It can be very, very frustrating.
This is a scenario I hear frequently.
- Someone travels overseas or to a neighboring country.
- They attempt to sign in to their Outlook.com account to check email.
- After specifying the correct username and password, they’re asked for additional information in the form of a code texted to their phone.
- They have no way to retrieve the message, as their phone is back home or doesn’t work where they’re traveling.
- They can’t sign in.
I’ll review why, what options you have, and perhaps most importantly: how to prepare so this is not an issue.
Additional verification triggered
Account theft is so rampant that service providers like Microsoft look for clues of suspicious activity. If such a clue is detected — such as a sign-in from an unusual location — additional steps might be required to authenticate and sign in. If you’re unable or unprepared to provide them, you might not be able to access your account.
This technique applies to services other than just Microsoft, but I’ll use them as my example since they seem to cause many inadvertent lockouts.
When Microsoft notices what they term “something unusual” upon signing in to any Microsoft account (not just your outlook.com account), they present a dialog asking you to “Help us protect your account.”
To generate this example dialog, I simulated traveling by turning on my VPN and having it route through The Netherlands (a country I’ve been known to actually travel to).
I proceeded to log in normally, entering my email address and password. Rather than taking me to my inbox, the dialog box above was displayed with several options to further confirm that I am the rightful account holder.
What is “something unusual”?
As listed in that dialog, there are several scenarios qualifying as “something unusual”:
- Signing in from a new location (as I made it appear).
- Signing in from a new device.
- Signing in from a new app on an existing device.
I’m pretty convinced other scenarios can trigger additional verification as well.
I’m also pretty convinced that #1 on the list is “signing in from a new location”.
Why? Because that’s where hackers usually are.
Why a new location matters
Microsoft is attempting to battle account hacks. Please believe me when I say that your account, my account — everyone’s account, regardless of provider — is under constant automated attack from hackers. Microsoft accounts, specifically, seem to be a popular target.
Unfortunately, hackers are both persistent and surprisingly often successful.
But one thing we know about most of these hacks is that they often originate “somewhere else”, in countries other than the one in which you reside (or even other areas within your country).
When Microsoft sees a new login from a new location, they err on the side of caution by asking for additional verification.
This is a good thing. This keeps the hackers attempting to break into your account from being successful even if they somehow know your password.
Unfortunately, if you’re traveling and haven’t prepared, it can also keep you from being successful.
Preparation means having options
In my example above, you’ll notice I have several options to prove that I’m the rightful account holder.
- An email message sent to an alternate email address.
- An email message sent to a different alternate email address.
- A text message sent to a phone number.
- A voice message delivered to a phone number.
I set up each of these three items (two email addresses and the phone number) in advance, as part of the recovery information associated with the account. Proving that I can access any of these — by providing the code delivered to the one I choose [1] — proves that I’m the person who set up the account.
In other words, it proves that I am who I say I am, and I should be authorized to access the account.
You must set these up beforehand. As you can see, you can set up multiple methods of validation, but you need to have them in place before you need them.
And even then, there’s a catch.
The catch: traveling
Even if you’ve done due diligence in setting up these account validation and recovery options beforehand, there’s one catch that many people miss.
You need to be able to access them when you’re away from home.
- You need to be able to log in to one of your alternate email accounts to receive a code. If they’re all also protected by some kind of additional security that triggers when you travel, you may not be able to.
- You need to be able to receive a text message or phone call made to the phone number you have configured. If you don’t have access to this number while on the road, this approach may not work.
In other words, if you don’t have access to any of the alternatives listed, you may not be able to log in to your own account, at least not until you return home.
In addition to setting up account recovery options (which you should do anyway) you now need to make sure that at least one, if not more, of the recovery items you’ve chosen will be accessible while you’re traveling.
If not, then you might want to:
- Set up an alternate email account with a provider that doesn’t perform this type of additional security check. [2]
- Add two-factor authentication using an authentication app such as the Google Authenticator or Authy. These apps do not require connectivity when used.
- Generate account recovery codes that act as one-time passwords or authorization codes that you then carry with you in some secure manner. (Not all services support this type of code.)
- Explore your service’s options for additional account validation options.
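Why an authenticator app needs no connectivity, shown as an added example (not part of the original article or any provider's code): it assumes the service uses standard TOTP (RFC 6238, built on RFC 4226), where the code is computed from a secret shared at enrollment plus the current time. The function names and the sample secret are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way an
# enrollment QR code carries it. Never reuse it for a real account.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32):
    """Decode the Base32 secret that is shared once, at enrollment."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Phone side: the only inputs are the stored secret and the local clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify(secret, submitted, unix_time, step=30, window=1):
    """Server side: also accept adjacent time steps to tolerate clock drift."""
    counter = int(unix_time) // step
    ok = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret, counter + drift)
        ok |= hmac.compare_digest(candidate, submitted)  # constant-time compare
    return ok


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET_B32)
    now = time.time()
    code = totp(key, now)  # computed with no network access at all
    print("current code:", code, "accepted:", verify(key, code, now))
```

Unix time is the same in every time zone, so travel does not change the result; what the phone needs is an accurate clock, because the server only tolerates a small drift window.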
If it’s too late — if you didn’t set any of this up beforehand and you’re now on the road and don’t have access to any of the alternate authorization items listed for your account . . .
You may be out of luck.
You may simply not be able to access your account until you return home. Though it’s small solace, take heart in knowing that hackers have also been prevented from breaking into your account.
Footnotes & References
1: This is a subtle form of two-factor authentication. Something you know (your password) plus something you have: access to one of these second authorization mechanisms.
2: I do this using a domain I own, so that this email comes to me first in ways I can access from anywhere. You might choose your ISP’s email service, or a less popular email service. Unfortunately, I know of no way to test it beforehand, other than by using a VPN such as I used to create my example.