If you don't have access to your account recovery phone number or alternate email address, there is a process you can go through to regain access to your account -- maybe.
I get so many variations of this question.
The most common scenario is travel. If there’s something “different” about your attempt to sign in — and being in a different country qualifies — Microsoft now often requires that even if you know your password, you must provide additional security confirmation. Usually, that’s a code sent to your phone or alternate email address.
I cannot stress this enough:
It is critical that you keep your recovery information up to date.
Not doing so is by far the fastest way to lose access to your account — forever — should something go wrong. It’s also a way to end up unable to access your email while traveling.
While many feel that the approach is somewhat ham-handed on Microsoft’s part, the reality is they’re fighting an incredibly difficult problem: account theft.
I’ll review the steps I believe you need to take and explain why this is happening.
Recovering a Microsoft account
If you forget your Microsoft account password or it just doesn’t work, and you can’t access your recovery phone or email, start the account recovery process. Start to sign in to Outlook.com but click the “Forgot password?” link. Provide as much information as possible to prove your identity. If unsuccessful, you may lose the account. Keep your recovery info current to avoid this situation.
I know my password, but…
Almost everyone who comes to me with this or a similar problem is convinced they know their password and they’re typing everything in correctly, yet they still cannot log in. Either through an account hack, simply being wrong about being right, or being faced with that additional security step from Microsoft, they’re blocked from logging in.
On top of that, they do not (perhaps temporarily, while traveling) have access to any of the accounts or phone numbers they set up as alternates on their Microsoft account (any Outlook.com account, including Hotmail). Thus, when the login process attempts to send a verification code to one of those accounts or numbers, the frustrated account holder can’t access it.
At that point, the only approach I’m aware of is to begin the account recovery process.
Account recovery without a password
Note that not all recovery mechanisms may be available for all accounts and in all situations. Not only do things change, but exactly which will be available may depend on your account settings and perhaps even where you’re located.
After entering your email address at the outlook.com sign-in screen, you’re prompted for your password.
Click on Forgot password? for a list of ways to get a security code to prove your identity.
This is recovery information that you previously set up in your account configuration. If you have app-based two-factor authentication enabled, you may be asked for your current two-factor code, or using it may simply be an option, as shown above.
In my case, I have two email addresses as well as my authenticator app.
Assuming you didn’t set up recovery information or lost access to those you previously configured, click on I don’t have any of these. You may then be given the opportunity to enter a previously established recovery code.
Assuming you don’t have one, click on No. (If you do have one, great! You’re probably back into your account.)
Continue below at Recover your account.
Recover your account
The recovery process now switches to a possibly manual account-verification process.
You once again provide the email address of the account to which you are attempting to gain access, as well as another email address at which you can be contacted. This second email address is completely unrelated to this account, and can be any account to which you currently have access. This is the email account Microsoft will use to get back to you.
Click Next. You may be sent a code to the second email account, which you’ll enter to verify you have access to it. You’ll then be presented with a page requesting an assortment of information.
This page asks you to provide as much information as you can about the account, including:
- Your name and birth date.
- Your location.
- The answer to your security question(s), if you had one or more set up.
- Other passwords you may have used on this account in the past.1
- The subject lines of any emails you may have sent recently.
- The names of any folders you’ve created in your account.
- The email addresses of any contacts to which you’ve recently sent email.
- Billing information, including a credit card, if you have any associated with the account.
The goal here is to provide enough information to prove you are who you say you are: the rightful account holder.
And again, it’s important to provide as much information as possible.
Once you’ve done so, click Submit.2
Now you wait.
The information is submitted to Microsoft, and something happens. What that something is we don’t know, but I would presume it’s a combination of mostly automated attempts to verify the information you’ve submitted against the account. I say “mostly” automated, because I would assume some need human verification.
If you’ve given enough information, and that information itself is enough for the system to trust that you are the correct account holder, you’ll be emailed a password reset link.
The “best option” listed is pretty much your only option at this point: go back to the account information form and provide additional and more accurate information.
Important: if you cannot do this — if you cannot provide sufficient information to prove you are the rightful account holder — I know of no way to proceed and regain access to the account. The account is likely lost, and I cannot help you.
Why all this hassle?
It may be hard to accept, but all of this is for your protection. Seriously. This process has probably already prevented your account from being hacked in the past.
Account hacking and theft are huge problems. Microsoft accounts have been prime targets for hackers for years. Microsoft has responded with these measures to keep hackers out and legitimate account owners in.
From their perspective, it’s better to lock you out than erroneously let a malicious hacker in. I’d have to agree: I’d rather no one be able to access my account if the alternative is the possibility a hacker might.
Avoiding this hassle is simple: you must keep your recovery information up to date. Without it, you may not be able to prove that you’re the legitimate account owner.
The potential delay
Upon regaining access to an account, or sometimes before being able to access an account being recovered, Microsoft will sometimes enforce a delay of up to 30 days.
As frustrating as this can be, it’s another security measure designed to keep your account safe.
When you make a change to an account — like resetting its password or changing the recovery email or phone — Microsoft sends a notification to the old address. This message also allows the change to be aborted.
If you are not in the process of making the change yourself, this delay gives you 30 days to tell Microsoft “It’s not me, it’s a hacker. Disallow the change.”
If you are in the process of making the change, or even just trying to log in, I agree it can be annoying.
Do this
If you can get into your account again, or if you end up setting up a new Hotmail/Outlook.com account, please:
- Make sure you have a recovery email address associated with it. I recommend using a different service — the issues with overseas travel that might cause hassles on your Microsoft account could also cause those same hassles on the recovery account if it’s also a Microsoft account.
- Make sure your recovery account remains current and active. Log into it from time to time to keep it open, even if you use it for nothing else.
- Set up a recovery code.
- Set up a mobile number, or even use a smartphone app if you have one, to provide even more recovery options.
- Set up more than one recovery option. You’ll note in my example account I had two different email addresses in addition to my two-factor authenticator.
And above all, remember to keep all that up to date.
