It can happen, but you can prepare.
I originally wrote this article on the last day of a trip taken to the Netherlands to visit relatives. As planned, I played a little with a couple of my Microsoft accounts (aka Hotmail or Outlook.com accounts) to see if I could duplicate what so many people experience: getting locked out of email while travelling abroad.
I didn’t get locked out.
Why I didn’t run into problems is pretty simple: I had prepared. (Though I think something else played a part for at least one of my accounts; more on that in a moment.) But I can see how a lack of preparation can end up with accounts inaccessible until you return home.
Let’s review exactly what I mean by “preparation” and how you can avoid getting locked out of your Microsoft account when you hit the road. I’ll also touch on why Microsoft takes these additional security steps.
Become a Patron of Ask Leo! and go ad-free!
Getting locked out of your Microsoft account
When there are login attempts from a location you normally don’t login from, Microsoft may ask for additional confirmation that you are who you say you are. If you cannot provide the information requested, you’ll be locked out until you return home. As frustrating as this is, it’s an important security measure that helps keep your account safe from hackers.
Why?
The most common question (after “how do I unlock it?”) is “Why does Microsoft do this?!”
The majority of Microsoft accounts — I’d guess well over 80% — are accessed primarily from one, and only one, location. Perhaps more importantly, the vast majority — I’d say well over 95% — are accessed from one and only one country.
For most of us, hackers operate from countries other than the one we’re in.
If the account you typically accessed from within your country suddenly has a log-in attempt from a country on a completely different continent, that’s considered unusual activity. While it might be you logging in, in the vast majority of cases, it’s not. It’s someone trying to hack your account.
When Microsoft sees this kind of unusual activity, they must take additional steps to confirm you are who you say you are and are thus authorized to access your account.
Proving you’re you
The security measures are simply about proving you are not a hacker trying to break in to the account. You know you’re not a hacker, but Microsoft does not. That you’re trying to log in from a foreign country makes it look like you could be.
The way you prove you’re not a hacker is to confirm additional information that you previously associated with your account (i.e., before the trip).
Typically, that means one of the following:
- Proving you own an email account that you previously configured as one of the alternate emails for your account. You prove this by correctly entering the correct alternate email address (proving you know it) and entering a code sent to this email address (proving you have access to it).
- Proving you own a telephone that you previously configured as the telephone number associated with this account. You prove this by entering a code sent to this number either by text message or by voice (call).
Note that this information — the email addresses and/or phone number — are things you set up before you need them. If you didn’t set them up or no longer have access to them, then you’re taken to the account recovery process, which tries to confirm you have the right to access your account via other means. Sadly, those other means are often both time consuming and not guaranteed to work, in which case you’ll be locked out…
…perhaps permanently.
Your password is not enough when locked out
I often hear howls of indignation when this happens. “I know my password! Why isn’t that enough?”
Simple: by logging in from another place, you look like a hacker who knows your password. That happens so often that Microsoft must take additional steps.
To be fair, this isn’t something they dreamed up to annoy you. Account theft is rampant and a huge problem. These steps protect accounts from malicious access every single day.
Here’s a look at recent account activity on one of my test accounts.
The entry for the Netherlands correctly reflects that I was presented with a security challenge in order to log in to the account. The entries for Gibraltar, however, are not me. Someone was attempting to hack into this account. Fortunately, they didn’t have my password, and even if they did, the security challenge that only I can pass would stop them from getting in.
That is why these additional security steps exist.
Be Prepared
I cannot stress this enough: be prepared when travelling.
- Make sure your account’s alternate email addresses are correct and that you have access to those email accounts while you travel.
- Make sure the phone numbers associated with your account are correct and that you can receive either texts or voice calls on those numbers while you travel.
It’s important so I’ll say it again: make sure that one or both will work when you’re travelling.
The number one cause of account loss (often total and permanent account loss) is when individuals list no alternate email or phone number or lose access to the email accounts or phone numbers they once had.
The number two cause of an account being unavailable while traveling? Having things properly configured but finding out that the phone number doesn’t work overseas, or that you can’t get texts while traveling, or that the alternate email address also requires additional security verification from which you’re also blocked.
Be prepared. Plan ahead.
My main account was challenge-free
I had to use one of my example Hotmail accounts to run the tests I did because from the moment I arrived in Holland, my primary Hotmail account just worked. I was never asked to respond to a challenge.
I have a theory about why; I have to stress it’s only a theory.
It’s the Microsoft account I use to log in to my Windows 10 machine — the Windows 10 laptop I was carrying with me.
My guess is the machine acts as an additional layer of security confirmation, a pseudo second factor, if you will. That this machine, which had previously logged in successfully (and fairly constantly) in the United States, was now physically present in the Netherlands might be an indicator to Microsoft’s security algorithm making this look less like a hacker trying to break into my account and more like me travelling.
As I said, it’s just a theory.
VPNs
Virtual Private Networks, or VPNs, can secure your connection within a hotel or other public internet access as well as making it look like you’re in another country. For example, I could make it “look like” I was connecting from within the U.S. while here in Holland.
My attempts to use a VPN failed. I believe this is because the free internet option provided by my hotel blocks VPN communications.1 Had I been willing to pay more per day, I could have given it a shot. I have successfully used a VPN elsewhere, though not in a situation to sidestep additional security challenges.
What I hear from individuals who attempt to use VPNs is mixed. Sometimes they sidestep the security issues; sometimes they do not. All I can recommend here is that if you’re of a mind, or in a bind, try one.
Do this
I’ll say it again: if you’re about to travel, particularly to another country, take the time before you go to prepare. That means making sure that you have alternate email addresses and/or phone numbers configured for the accounts you expect to rely on, and you can access them while on the road.
Want some reading material while you’re out and about? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
Footnotes & References
1: The VPN was able to connect while I was in flight somewhere over Greenland on the return trip.
My first free email account was with Yahoo. My reasoning was that I didn’t want to be locked into an ISP because of email. I have all of my accounts connected to at least 3 recovery accounts in case something goes wrong. I don’t even know the email address associated with my ISP because I’ve never used it.
I was traveling in China last year and experienced the Microsoft Challenge. My backup email account is on Gmail, which is blocked by the Great Firewall of China. Fortunately, I bought a 30 day China upgrade on my AT&T iPhone, which meant my cell phone was with me and on the network. One interesting note on the iPhone was my Gmail was accessible. My iPad could not access anything Google when connecting with WiFi nor could any hotel computers or local computers. The cell phone allowed me to answer the challenge and successfully log into my Microsoft account.
I’ve actually run into a technical problem with TunnelBear … repeated firewall requests when it’s installed on my Windows 10 machine, so I had to uninstall it there. (The request were benign, and not an indication of a problem, per se, but they were quite annoying. An implementation issue with TB’s networking hooks, as I understand it.)
Your theory about your Microsoft account on your usual Windows 10 machine I think is valid. We were up at our trailer this summer and I tried to access something with either my Yahoo or Google account, and they wouldn’t let me log in because it didn’t recognize me as having used this computer (I think I might have recently cleaned my cookies). They actually told me that was why and since I couldn’t correctly type the password (or answer a security question … I can’t remember which it was), it blocked me. Once I got back home, no problem.
Before I left the UK to visit Lithuania I visited my Microsoft account and set the laptop and tablet I travelled with as “trusted devices”, and had no problems. In case of accidents, I also had access to my Microsoft recovery code and ensured mobile phone number and alternate email were up to date and would work there, but did not need them. I think the “trusted devices” setup was the key to success.
Leo, thank you for your good work! However I disagree with the article’s apologetics on behalf of Microsoft. Microsoft has far exceeded my threshold of abuse and NEGLIGENCE to its users. This is the beginning of a rapid end to a 20 year relationship with Microsoft, where I will find alternative resources for my needs wherever possible, and recommend the same to All that I know. Their inconceivable arrogance and negligence is way way way over the top in locking me out ***MY*** hotmail/Live email accounts.
Really? A frequent international traveler. Now I traveled from home in Japan to family in the USA, and Microsoft suddenly locks me out. ***NOTE*** None of my banks locked me out from online banking, nor did yahoo.mail or gmail. Somehow, a simple flight in the year ***2016*** is this huge premise for security lockdown from my own account… to extract even more personal information from me, and then still nothing. While I’m visiting the U.S. for treatment for Heart Failure, I’m cut off from correspondence with my hospitals in Japan and the U.S., my health insurance, medical payment sites, emails from my banks, friends, place of employment, my OneDrive documents including phonelists and password lists, etc…
No Leo. Microsoft is royally damaging 10’s of thousands of users; as any search on this topic will show. Microsoft could ***at the very least*** have a link at the top of their hotmail/Live mail page that asks: “Traveling soon? Don’t get locked out of your account” that links directly to askleo.com and your solutions. Right?
I don’t see that Leo is defending Microsoft. He has often criticized their policies. This isn’t a recommendation to use outlook.com. What he’s doing is to help people who got stuck with a lemon make lemonade out of it.
I’m sure that Microsoft has a policy against officially supporting any third party solutions site over which they have zero control (i.e. Ask Leo! :-) ).
However you’ll get no disagreement from me: Microsoft could absolutely be handling this better, and they don’t need to be linking elsewhere to do it. My “apologetics”, as you call it, are simply to explain why they’ve taken the steps that they’ve taken.
While this article is about Microsoft / Hotmail, I’m a regular contributor to the Gmail Help Forum and this is a very real problem we see daily with users of Gmail accounts as well. However, just like Leo, I’ve traveled to places very far away from home and didn’t get locked out. Maybe because I always take my familiar Work laptop with me. Maybe because I always take my phone with me and can receive codes by text if necessary. My wife travels with me and uses my laptop to access her account without getting locked out either.
Unlike Leo, my Work laptop is not configured to log in with personal Microsoft credentials, although it is on Windows 10. Actually I think the last time I traveled was before it even got upgraded from Windows 7, so the Microsoft account sign in would not have been an option anyway.
My “real” account is Gmail for communications, some subscriptions I put through Yahoo, and I have a Hotmail just for testing. They all have Security Challenge procedures. Yahoo challenged me a few weeks ago right at home, saying something didn’t look right with recent activity. I got distracted before answering the challenge, and left it open. When I came back a few hours later I logged right in as though nothing had ever happened.
I fully endorse the paragraph above sub-titled “Be Prepared”.
I couldn’t agree more. I DID prepare, and I am STILL locked out of the account where I pay my bills. Also, I have plans to meet friends and search for jobs and now I can’t reach these people. It has literally ruined my travels at times. Yes, my phone works here in Taiwan, but they did not send the security code. I tried sending to another email, but that was locked too. I answered all their questions correctly, including emails and subject lines from recently sent emails. I did not make any errors. STILL LOCKED OUT. FU Microsoft. I’m trying to get a job here.
Before leaving, I also prepared by calling banks and credit cards to let them know my travel dates and locations. They asked a lot of information to verify that I am me. This is something I’ve done for 20 years. But, Microsoft does not offer this.
Which steps did you take to prepare? It might help to prevent others from being locked out. One way to prevent this is to use a different email service provider such as Gmail, although it’s still necessary to follow the preventative steps outline in this article.
One reason the VPN might not be working is that websites eventually get wise to the VPNs which are accessing them. For example, Netflix eventually blocks some VPNs once they learn of their existence. Since MS realizes that they are being accessed via a VPN, they probably block that VPN as a hacker might be using a VPN to look like they are in the US.
A few years back, when I went to South America, I was asked to confirm my identity by GMail. All they asked for was my full phone number. Once I entered it, they allowed access. This to me sounds like enough proof that I’m me, like a second password, as the odds of a hacker from another country would never guess my password and phone number.
We have just returned from a month’s stay in England and Wales. I hadn’t thought ahead to learn how to set up text verification on my phone with a UK sim card installed. How should I have handled this? Not all sites offer the alternative of verification via email. Thanks again for your great contribution to my sanity.
Having a recovery email address (or more) should allow you to have access to your Hotmail account when you travel. You don’t have to use that email address for anything else but you do have to check it regularly (monthly is good) so that it isn’t closed down for lack of use. You also have to be sure that that account doesn’t require a second factor when you travel overseas. I use gmx.com for that. You can test the recovery account by using a VPN which makes it appear you are in a different country. Set the virtual location to the one(s) you’ll be visiting.
The Opera browser offers VPN browsing. It isn’t a true VPN but it’s sufficient for this test.
Regarding VPN workaround – I actually find it quite effective. I use PIA and their app has 2 usefull features – killswitch and location selector. Killswitch makes sure your mail clien won’t get through before VPN is activated ever time you connect to Wi-Fi in another country. Location selector allows you to select location that looks OK for your provider – Microsoft, Google etc. The best thing is that you can test it before you leave your country and make sure it works while you still have access to your phone and local internet in case something goes wrong.
The only problem with VPN is remembering to turn it on. Las time I was in Mexico I forgot and got locked out of hotmail. Furtunately I realized what happened and turned it on before opening my gmail app so was able to recover my hotmail access using gmail.
One more potentially useful feature Microsoft offers is Recovery Key, you can get one in your account’s security settings and use to get your access back. They recommend printing it out and keep with you. I did not test it so not 100% sure it will work for this scenario, may be it works only for “forgot my password”.
Another potentially useful thing is Microsoft Authenticator but as far as I understood it only works with 2-factor authentication, no mentioning of recovery options.
I think that microsoft just wants to have my tel number…they block your account and even if you answer all the questions in the right way, they do not unblock it….if you dont give your tel number. Thats why I will do my best to change to google…at least they dont have these stupid complications. The funny thing is that I have all the mails downloaded in outlook and I know I am answering all the questions….like “write the exact line of the subject of the last mails you sent”. This is unbelievable….another question is “where you opened your account”, you have to remember the town and the postal code! You have to remember your skype contacts and the email of your contacts…… Only if you have outlook you can copy this info….but even like this the account stays blocked….
it is a joke…really!!!
I am a frequent traveler to Thailand. Sometimes Microsoft blocks my hotmail access, sometimes it doesn’t. Like other people here, I take great care to advise financial institutions of my travel plans and they enable access accordingly. All of this difficulty and confusion could easily be eliminated if Microsoft would allow the user to contact them in advance of travel to advise of travel plans so there will be no concerns regarding login from a different local. Unfortunately, Microsoft does not offer this. Why? The implications of not having access to email are substantial as I need to pay bills since my travel times often exceed several weeks. Why not reward responsible users?
You can create recovery email addresses with services that don’t block you when you travel. I have 4 recovery email address for that purpose.
How Not To Get Locked Out of Your Microsoft Account While Travelling
Additionally, with Microsoft email accounts, you cann get a recovery code in advance which you can use to unblock or recover your account.
Recover Your Microsoft Account Later by Setting Up a Recovery Code NOW
Why they don’t offer such a service is that it’s yet more cost and complexity that they have to store, track and manage … securely. For a free service, no less.
I set up devices as ‘trusted’ and emailed customer service to let them know I was going overseas – gave them dates, locations etc. I was still locked out. I have tried many times to get them to resolve the issue now I am back at home and on my pc – no joy.
I get locked out even traveling in the US. I need to just give up on Hotmail. When I change the contact information—it insists on keeping a dead email as the backup email—it still locks me out for at least a month. Seriously?? And zero way to get around it safely?
I’ve had similar experiences with other services. I only had to verify the second factor once on that device and never again. I wouldn’t call it “a pseudo second factor”. Possession of a verified device is a true second factor. Two factor equals what you know plus what you have.
I called this a pseudo second factor because I wasn’t using it as a true second factor (for login-time confirmation). My theory is that if you sign into a machine in (say) the US, say “remember me”, and then take it elsewhere, like The Netherlands, it remains logged in and the additional security from coming from a different location doesn’t kick in.
Put another way, the additional security only(?) comes in to play at login time.
The quickest rejection of Microsoft ..Had a new account tried the password , ok maybe I forgot it was a capital whatever. Tried a second time and locked out, accused of a “VIOLATION!” which I find offensive !!! No I don’t want to give my phone number just allow me another attempt to get the capital in properly , is that the scam ?
Never used . I actually had tried to go back to Microsoft because I really do prefer the format and look , but Google servers are kinder and more polite , despite probably taking my data with a smile , I prefer that to rudeness !!
Just this last week either an update/issue in Microsoft, Thunderbird or Chrome has caused chaos in my accounts with various machines not recognising passwords and sign-ins for the 5 Hotmail accounts I have on 3 separate machines.
Have had a tortuous time logging into each separately and resetting passwords then trying to get them recognised within Thunderbird (v 102.0.2) on each machine.
Very irritating. Good job I am retired or a lot of productive work time would have been lost!
I am using Thunderbird too, and I have 1 Microsoft, 1 Hotmail, and 2 Gmail accounts, and now I need to log into each of them every time I close Thunderbird and try to re-open it. I do keep getting error messages too, about trouble logging in, even when I have not done anything but used another App.
This sounds like a problem that I have been dealing with recently and I figured that it is related to security upgrades that Microsoft has made. I use one web-based email provider to “pick up” emails from my Microsoft-based email address through Microsoft’s POP server. Microsoft seems to consider that to be a security concern (e.g. different IP addresses being used to download messages) and Microsoft sends me “Microsoft account unusual sign-in activity” messages.