Two Step Verification - ABSOLUTELY ATROCIOUS!

  • General discussion

  • When I first signed up on Microsoft (to access my X-Box One device), I was provided the option to use the TWO STEP VERIFICATION security option. I thought, "This is smart and awesome. Why WOULDN'T I want to add another level of security in an already terrifying hack-able world?"

    I 100% regret my decision today.

    For starters:

    Two Step Verification means that, in order for you to access your account or reset your password, you would need to DL (download) the Authenticator application on your smartphone. The app provides a numeric code, refreshed every thirty seconds, which you would need to input after entering your email address and password.

    Sounds wonderful, right? Wrong. Why? Because what it doesn't tell you is that once you enable the Two Step Verification system, it basically means there is NO OTHER WAY to get into your account if you EVER lose access to your Authenticator.

    I have experienced this firsthand. Last week, my cell phone was just about destroyed while at work (industrial warehouse). There was no way to recover anything on the phone or access it. I didn't think much about it at the time. I mean, there is usually ALWAYS another way to get into one's account, right? Every other service has multitudes of possibilities to do so.

    Heck, at Google's mail service, you can do a myriad of other verification methods, from emailing your emergency contact or answering security questions that you (the USER) put in place yourself.

    Lo and behold, as fate would have it, Sunday of this week I woke up to find that my Xbox signed me out of my account. No biggie, as I thought I knew the password. But after three times of trying to access it, denied each time, I acquiesced to not knowing and chose to reset my password.

    And THIS is when I learned the REALLY HARD AND DAMAGING IMPACT of Microsoft's Two Step Verification system.

    I click the reset password, input my email address, and answer the (sometimes difficult to read) numeric and alphabetical anti-bot security protocol. It asks for my two-step verification code from my phone (the one that was destroyed). I select "I don't have this". So it then asks for my 25 character recovery code.

    25 character recovery code? Supposedly it is given when you first set up your account. Well, that's not true considering that I just made this new account (the one I created an hour ago) in order to post my grievance and it NEVER provided me with a 25 character recovery code FOR EMERGENCY PURPOSES! 

    And even if it did and I missed it (entirely plausible but with its own question of how that was possible), who honestly saves it or prints it or has it ON HAND ready and waiting to be used for an instance such as RESETTING ONE'S PASSWORD. In 2 minutes flat at GMAIL, I was back into my account. AND MY GMAIL's never been hacked!

    So I select "I don't have" my 25 character recovery. It asks me to fill out a questionnaire form that will be submitted to Microsoft's Tech Support, verified, and then will contact me in 24 hrs to reset my password. 

    I waited 24 hrs with no reply. I do some searches to see if others may have had this happen (which is stupid to say considering that it's more than likely that SOMEONE had to have a similar encounter) and I find that it could take up to 30 DAYS for them to respond.

    30 DAYS? Are you (expletive) kidding me? What person has 30 days to kick back? What if this was more than just getting back into one's device? I bet this wouldn't happen if I was a company, right?

    After waiting 48 hrs, with NO contact from Microsoft, I decide to get into their online chat service to see if I can get someone on the line. Wrong idea. Microsoft doesn't BELIEVE in real people anymore, at least not helpful ones. They have a new automated system in place, which not only ISN'T HELPFUL, but provides solutions that send you in a merry go round.

    ------------------------------------------

    Automated AI:

    Reset Password?

    Go to link, and input two-step code.

    Don't have the code? Input 25 recovery code.

    No recovery code? Fill out questionnaire.

    Want to talk to a person? Sure.

    Go to link and sign in.

    (repeat entire process top to bottom)

    ------------------------------------------

    Decided to then actually CALL every Microsoft number that I could find to try to get a live person on the phone. Took twenty minutes of learning how to game the system (because once you say "Reset Password" the automation at the beginning tells you that you can do that online, and then simply HANGS UP ON YOU!).

    Finally got a lovely sounding woman named Maria on the phone. I tell her exactly what has been going on and she asks me to just go through the whole process so she can be sure. I play ball, because it isn't her fault, and after getting through it, she tells me that the BEST SHE CAN DO is to push it to their Tier 3 department to handle. Oh, and wait 24 hrs. (Crickets)

    I ask her if she can just verify I am who I say I am, by accessing my account on her end and having me provide the necessary answers that only I WOULD KNOW! Like CC information, date of birth, what color are my eyes, whatever security questions I had put in place. Oh, wait, Microsoft doesn't BELIEVE IN SECURITY QUESTIONS. That would have been a smart idea, huh, Microsoft?

    Anyhow, she tells me that because I put into place the two-step verification system, which I cannot access, she can't do anything for me. Nothing except push my questionnaire up the chain. I ask her if there is anything that can be done and she says, "I'm so sorry, no, nothing."

    So, even with a real person, Microsoft hasn't given them the access to do anything to alleviate a customer's woes or issues. What was the point in then HAVING a real person? It's just as useless as having an automated service that sends you in a merry go round. And all this while, I own an expensive Microsoft console that is now a piece of shit just sitting on my TV unit, at least for a possible 29 days.

    Oh, there is of course one solution that Microsoft is more than happy to peddle to people in this situation, and it is quite a (expletive) insult.

    Create a new account.

    Really? THAT IS YOUR ANSWER? "Oh, we're sorry that we've completely (expletive) you out of accessing your account when we were the ones who recommended this security to you in the first place. But hey, just create a new one, because it's more fun the second time around and we appreciate your service."

    What am I to do with all the apps/games and services I've bought through Microsoft/Xbox stores that are (now!) on an inaccessible account? Any way to transfer all of that to a new account? Why yes, there is. BUT you have to sign in to the inaccessible account in order to do that. MERRY GO ROUND, folks!!!!!!

    They honestly expect you to get a new account and then REPAY for all the items that you already paid for. (expletive) that. What an absolutely horrible company.

    This experience not only has made me regret getting a Microsoft account, but has also made me regret getting an Xbox One. To create a system that has no other alternative is theft and thievery. I've owned Sony PS consoles and never had this issue. I have a GMAIL account, never had a problem. Even AOL (back in the day) was easier than this new age bull that Microsoft is peddling.

    And yet I'm still the sucker still sitting on my hands waiting to use what I (expletive) paid for! But no more money will be shed by me to this corrupt institution or any others that do business with them. And if anyone who reads this agrees, join in the fun.

    Wednesday, March 7, 2018 3:25 AM

All replies

  • I'd ask for help with xbox over here.

    https://www.xbox.com/en-US/forums

    For issues with your Microsoft account you can chat or email them here. (links at page bottom)

    https://support.microsoft.com/en-us/help/12429/microsoft-account-sign-in-cant

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, March 7, 2018 3:59 AM
    Moderator
  • Appreciate the comment.

    Unfortunately, neither option is viable because of the two-step verification system in place.

    Xbox works off of Microsoft, and Microsoft chat doesn't have access and email takes (posted) up to 30 days.

    Because either option requires the Authenticator code that is inaccessible due to my old phone being destroyed.

    Merry Go Round.

    Thanks anyway.

    Wednesday, March 7, 2018 4:31 AM
  • You'll need a second temp account in order to chat / email them. It is the only option. Chat works fine for me. When you get the phone replaced all should be good. When I set it up I was able to choose two methods to receive security alerts (phone AND email) but better to contact support for more help.

    https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Wednesday, March 7, 2018 4:45 AM
    Moderator
  • Chatting isn't the issue. Their ability to make the necessary changes to allow me to access my account is.

    And since I can't access my account because I no longer have access to the original Authenticator app on the original phone (which was destroyed), I'm SOL until they get back to me.

    Setting up Authenticator on my new phone requires (echo!) a two step verification process, because it requires signing into the account you want to link it to.

    DL it onto a phone of yours, link it to your account, set up two-step, then destroy your phone and try to get into that same account. Just don't have anything pertinent or desired on that account.


    Wednesday, March 7, 2018 5:14 AM
  • Yeah and after you chat with them you will get a response of “we are not able to address this type of issue on this chat”. I have tried the chat and after 24 hours that was the response Microsoft sent to me. Sunday around 1:30 am I got an email that my information had been removed from my email account. I tried to log into my email and my password had been changed. I was able to get the password reset but I could not get into the security section of my account because Microsoft had locked me out of this section for 30 days because of recent changes to my personal security settings. Someone hacked my email account and changed all of the security settings on my email and Microsoft locked me out of changing the information back so the hacker now has complete control of my email account and all the emails in the account. As soon as I got back into my email the hacker got a notification from Microsoft and logged back into the email and changed my password again and then set up the 2 step process that I had been locked out of and set up the authentication app to prevent me from getting back into my email. After multiple chats trying to get back in my email I called and talked to a lady who said she would send my issue to tier 3 and they will call within 24 hours. 48 hours later no call back. Emails get sent saying “we are unable to address this issue” and “because you have set up a two step authentication we ignore this request”. So Microsoft is going to let the hacker keep my emails and email account. I tried getting them just to lock the account or delete the account but they have done nothing and continue to do nothing but support how they take their security! That is a load of nonsense because if they did take security seriously then we would not have this issue in the first place!!

    Just lock the hacker out of my account and shut it down if that is my only option but making me wait for you to take any action is only allowing more time for the hacker to do whatever he/she wants with my information! It is not like they can’t verify locations of logins and know that the account is suspicious and just lock it out or do something more than nothing!!!

    Wednesday, March 7, 2018 5:22 AM
  • I can only relay my experience with the setup. This is a "where is" forum for direction on where best to ask questions. There are no forums specific to a Microsoft account so you'll need to work with Microsoft account support to resolve your issue via the links I provided.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management


    Wednesday, March 7, 2018 5:24 AM
    Moderator
  • Sorry to hear about your issue. Yours is a worse situation because of the hacker, and it is disturbing to hear that they put more stock in the two-step to guarantee identification or security than seeing the problem the process has created.

    I got the same thing with my chat. They would send it to Tier 3 and call me after 24 hrs. Must be a standard response.

    I'll let you know how my issue goes, and see if anything is different.

    If they are unable to do something, I guess I'll take a look at alternative means.

    Wednesday, March 7, 2018 5:39 AM
  • I understand that, and again, appreciate the comment.

    Unfortunately, Microsoft puts more stock in their two-step process, except in circumstances where you fall into limbo, or my worded touch, merry go round.

    The sad thing is that mine isn't the first time this has happened, and yet they haven't seemed to correct the issue. This shows a lack of care for the commoner.

    Wednesday, March 7, 2018 5:41 AM