- This topic has 18 replies, 11 voices, and was last updated 5 days ago by vlad_the_invader.
Microsoft account recovery: a lesson learnt…
vlad_the_invader Full Member
TL;DR: Don’t use an alternative email address for account recovery or ID verification purposes that you won’t ALWAYS have access to…
Longer story:
I just bought a new laptop which I intended/hoped would set up quickly based on the settings of my existing laptop – however, for some reason, either (a) MS haven’t backed up my old laptop for six months or so or (b) Acer [the new laptop] or the Windows 11 installer/configurator couldn’t find anything more recent (the backup option presented was too old).
So, using Windows Backup, I tried to back up the old laptop but it failed as “passwords won’t sync until you verify your identity on this device”. This involves sending a code to your alternative email address.
Many years ago, I set up my work email address as the alternative email on my personal Microsoft account…the problem is, I quit work about three months ago and don’t have access to that email…
[For reasons which escape me, MS aren’t using my phone number (which I usually get text message codes sent to) or the Outlook app on my phone (usually get to match one of three codes pushed to the Outlook app on my phone against a code on the laptop) to authenticate my actions.]
Next, I tried to reset my security information. First, I tried to remove my old work email as my alternative email (intending on using a Gmail address instead) but this step involved sending a code to the alternate email address so that wouldn’t work – no worries, the screen clearly indicated I could cancel this option.
Next, I added Mrs Vlad’s phone number as a recovery option (my phone number wasn’t an option for some reason) to see whether I could get an authentication code sent to her instead (via text).
Again, the screen at the time clearly gave me an option to cancel that action (switch to Mrs Vlad’s number) if it didn’t work (it didn’t!).
So neither option is workable and yet, infuriatingly, the cancel option doesn’t work either and, it seems, I’m now in limbo as I’m locked out of changing my account verification options to use a different email address. The “verification” part of my account is now locked for 30 days.
To be clear, I still seem to be able to use my MS account on the old laptop and my phone, as well as signing in ok on my new laptop but if my account is hacked in the next 30 days, I think I’m screwed. And I’m also wary about what would happen should I need to change password and then re-sign in across three different devices.
I contacted MS Support via chat and they weren’t much help – they just directed me to the account recovery process. However, that seems a risky proposition seeing as they’ll lock the account completely if there’s “too much suspicious activity” in too small a time frame.
So, I suggest, change any account recovery email or phone numbers to those you can ALWAYS guarantee access for the foreseeable future (or at least the next 30 days) so you can obtain the codes before access disappears i.e. make sure you do this before you’re fired or quit work!
BearBack Free Member
I have an old email as my recovery, keep meaning to change it but it’s not obvious so I keep putting it off. I’ll probably learn that lesson once my PC implodes.
thols2 Full Member
Also, don’t click on “Restart and install updates” 30 minutes before you’re due to give a presentation. It’s at 65% with 10 minutes to go.
thols2 Full Member
Damn, stuck on 88%, five minutes to go. I’m gonna take the wrong cable and waste some time trying to get connected to the projector.
stumpyjon Full Member
Likewise don’t update your phone’s operating system at the gate waiting to board a plane when the only copy of your boarding pass is on your phone. Thought I was an hour early, I wasn’t.
scotroutes Full Member
In a similar vein, Google occasionally informs me that some of my passwords have been compromised in one leak or another. Some of these are using an old blueyonder email account which is now inaccessible so there’s no way to change some of them.
andytherocketeer Full Member
Will be many lessons learnt when the next phase of Win11 or Win12 rolls out, and all your data will be in OneDrive*, cloud first, with only copies saved to “your” device, and your device encrypted by default. But it’s OK, M$ will look after the encryption keys for you in your M$ account.
Lose the password or access to your backup email etc. and you have lost all your data, not just access to an account.
OneDrive / Sharepoint is not a backup. Do your own backups. And make sure you have your encryption keys.
(* I call this the NSA backdoor masquerading as a feature that looks really convenient)
Sandwich Full Member
@thols2 There are lies, damn lies and software install progress bars!
Cougar2 Free Member
Likewise don’t update your phone’s operating system at the gate waiting to board a plane when the only copy of your boarding pass is on your phone. Thought I was an hour early, I wasn’t.
I’ve sprinted through train stations at 2% battery once too often. I always print them out ahead of a trip now.
sl2000 Full Member
TL;DR: Don’t use an alternative email address for account recovery or ID verification purposes that you won’t ALWAYS have access to
I don’t think from reading your description that that’s a correct summary. Is it not…
Always have at least one valid ID verification method.
If you’ve only got alternative email as a method, and you’ve lost access to that email, then yes you’re in trouble.
Visit https://account.live.com/proofs/manage/additional to check that you’ve got valid methods set up.
Cougar2 Free Member
Also,
This is another reminder why using ISP-provided or work-provided email accounts for anything you care about is a bad idea. My partner had a Virgin Media address, it took us weeks to unpick it all after she cancelled the Virgin contract.
If you don’t want to use Apple/Google/Microsoft because idk tinfoil hat reasons, Proton mail is security-focused and free.
matt_outandabout Free Member
This is another reminder why using ISP-provided or work-provided email accounts for anything you care about is a bad idea.
It took a similar amount of time to help my in-laws out with an issue for the same reason.
timmys Full Member
My partner had a Virgin Media address, it took us weeks to unpick it all after she cancelled the Virgin contract.
Virgin are weird. I had a dial-up account with them in about 1996 and the virgin.net email address I got then only just stopped working this year (it spent 1997 to 2024 set to forward stuff to my main address).
Cougar2 Free Member
I guess it’s arguably more effort to turn it off.
Her VM email I think is still active as of a couple of years later.
vlad_the_invader Full Member
Always have at least one valid ID verification method.
If you’ve only got alternative email as a method, and you’ve lost access to that email, then yes you’re in trouble.
Agreed but in my case, MS are pushing codes to the Android Outlook app on my phone (still) and I’m (reasonably) sure they’ve sent me SMS messages in years gone by…so not sure why either of those options aren’t used now