Last night, my wife received a call from a relative who received a strange pop-up after logging into her Hotmail account. It was a notice from Microsoft stating, “A Password Isn’t Enough.” This notice requested additional information from her including: her phone number, an alternate email address, and other information.
My wife then brought the situation to my attention, asking if this was some sort of a phishing scam or if her account had been taken over by some malicious outsider. When we received the same message logging into the account from our end, the idea behind this popup became clear.
It was Microsoft’s strange way of asking for additional information in the event that an account becomes compromised. After all, asking for a password reset after gaining access to a single email account is an easy way to compromise someone’s email account. It happens all the time, and this is where additional verification information comes into play.
By adding a phone number, you are making it possible to have your phone added as a type of two-stage authentication for account changes such as password resets, removals, etc. That isn’t to say you have to have your phone with you log in, but unless an outsider has your phone, it’ll be difficult for them to prove that they’re you when making serious account changes (or you’ve reported the account as being compromised).
The short answer: No, your account has not been hacked just because Microsoft is asking for this information. It’s simply an extra security precaution that we can all hope Microsoft never has to use. You can refresh the page and log in just fine without volunteering this information, as well.
Microsoft has apparently done a poor job of wording this page, or warning customers that this action is necessary. Upon searching for the phrase, I found no immediately available resources from Microsoft explaining the popup or why it was suddenly activated on so many user’s accounts. Further to that, forums (including those hosted by Microsoft) are filled with complaints from users concerned that this is nothing more than a phishing scam.
There are some reports out there of non-US phone numbers being rejected or unable to validate. Argentina being one example of a region impacted by this issue.
Despite the wording stating that passwords are not enough, users can access the site just fine with only a password. This isn’t so much a bug as a point of clarification required on the part of Microsoft. If you want this pop-up to appear less suspicious, it’s better to word it in a way that doesn’t make that new information appear required for log in purposes. Put a reminder to fill that information out in an email to users, or make a popup within the mail application itself asking for that information in the event that something goes awry.
Have you received this pop-up? Did you enter any information in, or did you close it like so many others have?