It can happen, but you can prepare.
I originally wrote this article on the last day of a trip taken to the Netherlands to visit relatives. As planned, I played a little with a couple of my Microsoft accounts (aka Hotmail or Outlook.com accounts) to see if I could duplicate what so many people experience: getting locked out of email while travelling abroad.
I didn’t get locked out.
Why I didn’t run into problems is pretty simple: I had prepared. (Though I think something else played a part for at least one of my accounts; more on that in a moment.) But I can see how a lack of preparation can end up with accounts inaccessible until you return home.
Let’s review exactly what I mean by “preparation” and how you can avoid getting locked out of your Microsoft account when you hit the road. I’ll also touch on why Microsoft takes these additional security steps.
Become a Patron of Ask Leo! and go ad-free!
Getting locked out of your Microsoft account
When there are login attempts from a location you normally don’t login from, Microsoft may ask for additional confirmation that you are who you say you are. If you cannot provide the information requested, you’ll be locked out until you return home. As frustrating as this is, it’s an important security measure that helps keep your account safe from hackers.
The most common question (after “how do I unlock it?”) is “Why does Microsoft do this?!”
The majority of Microsoft accounts — I’d guess well over 80% — are accessed primarily from one, and only one, location. Perhaps more importantly, the vast majority — I’d say well over 95% — are accessed from one and only one country.
For most of us, hackers operate from countries other than the one we’re in.
If the account you typically accessed from within your country suddenly has a log-in attempt from a country on a completely different continent, that’s considered unusual activity. While it might be you logging in, in the vast majority of cases, it’s not. It’s someone trying to hack your account.
When Microsoft sees this kind of unusual activity, they must take additional steps to confirm you are who you say you are and are thus authorized to access your account.
Proving you’re you
The security measures are simply about proving you are not a hacker trying to break in to the account. You know you’re not a hacker, but Microsoft does not. That you’re trying to log in from a foreign country makes it look like you could be.
The way you prove you’re not a hacker is to confirm additional information that you previously associated with your account (i.e., before the trip).
Typically, that means one of the following:
- Proving you own an email account that you previously configured as one of the alternate emails for your account. You prove this by correctly entering the correct alternate email address (proving you know it) and entering a code sent to this email address (proving you have access to it).
- Proving you own a telephone that you previously configured as the telephone number associated with this account. You prove this by entering a code sent to this number either by text message or by voice (call).
Note that this information — the email addresses and/or phone number — are things you set up before you need them. If you didn’t set them up or no longer have access to them, then you’re taken to the account recovery process, which tries to confirm you have the right to access your account via other means. Sadly, those other means are often both time consuming and not guaranteed to work, in which case you’ll be locked out…
Your password is not enough when locked out
I often hear howls of indignation when this happens. “I know my password! Why isn’t that enough?”
Simple: by logging in from another place, you look like a hacker who knows your password. That happens so often that Microsoft must take additional steps.
To be fair, this isn’t something they dreamed up to annoy you. Account theft is rampant and a huge problem. These steps protect accounts from malicious access every single day.
Here’s a look at recent account activity on one of my test accounts.
The entry for the Netherlands correctly reflects that I was presented with a security challenge in order to log in to the account. The entries for Gibraltar, however, are not me. Someone was attempting to hack into this account. Fortunately, they didn’t have my password, and even if they did, the security challenge that only I can pass would stop them from getting in.
That is why these additional security steps exist.
I cannot stress this enough: be prepared when travelling.
- Make sure your account’s alternate email addresses are correct and that you have access to those email accounts while you travel.
- Make sure the phone numbers associated with your account are correct and that you can receive either texts or voice calls on those numbers while you travel.
It’s important so I’ll say it again: make sure that one or both will work when you’re travelling.
The number one cause of account loss (often total and permanent account loss) is when individuals list no alternate email or phone number or lose access to the email accounts or phone numbers they once had.
The number two cause of an account being unavailable while traveling? Having things properly configured but finding out that the phone number doesn’t work overseas, or that you can’t get texts while traveling, or that the alternate email address also requires additional security verification from which you’re also blocked.
Be prepared. Plan ahead.
My main account was challenge-free
I had to use one of my example Hotmail accounts to run the tests I did because from the moment I arrived in Holland, my primary Hotmail account just worked. I was never asked to respond to a challenge.
I have a theory about why; I have to stress it’s only a theory.
It’s the Microsoft account I use to log in to my Windows 10 machine — the Windows 10 laptop I was carrying with me.
My guess is the machine acts as an additional layer of security confirmation, a pseudo second factor, if you will. That this machine, which had previously logged in successfully (and fairly constantly) in the United States, was now physically present in the Netherlands might be an indicator to Microsoft’s security algorithm making this look less like a hacker trying to break into my account and more like me travelling.
As I said, it’s just a theory.
Virtual Private Networks, or VPNs, can secure your connection within a hotel or other public internet access as well as making it look like you’re in another country. For example, I could make it “look like” I was connecting from within the U.S. while here in Holland.
My attempts to use a VPN failed. I believe this is because the free internet option provided by my hotel blocks VPN communications.1 Had I been willing to pay more per day, I could have given it a shot. I have successfully used a VPN elsewhere, though not in a situation to sidestep additional security challenges.
What I hear from individuals who attempt to use VPNs is mixed. Sometimes they sidestep the security issues; sometimes they do not. All I can recommend here is that if you’re of a mind, or in a bind, try one.
I’ll say it again: if you’re about to travel, particularly to another country, take the time before you go to prepare. That means making sure that you have alternate email addresses and/or phone numbers configured for the accounts you expect to rely on, and you can access them while on the road.
Want some reading material while you’re out and about? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.