Yes, my friends, occasionally the world of tech will spill into this blog as well. But this is not related to my career at all; this is something I experienced while helping out a family member. And I thought I would share the frustration — and the solution.
He has a Microsoft account, based on a Hotmail address. There are 3 devices: his phone, an old laptop running Office 2013, and a new laptop running Office 365. He has some work email accounts, which all remained working fine, plus the personal email — that being the Hotmail account in question.
One day, he does.. something. Let’s say he forgot the password, or perhaps typed it incorrectly too many times. This leads to a slight spiral of confusing actions, involving a password reset and a recovery code, which he faithfully, per instruction, prints on a physical piece of paper (not that we ever needed it). However, something is still amiss.
Outlook 2013 is now continually prompting him for his password, for the Hotmail account. Strangely, also, this old machine still lets him log on to Windows with the old password, even though it’s running Windows 10 under the MS account (not a local user account).
His phone still receives and sends emails just fine — he didn’t even have to re-enter the password there, as far as I know. Also strange. Or perhaps he did re-enter it at some point shortly after he re-set it, but forgot to mention it. Who knows. The point is, he can’t get his personal emails in Outlook anymore, on the old laptop.
Nor the new one, as it turns out. He just hadn’t tried it until I got there. So during my troubleshooting efforts, we turned on the Surface and discovered it, too, in Outlook 365, continually begged for his password, which we of course entered correctly, to no avail.
I tried a lot of troubleshooting, including repairing the account in Outlook’s account properties, removing it and re-registering it, and even removing it from Windows entirely, followed by setting it up again. None of that worked of course.
The actual solution is rather boring, as it turns out. It just took us forever to arrive at it, because MS in no way made it at all obvious, nor provided any direction toward it, until I actually asked for help with Outlook’s support-chat snap-in. The agent replied next-day, which meant I had to tell my uncle to literally let his Surface sit out, open, on, logged-in, all night. Thank God for TeamViewer, is all I can say.
What we found out, thanks to the agent, is that he (the user, not the agent) had somehow enabled Two-Step Verification. This was NOT OBVIOUS anywhere. What it means, apparently, is that after you enter your password, you’ll need a security code that either gets texted to you or uses the MS Authenticator app on your smartphone. This is very similar to Two-Factor Auth, but not exactly the same.
So where do you go to check on this? Again, not obvious. Go to your MS account page in a browser — https://account.microsoft.com/. Then click on ‘Security’, of course. Then.. uhh.. wait, there are only 3 big buttons here. “Change password”, “Update your security Info”, and “Review recent activity”. Well those don’t sound like what I want. Maybe the 2nd one, kinda? Nope.
Read the fine-print. I mean it’s not “fine print” like super-dinky legal jargon, but small enough compared to those big 3 buttons that most people would overlook it. Right underneath it says this:
“Done with the basics? Explore more security options to help keep your account secure.” (MS Clippy)
Yep, there you go. Once you click that link, ‘Two-step verification’ is the 2nd option on the list. So, once we disabled that, he was back in business — his current (recently changed) password was now the only thing needed to configure/re-connect all Outlook apps to his Hotmail account.
More specifically, why is this a thing? Well, 2-factor authentication is actually a very good practice, security-wise. For example, when you log in to your bank’s website from a computer that you don’t normally use to do so, they generally want to text/call/email you with a “security code” to make sure it’s really you. Awesome! That means if someone guessed your password, they still couldn’t get in, because if you got that text/call/email while you yourself weren’t logging in to do some banking, you’d say “Not today, Satan!” and deny that sucker.
Now, let’s take the Microsoft account. Sure, it probably has some pretty important stuff — billing info, for one thing, if you’ve ever bought anything from them, like Office 365, or a game on the Xbox. But even if not, there’s still a lot of your personal info there. Plus, your email itself can be used for nefarious purposes, such as.. oh right, that banking example! If you hadn’t set up your phone as a “2-factor auth” contact-point, they might be using your email to send you those security-codes. And if you’re no longer the only pair of eyeballs on your inbox.. Ruh-roh.
So is this “Two-step verification” thing with your MS account all bad? No, of course not. Like anything, consider it holistically with the rest of your online presence and identity management. If you’re particularly worried about hackers, and you understand the trade-offs, go ahead and use it. If you’re fairly confident in your password strength, and you don’t have a ton of ‘risky’ information/connections involved in the account, maybe it’s overkill.
I personally use the MS Authenticator app, because I work in IT and it’s something I’m accustomed to. I have a lot of devices, and I know that the risk of me losing one is higher than most. But this family member’s situation is much more limited and much simpler. Therefore, we decided, he can live just fine without it; all he needs to remember is his password.