft.
I’ll review the steps I believe you’ll need to take, and explain why this is happening.
Become a Patron of Ask Leo! and go ad-free!
I know my password, but…
Almost everyone that comes to me with this or a similar problem is convinced that they know their password, and that they’re typing everything in correctly, yet they still cannot log in. Either through an account hack, simply being wrong about being right, or being faced with an additional security step from Microsoft, they’re blocked from logging in.
On top of that, they do not (perhaps temporarily, while traveling) have access to any of the accounts or phone numbers that they’ve set up as alternates on their Microsoft / Hotmail / Outlook.com account. Thus when the account login process attempts to send a verification code to one of those accounts or numbers, it can’t be fetched.
The only approach that I’m aware of is to begin the account recovery process.
At the outlook.com login screen:
Click on Can’t access your account?
The process begins by asking what kind of problem you’re having. In most all cases “I know my password, but can’t sign in” is the proper choice – unless of course you don’t know your password, or you have reason to believe your account has been hacked.
When you make that selection, the page makes a suggestion:
Don’t be annoyed by this. As I’ve written about before, you would be amazed at the number of times people mistype their own email address or password. I’m fairly convinced that this one suggestion on Microsoft’s part solves the situation for as many as one third of the folks who find themselves here.
Assuming you’ve double checked your entries appropriately click Next.
At this point we need to know what account you want to get back into. A CAPTCHA (type the text you see) is also presented to prevent this process from being used by automated tools to hack into accounts.
Enter both, and click Next.
This page is typically the root of the problem for many people. Even though you can set up multiple ways to get a recovery code – email, text message or automated voice, if you no longer have access to those email accounts or that phone number this step will simply not work. (I’ll say it again, it’s critical to always keep these up to date.)
In your case, the only solution is to choose I don’t use these anymore.
In many cases you can set up a recovery code for your account before you need it. This code, which you would keep in a secure location, acts as yet another form of verification that you are the account owner. If you have such a code you’d enter it here.
Assuming you don’t, click No.
The recovery process now switches to an off-line, and possibly manual account verification process.
You once again provide the email address of the account to which you are attempting to gain access, as well as another email address at which you can be contacted. That other email address can be any account to which you currently have access.
This page asks you to provide as much information as you can about the account, including:
- Your name and birth date.
- Your location.
- The answer to your security question(s), if you had one or more set up.
- Other passwords that you may have used on this account in the past.
- The subject lines of any emails you may have sent recently.
- The names of any folders you’ve created in your account.
- The email addresses of any contacts to which you’ve recently sent email.
- Billing information, including a credit card, if you have any associated with the account.
The goal here is simple: to be able to provide enough information to prove that you are who you say you are: the rightful account holder.
And again, it’s important that you provide as much information as possible.
Once you’ve done so, click Submit.
Now you wait. The information is submitted to Microsoft, and something happens. What that something is we don’t know, but I would presume it’s a combination of mostly automated attempts to verify the information that you’ve submitted against the account. I say “mostly” automated, because I would assume that some things may need human verification.
If you’ve given enough information, and that information itself is enough for the system to trust that you are the correct account holder, you’ll be emailed a password reset link.
If not, you’ll get this:
The “best option” listed is pretty much your only option at this point: go back to the account information form and provide more information and more accurate information.
If you cannot, I know of no way to proceed and regain access to the account at this time.
Why all this hassle?
It may be hard to accept, but this is all for your protection. Seriously.
In fact, it’s very possible that this process has already prevented your account from being hacked into in the past.
And please understand that account hacking and theft is a huge problem. For some reason, Hotmail accounts in particular have been prime targets for hackers for years. Microsoft has responded with these measures to keep the hackers out and the legitimate account owners in.
If you don’t keep your recovery information up-to-date you may not be able to prove that you’re the legitimate account owner.
It’s as simple as that.
The multi-day delay
Upon regaining access to an account, or sometimes before being able to access an account being recovered, Microsoft will sometimes include a delay, often 30 days, before the action can be completed.
As frustrating as this can be, it’s another security measure designed to keep your account safe.
When you make a change to an account – like resetting its password or changing the recovery email or phone – Microsoft sends a notification to the old address. This message also allows the change to be aborted.
If you are not in the process of making the change yourself, this delay gives you 30 days to tell Microsoft “It’s not me, it’s a hacker. Disallow the change”.
If you are in the process of making the change, or even just trying to log in, I agree it can be annoying.
If you can get into your account again, or if you end up setting up a new Hotmail/Outlook.com account, please:
- Make sure you have a recovery email address associated with it. I recommend using a different service – the issues with overseas travel that might cause hassles on your Microsoft account could potentially also cause those same hassles on the recovery account if it’s also a Microsoft account.
- Make sure that recovery account remains current and active. Log into it from time to time to keep it open, even if you use it for nothing else.
- Consider setting up a recovery code.
- Set up a mobile number, or even use a smartphone app if you have one, so as to provide even more recovery options.
- Set up more than one recovery option. You’ll note in my example account I had two different phone numbers, and two different email addresses.
And above all, remember to keep that all up to date.