I’m writing this on the last day of a trip taken to the Netherlands to visit relatives. As planned, I decided to play a little with a couple of my Microsoft accounts (aka Hotmail or Outlook.com accounts) to see if I could duplicate what so many people seem to experience: getting locked out while travelling abroad.
I didn’t get locked out.
Why I didn’t run into problems is pretty simple: I was prepared. (Though I also think something else played a part for at least one of my accounts; more on that in a moment.) But I can see how a lack of preparation can end up with accounts inaccessible until you return home.
Let’s review exactly what I mean by “preparation”, and how you can avoid getting locked out of your Microsoft account when you hit the road. I’ll also touch on why Microsoft takes these additional security steps.
Become a Patron of Ask Leo! and go ad-free!
The most common question (after “how do I unlock it?”) is “Why does Microsoft do this?!”
That’s actually very easy to explain.
The majority – I’d guess well over 80% – of Microsoft accounts are accessed from one, and only one, location. Perhaps more importantly, the vast majority – I’d say well over 95% – are accessed from one and only one country.
Most hackers operate from other countries. If your account, typically accessed from within one country, suddenly has a log-in attempt from a country on a completely different continent, that’s considered “unusual activity”. While it might be you doing the logging in, in the vast majority of cases, it’s not; it’s someone trying to hack your account.
When Microsoft sees this kind of unusual activity, they simply must take additional steps to confirm you are who you say you are, and that you are authorized to access your account.
The security measures are simply about proving you are not a hacker trying to break in to the account. You know you’re not a hacker, but Microsoft does not. The fact that you’re trying to log in from a foreign country actually makes it look like you could be.
The way you prove you’re not a hacker is to confirm additional information that you previously associated with your account.
Typically, that means one of the following:
- Proving you own an email account that you previously configured as one of the alternate emails for your account. You prove this by correctly entering the correct alternate email address (proving you know it), and entering a code sent to this email address (proving you have access to it).
- Proving you own a telephone that you previously configured as the telephone number associated with this account. You prove this by entering a code sent to this number either by text message, or by voice (call).
Note that this information – the email addresses and/or phone number – are things you set up before you need them. If you didn’t set them up, or no longer have access to them, then you’re taken to the account recovery process, which tries to confirm you have the right to access your account via other means. Sadly, those other means are often both time consuming, and not guaranteed to work, in which case you’ll be locked out …
… perhaps permanently.
Your password is not enough when locked out
I often hear howls of indignation when people get locked out of their accounts. “I know my password! Why isn’t that enough?”
Simple: by logging in from another place, you look like a hacker who happens to know your password. That happens so often that Microsoft must take additional steps.
To be fair, this isn’t something they dreamed up to annoy you. Account theft is rampant, and a huge problem. These steps really do protect accounts from malicious access every single day.
Just have a look at the recent account activity on one of my test accounts.
The entry for the Netherlands is correct, and correctly reflects that I was presented with a security challenge in order to log in to the account. This is where I am today.
The entries for Gibraltar, however, are not me. Someone, for some reason, was attempting to hack into this account. Fortunately, they don’t have my password, and even if they did, the security challenge that only I can pass would stop them from actually getting in.
That is why these additional security steps exist.
I cannot stress this enough: be prepared when travelling.
- Make sure your account’s alternate email addresses are correct, and that you have access to those email accounts.
- Make sure the phone numbers associated with your account are correct, and that you can receive either texts or voice calls on those numbers.
Most importantly: make sure that one or both of those will still work when you’re travelling.
The number one cause of account loss (often total and permanent account loss) is when individuals have no alternate email or phone number, or have lost access to the email accounts or phone numbers they once had.
The number two cause of an account being unavailable while traveling? Having things properly configured, but finding out that the phone number doesn’t work overseas, or that you can’t get texts while traveling, or that the alternate email address also requires additional security verification from which you’re also blocked.
Be prepared. Plan ahead.
Challenge-free on my main account
I had to use one of my example Hotmail accounts to run the tests I did, because from the moment I arrived in Holland, my primary Hotmail account just worked. I was never asked to respond to a challenge.
I have a theory on why. I have to stress it’s only a theory.
It’s the account I use to log in to my Windows 10 machine – the Windows 10 laptop I was carrying with me.
My guess is that that machine acts as an additional layer of security confirmation, a pseudo second factor, if you will. The fact that this machine, which had previously logged in successfully (and fairly constantly) in the United States, was now physically present in the Netherlands may have been used as indicator to Microsoft’s security algorithm that made this look less like a hacker trying to break into my account, and more like me travelling.
As I said, it’s just a theory.
Virtual Private Networks, or VPNs, can be used to secure your connection within a hotel or other public internet access, as well as making it look like you’re located in another country. For example, I could make it “look like” I was connecting from within the U.S. while here in Holland.
My attempts to use a VPN failed. I believe this is because the free internet option provided by my hotel blocks VPN communications.1 Had I been willing to pay more per day, I probably could have given it a shot. I have successfully used a VPN elsewhere, though not in a situation to sidestep additional security challenges.
What I hear from individuals who attempt to use VPNs is mixed. Sometimes they sidestep the security issues; sometimes they do not. All I can recommend here is that if you’re of a mind, or in a bind, give one a try. My current favorite is TunnelBear, which includes a free tier that should allow you to determine if it’s going to work for you.