MS Account Security

MS Account Security: a reader asks…

I received an email, supposedly from Microsoft giving me a code for my account password reset. Is this legitimate? I don’t even know if I have a Microsoft account. I have a Windows 10 PC.

Thanks for forwarding the actual message; that way I can check the HTML links embedded in the email. This email appears legit. It is typical of an email response from an online entity that is attempting to verify your identity. It could have been triggered by something you did, such as forgetting the password on your Windows 10 user account and wanting to reset it, or choosing the ‘forgotten password’ feature while trying to log into a Microsoft website. Or it could be some other security-related event that affects your Microsoft account.

That email contains a code which you would use on a verification page. This is an example of “2-factor authentication”, which I’ve previously written about here, here and here. Many online services now use 2-factor authentication to help confirm your identity online. In a nutshell, 2-factor authentication requires something you know (your username and password) and something you have (a code generated either by the online entity or by an app or device you possess) in order to prove your identity. This helps prevent hackers who have only your username and password from getting into your account.
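As an added illustration of the second factor described above (this is example code, not part of the original post or of Microsoft’s service), here is a minimal Python routine of the kind a service runs behind an emailed verification code: the code is issued, stored only as a hash, and must be used once, within a time limit and within a bounded number of guesses. The account names, the ten-minute lifetime and the five-attempt cap are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumption: lock the code after five wrong guesses

# In-memory store: account -> pending challenge. A real service would persist this.
_pending = {}


def _digest(code: str) -> str:
    # Stored as a hash so a database read does not expose the live code.
    # A 6-digit code is still guessable, which is why the TTL and attempt cap matter.
    return hashlib.sha256(code.strip().encode()).hexdigest()


def issue_code(account: str, now: float = None) -> str:
    """Generate a 6-digit code to email to the user; keep only its hash server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
    _pending[account] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code   # this value goes into the email, never the digest


def verify_code(account: str, submitted: str, now: float = None) -> bool:
    """Check a submitted code: single use, time-limited, attempt-limited."""
    now = time.time() if now is None else now
    challenge = _pending.get(account)
    if challenge is None:
        return False                      # nothing pending for this account
    if now > challenge["expires"]:
        del _pending[account]             # expired: user must request a new code
        return False
    challenge["attempts"] += 1
    if challenge["attempts"] > MAX_ATTEMPTS:
        del _pending[account]             # too many guesses: invalidate the code
        return False
    if hmac.compare_digest(_digest(submitted), challenge["digest"]):
        del _pending[account]             # single use: replaying the code fails
        return True
    return False
```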

And yes, you most likely do have a Microsoft account. When Windows 10 debuted, Microsoft pushed everybody they could into creating a Microsoft account for their user account in Windows. So when you first set up your new Windows 10 PC, the setup wizard guided you into creating such an account.

Sometimes Windows 10 gets…confused?…and needs to verify your account. You can see this verification feature as a link on your Windows user account page (Start > Settings > Accounts > Your Info). That page shows several links that connect you to your online Microsoft account, including a “Verify” link.

I don’t know if you did something that caused Microsoft to send you that verification email with the code, or if some hacker was trying to gain access to your account at Microsoft. Regardless, you should verify that you are the only one accessing your account. To be on the safe side you may want to change your password. But first…


I would suggest you go to https://account.microsoft.com/security/ and log into your account, then click the link “View my activity” (the left-most box above). That will take you to a screen where you have to verify your identity – either by receiving an email or a text message with a code like what you received.

Input that code in the space provided and you will be able to see everywhere in the world where you are logged into your Microsoft account (and where an attempt was made to log into your account).

For example, here’s a screenshot of my account activity (cropped). As you can see, someone attempted to log into my account from Egypt, but they were unsuccessful.

If you see any place other than your own home or other location you use and know about, then your Microsoft account might be compromised and you should change your password (using the 2nd block “Change my password”). Please note in my example above there’s a link that I could click to help secure my account. If your account is already protected with 2-factor authentication, then you may not need to do anything further, although I would still suggest you change your password.

Once you’ve changed your password online, you should also use that new password when logging into Windows 10 on your PC, as the old password will no longer work. If you have set up a PIN to use instead of a password, Windows will force you to re-validate that PIN with the new password the first time before you can resume using your PIN to log into your computer.


And please, don’t use an easily guessed password, or one you’ve also used elsewhere online, now or in the past. All passwords should be unique and long (e.g., at least 15 characters) – the longer the better. It’s impossible for most of us to keep track of all the various passwords and login credentials we use, so I suggest you use a password manager like LastPass. That service will help you create strong passwords and keep track of them, so they can be used when needed without you having to remember them.
