[cortesoft]

There are a lot of other ways they could do it.

You could provide a delay feature… if you request this sort of reset, it takes 3 days, and emails are sent to the primary address every day with the count down. If your email isn’t lost, you would see these warnings.

You could let an account holder designate emergency contacts (other accounts) that are allowed to request a reset if you lose your primary email (again with a time delay to allow you to block malicious takeover attempts).

Recovery keys, security questions, real life identity proof, etc, are all other possible options, too.

[aargh_aargh]

I've seen this delay in action when logging in into an old dormant Google account. After I provided correct password (and some other details I remember vaguely - probably no phone number set and some problem with using the TOTP I set up long ago), it sent an email to the linked primary email and waited for a day to give it a chance to abort before logging me in.

The delay is quite a bother but it's surely better than account takeover. What I mind about the process is probably the lack of transparency - what combination of factors (MFA pieces, location, inactive time, ...) launches which process? I get that transparency might help attackers here but they're the ones to have the persistence to figure out the rules anyway. Smells like security through obscurity to me.

[ian_holt]

I quite like that idea also. And I would not have thought it would be that difficult to implement in most systems these days

Having 1 or 2 backup email accounts and/or an SMS sent to a registered mobile phone number seems to me to be relatively simple to implement

Along with a built-in delay, the inconvenience of having to wait is way better than losing access to critical accounts

[theknarf]

Some doors can be designed with a large push handle to unlatch from the inside while still being closed from the outside. Allowing people on the inside to escape out but not the other way around.

[pocksuppet]

May I introduce you to Deviant Ollam's talks? You can fish a wire under the door and use it to push the inner push handle.

[aryan14]

This is actually what microsoft does for microsoft accounts

If you recover a microsoft account / submit a ticket to recover it and provide correct information, the active email gets an email letting them know about the request

You can deny it, or if you ignore it for 30 days the request goes through

Seems to be the best system IMO

[faidit]

Someone has been trying to hack into my MSFT account for years. I constantly get the notifications. I can not see where they are trying from (unlike some other services that give you info about failed login attempts) nor add more security measures. I worry one day I will accidentally hit "Approve" or they will guess the 6 digit code they have tried thousands of times.

The fun part is that you can't disable OneDrive. No matter how many times I turn it off it always keeps turning OneDrive back on to put my private data in the cloud for the attackers. Of course I can't block the methods that are obviously under attack either.

And the lack of a login history view means I have no way to know if they were successful yet. Support has never been good (for legitimate users) and is basically non-existent with AI now.

[azthecx]

You can disable the email you use publicly as a login email.

I would recommend you look at some other guides before you do this but the gist is My Account > Your Account > Manage Account Information. Then you can add a new email that you do not share as your primary login email, and disable login from the email you use to send emails.

[Spare_account]

I have about a dozen email aliases associated with my Microsoft account. On the "Your info" page, under "Account info", one of them is described as "The email address you use to sign in to your Microsoft Account".

However, I can use any of them to initiate a login attempt. I have my account set to passwordless, I don't know if that is relevant (every login attempt triggers an MFA prompt).

If I click on "Edit account info" I am taken to a page where I can choose which address in the "Primary", but given that ANY of the aliases can be used to intiate a sign-in, I don't see any benefit in changing that.

EDIT: I wasn't being adventurous enough. The option to change which aliases can be used to sign in is under (surprisingly) "Sign-in preferences".

In my defence, that page wasn't loading properly in Firefox with all my privacy add-ons enabled. I was able to access it in Edge.

EDIT2: I've changed my primary alias to a newly created one. If I am still able to sign in OK in a couple of days, I will disable the old primary for sign-in. I hope I don't live to regret this!

[hyperman1]

Re Onedrive, as someone who left windows ages ago: Why not just create folders outside your user home? Create some junctions from the inside. Then onedrive gets to sync only your desktop wallpaper and any random stuf apps drop in there, and your real data is safe outside its reach.

[sheiyei]

I think the best defense against this is to delete the Microsoft account and enjoy a better life. (Unless, of course, you need it for Minecraft.)

[codebolt]

The correct thing to do in this scenario is to create a new random login alias on your Microsoft account, make it the primary login alias, and disable login for the all other e-mails tied to the account.

[aryan14]

You can view the recent activity on your Microsoft account @ account(dot)live(dot)com/Activity

Would show any logins or security info updates etc

[Ueland]

Those login attempts which trigger 2fa app does not generate a log entry if unsuccessful. Only attempts with username/password does. For some strange reason.

So there is no way to flag them as malicious and if you accidentally accept, then it’s already too late.

Pretty annoying setup.

[kenjackson]

I have the same issue. It’s absolutely stressful. Id also love some way to mark them as malicious.

[jazzyjackson]

I know they’re always changing things but I’m 99% sure one drive can be disabled with a checkbox either in “turn windows features on or off” or via group policy editor.

[the_af]

> You can deny it, or if you ignore it for 30 days the request goes through

That's a good measure, but it would fail for the attack scenario in TFA: the attacker claims their account was hacked, so presumably (if the support AI "believes" them) the notification email is compromised. If the account was hacked, you cannot let the one receiving the notification cancel your recovery attempt, which they will of course try to do. Of course in this exploit it's all a lie, but what if your account truly was hacked and your were genuinely trying to recover it?

[markdown]

1. Provide a delay of a week. 2. Notify via all addresses on file. 3. Make an admin post (by the account in question) explaining that a 2FA override has been requested. Something you and all your followers can see.

[rpigab]

I think I set up my Apple account about 14 years ago. I have no clue what I put as security answers when I was young, even though I think I have the answers, it won't accept them. I still know my password, I still have access to the email, but because I switched from iPhone to Android, I didn't use the account for years.

Now I want to log in with the correct password, because it's been such a long time, it locks me out unless I give it 2 security answers. I've tried to reset it by email, it still locks me out on next login and asks for 1 security answer, I can't find any answer, I have no clue if it's case-sensitive and details like that. I went to an Apple store, they told me to contact the support, I have contacted the support, they can't do anything. Maybe my last hope is GDPR since I'm in the EU, have the account deleted.

[closeparen]

Apple does this.