
What if Two Factor Authentication fails with your Microsoft Account?

Two weekends ago I decided to try out the XDA method of installing Windows 10 on my Nokia Lumia 1520 to see Windows 10 on my unsupported handset.  It took me several cycles of trying the hack and included resetting my 1520 to factory defaults a few times.

The hack became so popular that Microsoft eventually closed the door to that hack by updating the Windows Insider app on Windows Phone. 

So it was in the course of that weekend of testing that I ended up resetting and revalidating access to a few of my Microsoft accounts multiple times as I moved my 1520 between the Windows 10 for phones technical preview and Windows Phone 8.1. 

I lost track of how many times I had codes sent to my phone to verify my identity on those accounts but I use the same cell number, as many of you do, as my primary number for those accounts.  Of course, with two factor authentication enabled I also use a secondary email address to get those codes.

At some point late on that Saturday I started to see an error when I asked for a code to be sent by SMS to my phone for validating one of my three main Microsoft Accounts I access daily. It simply read "There was an error sending that message, try again later."

Without much to work with in the error department or any further explanation of how to resolve this error, I was stuck with being unable to validate one account with an SMS.  I was also unable to validate my identity using the secondary email address because I could not remember what email address I had used.

When presented with the options to validate your Microsoft Account you see the phone number and are asked to verify the last 4 digits so the SMS can be sent.  Of course that threw the mysterious error now and was unusable on any of my Microsoft Accounts.

If you have also set up a secondary email account for two factor authentication then that is also presented, but only the first 2 letters and the full domain of that email address are shown on screen. You are required to type in the entire email address to get the code sent to you for validation. Of course, the resulting screen does not confirm or refute that you used the right email address – it just says if you entered the correct email address a code would be sent.
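The masked hint and the non-committal reply described above can be sketched as follows. This is an added example, not Microsoft's code: the class name, the reply text, the six-digit code and the sample address are all assumptions made for illustration.

```python
import hmac
import secrets

# Assumed wording; the point is that it is identical for hits and misses.
GENERIC_REPLY = "If you entered the correct email address, a code has been sent."


def mask_email(address: str) -> str:
    """Show the first two characters of the local part and the full domain.

    A fixed-width mask is used so the hint does not leak the local part's length.
    """
    local, _, domain = address.partition("@")
    return f"{local[:2]}*****@{domain}"


class RecoveryChallenge:
    """Hypothetical server-side handler for the 'type your full email' step."""

    def __init__(self, secondary_email: str):
        self._email = secondary_email.strip().lower()
        self.outbox = []  # stand-in for a mail queue: (address, code) tuples

    def hint(self) -> str:
        return mask_email(self._email)

    def request_code(self, typed: str) -> str:
        candidate = typed.strip().lower()
        # Constant-time comparison: response timing should not reveal
        # how much of the typed address matched the stored one.
        if hmac.compare_digest(candidate.encode(), self._email.encode()):
            code = f"{secrets.randbelow(10**6):06d}"
            self.outbox.append((self._email, code))
        # Same reply either way, so the form cannot be used to confirm
        # which address is registered on the account.
        return GENERIC_REPLY


if __name__ == "__main__":
    # Constructed sample address, not taken from the article.
    challenge = RecoveryChallenge("jd.backup+msa@example.com")
    print(challenge.hint())
    print(challenge.request_code("jd.backup@example.com"), len(challenge.outbox))
    print(challenge.request_code("jd.backup+msa@example.com"), len(challenge.outbox))
```

The near-miss in the demo gets the same reply as the exact address, which is why a half-remembered variation gives the legitimate owner no feedback either.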

Normally validating an account using this method is not a problem but I had used an obscure variation of an email address and despite the two letter hint I could not remember the secondary email address at all.  Couple that with the inability to get a security code via SMS and I was dead in the water with this one Microsoft Account.

So what is one to do at this point? Luckily, I could still receive email from this account because it was working on my other devices so while it was frustrating to be unable to set the account up on my 1520 it was not the end of the world either.  I figured I could wait for the timeout period to pass so that I could once again get security codes texted to my phone for validation.

You would be amazed at how hard it was to get an answer to that question though. I tried through Microsoft Account support, both via Twitter and directly chatting with them through the support site, and the only answer I received was about 24 hours. 

I must add here that I was very impressed with how Microsoft handles locked out accounts that use two factor authentication. No matter how much I asked to verify my identity using other methods (they have a lengthy form you can fill out to provide details of recent emails on your account to help unlock the account) or explained the circumstances of what happened, they never budged on the fact that since my account was enabled with two factor authentication they could not immediately unlock it.

My options were to validate it with the text or email method, which, as explained earlier, were both unavailable to me, or to submit a request to validate my identity and change one of my authentication methods. The only issue with changing one of my authentication methods was that it would take 30 days to make the change. This was intentional to dissuade those who may be trying to hack your account.

So I was suitably satisfied that Microsoft had my account's safety and security protected even though it was my own actions that locked me out in the first place.  However, I was still stuck and unable to add this account to my phone.

I dutifully attempted to validate the account each day and received the same cryptic error every time; however, on the 7th day I was once again able to send security codes to my phone, got into the account's settings and had it working again on my phone. So if anyone ever asks how long it takes for SMS codes to reset after being used too much in a short period of time for security codes, the answer is one week.

Now during my lock out I was tweeting about the situation and received a few helpful suggestions.

One of them was to use the Windows Phone Authenticator app to get a generated code to validate your identity.  This works great and I have it set up on my primary Microsoft Account, but it requires that you access your advanced security settings for your Microsoft Account to establish the connection between that account and the Authenticator app. Since I could not get a code to my phone or remember the email address I had selected as my secondary option, this was not possible.  After regaining access to my account settings I did set this up on that account immediately.

Another suggestion was the last resort recovery code on the account. This is another one that works very well; however, it is also one you must prepare for, as it requires that you access those advanced security settings and print out/save a unique recovery code to regain access to that account. This is another option that I took advantage of as soon as I was able to fully access my account settings.

Of course, when I got back into the advanced security settings of my Microsoft Account I was also able to see that obscure secondary email address I had selected. Immediately after shaking my head in disbelief that I had not remembered it, I changed it to something much more memorable to prevent that from happening again.

So bottom line here is two-fold.

First – Microsoft will not break when it comes to protecting your account if you cannot properly validate your identity using the two factor authentication options selected.

Second – there are ways to back up your two factor authentication methods if they become unusable or inaccessible but they require being set up before that access is lost.

So to stay safe and maintain access to your Microsoft Account be prepared for all contingencies.
