A Microsoft recovery code — more correctly, a recovery code for a Microsoft account — is a safety net. It’s a huge safety net, in fact. If you haven’t already done so, I strongly suggest you create one now.
It didn’t dawn on me until recently that these codes are very precious. Having one may be the ultimate proof of Microsoft account ownership.
Become a Patron of Ask Leo! and go ad-free!
A Recovery Code for a Microsoft Account
A Microsoft account recovery code is a magic number proving you’re authorized to access your account. Generate one via your Microsoft account’s security settings before you need it, and keep it in a safe place. If you ever get locked out it may be the only way you’ll be able to regain access to your account.
What a recovery code is
A recovery code is nothing more than a long, complex number. In fact, it looks very much like an old-style Microsoft product key.
Here’s an example:
Five groups of five letters and digits. My calculations make that a number between zero and … well … 8 followed by 39 zeros1. Approximately.
It’s a number that’s generated and assigned to you on request.
Possession is 99.999% of the law
To be clear, this is not two-factor authentication, but it is an additional “thing” — a factor, if you will — that proves you are the rightful owner of an account.
I’ll put it differently: being able to provide the code when requested may be enough to regain access to your Microsoft account should you ever forget your password, be unable to recover it, or get locked out of the account (perhaps when travelling).
A recovery code, then, is very valuable. Once you get one, you need to keep it safe and secure. If you store it digitally, as I do, that means you encrypt it. If you store it physically, perhaps by printing it out, then you save that paper in a very safe and secure location.
There can be only one
If you note the wording of the dialog above closely, you’ll see that it says, “If you previously had a recovery code, it is no longer valid.”
Each time you generate a code for an account, it replaces the previous one.2 Should you get a new one, make sure you replace any previous copies you’ve kept.
My understanding is that a code can be used only once. Make sure to get a new one should you ever use yours.
Get it before you need it
A Microsoft account recovery code is useful only if it’s been created before you need it. You need to be able to log in to your account to create it.
If you can’t log in, you can’t create a code. Without a code, you’ll need to find some other way to log in or recover your account.
How to get a Microsoft recovery code
While signed in to your Microsoft account, click on your profile icon (or initials, if you haven’t set a profile image) in the upper right, and then click on My account.
You may then need to scroll down to click on Update underneath “Update your security info”.
Next you’ll reconfirm either your password, PIN, or other authentication method to confirm you’re authorized to make changes.
Look for “More security options” and click Explore.
Scroll down to find “Recovery code”, and click on Replace recovery code3.
You’ll then be presented with your new code.
How to save your code
As I mentioned above, this code needs to be saved so it’s available to you when you need it, but it also needs to be saved securely so it doesn’t fall into the hands of someone who could use it to hack into your account.
There are several approaches.
- Print the code and save that paper in a safe or other secure location.
- Copy/Paste the code into a text document (perhaps using Notepad), and save the resulting file to a secure location, and/or encrypt the text file using tools such as 7-Zip, BoxCryptor, VeraCrypt, GPG, or other technologies. If you use a password, make certain it’s secure and strong.
- Copy/Paste the code into your password vault if it supports free-form secure notes. Alternatively, encrypt the file and save the password to that encryption to your password vault.
- Take a photo of the code and save the image in some secure manner. (Be careful if you have any sort of auto-upload of your smartphone photos enabled.)
Most importantly, make sure you have access when you need it.
One common scenario where a Microsoft account recovery code comes in handy is if you find yourself locked out because you’re traveling. Possession of the recovery code should prove that you are who you say you are, even if you’re in another country, and should allow you back into your account.
If you get hacked
If someone else gains unauthorized access to your account, they could change the recovery code, and the one you have will no longer work. Not all hackers do this, but some are savvy enough to change all of your recovery information, including this code.
Then you’ll have to follow account recovery instructions to manually regain access to your account, and hope that the process works. (Sadly, it’s not uncommon that it does not.)
And, of course, make sure that you’re always backing up your email, just in case.
Hopefully you’ll never need your recovery code, but if you found this article helpful, you’ll love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and increase your confidence with technology.
Subscribe now, and I’ll see you there soon,
Footnotes & References
1: 36^25 (thirty-six raised to the twenty-fifth power).
2: The recovery code used in the example above was, in fact, the recovery code for my example account… for about 10 minutes, after which I generated a new one, which I will not share here.
3: If you’ve not set a recovery code before, this may say “Create” rather than replace.