screen top
101
7109
1966
1222
2020
1444
102
1103
1935
1940
708
M113
1956
1209
102
8102
1987
044
0051
607
1976
1031
1984
1954
1103
415
1045
1864
103
714
1993
0222
052
1968
2450
746
56
47
716
8719
417
602
104
6104
1995
322
90
1931
1701
51
29
218
908
2114
85
3504
105
08
2001
713
079
1940
LV
426
105
10
1206
1979
402
795
106
31
2017
429
65
871
1031
541
656
764
88
001
27
05
POSTED
2020-06-21
07-081940
08-47148
09-081966
10-31

What passes for security at Microsoft is staggeringly disconcerting.


I've never fully understood the conceptual model for the security of Microsoft Accounts. Google isn't perfect, but I feel like I basically get it.

Part of what's going on here is that I don't really care about Microsoft Accounts... Every account I have has always been a holdover from years past, with various accounts having gotten automatically migrated over to their new unified system.

So I've got this one account, a pretty old hotmail.com address. About a week ago, I got an email at the associated gmail.com address that someone tried to access the account, and the email contained a security code...one I did not request. So definitely an illegitimate signin request. Alright; time to change the password...one of those "same password for everything" passwords I used to use before I wisened up.

So I went to log in from hotmail.com. They sent me a security code to the associated gmail.com address. So far, so good. I entered the code, and I was immediately prompted to change my password... I guess even Microsoft knew that my password was woefully insecure. So I changed the password. Then I was prompted to add a recovery phone number to send recovery codes to. No problem; I added my Google Voice number, the one primary number that I use for everything. You'd think that Microsoft would want to verify control over a phone number before it could be added to an account for security purposes. Nope.

Now, some years ago, a lot of those short SMS code systems struggled with Google Voice. Even GitHub occasionally struggled with it within the last year or so. But compatibility has definitely improved over time.

So after changing my Microsoft Account password and adding the recovery phone number, I was prompted to log in with my new password. But my account was locked due to suspicious activity. I guess changing a password and entering the security code emailed to the associated secondary email address is suspicious. Sigh. So my only option to unlock the account is to enter another security code. But I added a recovery phone number, so now the only way that I can receive the security code is by SMS, and it's asking me to enter the phone number associated with my account. Whoops! The Microsoft security code SMS system can't send the message to my number. I'm guessing it's because it's a Google Voice number. No alternative options available, like sending the code to my gmail.com address. SIGH.

So I figured I was locked out of my account. But on a whim, since I suspected that it was Microsoft's inability to send a message to a Google Voice number, I decided to enter in the number associated with my physical SIM card in my phone. From Microsoft's perspective, this was a random 10-digit US phone number.

Of course, that worked. What in the actual fuck!? Microsoft sent the security code to unlock my account to a random phone number provided by someone who could have been trying to illegitimately gain access to the account...as part of a flow to unlock an account that had suspicious behavior on it. OMFGs.

And then later, as I was looking through the options to add additional account security, it prompted me to verify my account by sending a code via SMSing my Google Voice number (telling me the last 4 digits of the number), calling me at my Google Voice number, or sending an email to the associated secondary email address... Out of curiosity, I selected the SMS option, and this time, it sent me an SMS to my Google Voice number without a problem...

So I'm guessing that Microsoft's "unified" system uses multiple different SMS providers for two-factor authentication.

But good heavens, this is a nightmare mess and absolutely violates even common-sense security practices.

Meanwhile, I have some old hotmail.com addresses that I cannot regain access to (and which I care more about) because I get stuck in weird account verification loops, having provided detailed account information like subject lines of emails and previous passwords that only I could have.

So Microsoft simultaneously has impossibly stringent account recovery standards and also laughably lax standards.

I literally can't even with them.