I get so many variations of this question.
The most common scenario is travel. If there’s something “different” about your attempt to sign in — and being in a different country qualifies — Microsoft now often requires that even if you know your password, you must provide additional security confirmation. Usually, that’s a code sent to your phone or alternate email address.
I cannot stress this enough:
It is critical that you keep your recovery information up to date.
Not doing so is by far the fastest way to lose access to your account — forever — should something go wrong. It’s also a way to end up unable to access your email while traveling.
While many feel that the approach is somewhat ham-handed on Microsoft’s part, the reality is they’re fighting an incredibly difficult problem: account theft.
I’ll review the steps I believe you need to take, and explain why this is happening.
Become a Patron of Ask Leo! and go ad-free!
I know my password, but…
Almost everyone who comes to me with this or a similar problem is convinced that they know their password, and that they’re typing everything in correctly, yet they still cannot log in. Either through an account hack, simply being wrong about being right, or being faced with that additional security step from Microsoft, they’re blocked from logging in.
On top of that, they do not (perhaps temporarily, while traveling) have access to any of the accounts or phone numbers they set up as alternates on their Microsoft account (any Outlook.com account, including Hotmail). Thus, when the login process attempts to send a verification code to one of those accounts or numbers, it can’t be fetched.
At that point, the only approach I’m aware of is to begin the account recovery process.
Account recovery without a password
Note that not all recovery mechanisms may be available in for all accounts. Not only do things change, but exactly which will be available may depend on your account settings, and perhaps even where you’re located.
After entering your email address at the outlook.com sign-in screen, you’re prompted for your password.
Click on Forgot password? for a list of ways to get a security code to prove your identity.
This is recovery information that you previously set up in your account configuration. In my case, I have two email addresses, as well as a telephone number with text and voice message options.
Assuming you didn’t set up recovery information, or lost access to those you previously configured, click on I don’t have any of these. You may then be given the opportunity to enter a previously established recovery code.
Assuming you don’t have one, click on No.
Continue below at Recover your account.
Additional verification, even with a password
As I mentioned, particularly when travelling, Microsoft may require additional verification even after you provide the correct password when signing in. When this happens, an additional dialog appears.
Assuming you no longer or don’t currently have access to the listed alternate email address(es) or phone numbers, select “I don’t have these any more”. The “Send code” button will change to Verify online; click that.
Recover your account
The recovery process now switches to a possibly manual account-verification process.
You once again provide the email address of the account to which you are attempting to gain access, as well as another email address at which you can be contacted. This second email address can be any account to which you currently have access.
Click Next. You may be sent a code to the second email account, which you’ll enter to verify you have access to it. You’ll then be presented with a page requesting an assortment of information.
This page asks you to provide as much information as you can about the account, including:
- Your name and birth date.
- Your location.
- The answer to your security question(s), if you had one or more set up.
- Other passwords you may have used on this account in the past.
- The subject lines of any emails you may have sent recently.
- The names of any folders you’ve created in your account.
- The email addresses of any contacts to which you’ve recently sent email.
- Billing information, including a credit card, if you have any associated with the account.
The goal here is to provide enough information to prove you are who you say you are: the rightful account holder.
And again, it’s important to provide as much information as possible.
Once you’ve done so, click Submit.1
Now you wait.
The information is submitted to Microsoft, and something happens. What that something is we don’t know, but I would presume it’s a combination of mostly automated attempts to verify the information that you’ve submitted against the account. I say “mostly” automated, because I would assume that some need human verification.
If you’ve given enough information, and that information itself is enough for the system to trust that you are the correct account holder, you’ll be emailed a password reset link.
If not, you’ll get something like this:
The “best option” listed is pretty much your only option at this point: go back to the account information form and provide additional and more accurate information.
Important: if you cannot do this, I know of no way to proceed and regain access to the account at this time. I cannot help you.
Why all this hassle?
It may be hard to accept, but all of this is for your protection. Seriously. This process has probably already prevented your account from being hacked in the past.
Account hacking and theft is a huge problem. For some reason, Microsoft accounts have been prime targets for hackers for years. Microsoft has responded with these measures to keep hackers out and legitimate account owners in.
From their perspective, it’s better to lock you out than erroneously let a malicious hacker in. I’d have to agree: I’d rather no one be able to access my account if the alternative is the possibility a hacker might.
Avoiding this hassle is simple: you must keep your recovery information up to date. Without it, you may not be able to prove that you’re the legitimate account owner.
The multi-day delay
Upon regaining access to an account, or sometimes before being able to access an account being recovered, Microsoft will sometimes enforce a delay of up to 30 days.
As frustrating as this can be, it’s another security measure designed to keep your account safe.
When you make a change to an account — like resetting its password or changing the recovery email or phone — Microsoft sends a notification to the old address. This message also allows the change to be aborted.
If you are not in the process of making the change yourself, this delay gives you 30 days to tell Microsoft “It’s not me, it’s a hacker. Disallow the change.”
If you are in the process of making the change, or even just trying to log in, I agree it can be annoying.
If you can get into your account again, or if you end up setting up a new Hotmail/Outlook.com account, please:
- Make sure you have a recovery email address associated with it. I recommend using a different service — the issues with overseas travel that might cause hassles on your Microsoft account could also cause those same hassles on the recovery account if it’s also a Microsoft account.
- Make sure your recovery account remains current and active. Log into it from time to time to keep it open, even if you use it for nothing else.
- Consider setting up a recovery code.
- Set up a mobile number, or even use a smartphone app if you have one, so as to provide even more recovery options.
- Set up more than one recovery option. You’ll note in my example account I had two different email addresses in addition to a phone number.
And above all, remember to keep all that up to date.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,
Footnotes & References
1: I declined to go further, since my account didn’t actually require recovery.