I just tried to log into my Hotmail account and got a message saying that for security reasons, I have to enter a code, which will be sent to the mobile number or email address of my choice. So I typed in one of my other email addresses, they sent me a code, I entered the code, and I logged into Hotmail.
We all see the problem here, right?
I think maybe all the smart people left Microsoft in embarrassment over MSWord.
…you have a hotmail account?
Did you only get the code sent to your other email address after entering your valid hotmail password?
I am wondering if I tried to send the code for [presumably] Steven.Landsburg@hotmail.com to my own email address to get the login code, I would have been blocked because I didn’t enter the correct hotmail password in the first place.
Either way, I don’t see the extra authentication being performed here. You either have your hotmail password or you don’t. “Proving” that you are you by entering a completely different mobile or email address does not provide an additional layer of security.
Was this setting up two-factor authentication for future use? If it’s a one-time event where you choose the phone/e-mail address, then of course it’s useless, but I’m skeptical that that’s what’s going on. If you’re committing to a future channel for two-factor authentication, then it does increase your future security.
Is this perhaps not so much to verify your identity this time, as to establish contact information to be used to verify your identity in the future, or for future password recovery?
Steve S:
Did you only get the code sent to your other email address after entering your valid hotmail password?
Nope. It asked for another address *before* it would allow me to enter my password. I’m nearly sure of this. But even if I’m mistaken, like Steve S. says, it still makes no difference. Someone attempting to access my account either does or does not have my password. If they have my password, then they can get in. If they don’t, they can’t. (To get in, I had to give both my password and the code they sent me.) So where’s the extra security?
Brandon Berg and Anonymous: I don’t see where this adds extra security “in the future” either. Once again, anyone with my password can get into the account (now and in the future); anyone without my password can’t.
Has anyone here experienced Windows 8 in its unadulterated form (i.e. without third-party start button)? It’s so bad it’s downright comical.
I’m particularly amazed at the idea that corporate customers would put up with the substantial costs due to retraining, loss of productivity and sheer aggravation in switching from the familiar Windows interface, to a UI which offers no conceivable benefit whatsoever.
Dude, that’s what you get for still having a hotmail account.
“Once again, anyone with my password can get into the account (now and in the future); anyone without my password can’t.”
It might in the future ask you to enter a code sent to the other email address or cell phone before allowing you access even if the password was correct. If that was done when there was something suspicious about your log-in attempt (such as multiple failures or an IP address it didn’t recognize) then surely that is added security ?
#4 is probably correct.
Also, it is perhaps useful for future marketing, since now they know your phone number or another email address.
Advo: I use it on a daily basis and I don’t see the big deal about it. Why would I need a start menu button when I can use the Windows Key and just type the name of whatever app I want to run? I’m stuck with XP on my work computer and that Start Menu is much, much worse, especially if you have lots of software on your computer.
And if I want to open the Explorer, I just use Windows + E. There’s no difference between going to the Start Menu and clicking on “Documents”, and opening the Explorer and also clicking on “Documents”.
Steve, they just wanted to know your phone number. The alternative would be to prompt you in your hotmail account and ask you to fill in your phone number for security reasons in the future. This would probably have a much lower success rate than asking you before you can log in. It seems paradoxical, but they just increased the account security and this procedure made it more likely that you would comply.
is paradoxical, not seems.
Did Hotmail prompt you to change your password after you were logged in?
Bot detection?
Yep, first thing I thought was bot detection.
My first thought was they just linked more things/accounts for data mining purposes.
Lots of places use a “type the following letters” thing for bot detection. This may be irritating, but it is not so awkward as the email thing discussed here. Are these methods ineffective?
I see several possibilities
1. Bot detection.
2. Design error.
3. They are running an experiment on expressed versus revealed preference. “Sure you *say* you want into your email …”
Asking you to enter a security code is probably better than saying, “We want to get more information about you to sell to marketers so we won’t let you access your e-mail unless you give us a mobile number or another e-mail.”
Just like a message saying “Please wait while we verify your security credentials” is better than saying “We don’t plan on spending more money to improve our login times”.
Are you quite sure you literally got to type in the alternative email? I only ask because I got the same message today when signing into my outlook.com account, but I didn’t get to choose; the email and phone number were simply preselected choices (preselected by me some time ago).
@Damien:
The question is – why would I want to type in the name of an app rather than just clicking it? Why should I have to learn hotkeys?
I am sure that if you learn how the unintuitive Windows 8 GUI works, you can become as productive using it as you are with the familiar Windows 7 GUI.
But what the hell for? Why would I want to invest the time and effort? Why would a corporation want to incur the expense?
And then there are the many little things that are just bad. Try backing up your system partition. Use the search function. Try “backup”. Doesn’t get you anything. Try “system image”. Nothing. The term you have to search for is “Windows 7 file recovery”. In Windows 8. That’s just hilarious. And symptomatic. Aside from the fact that it’s stupid having to learn how to use a new OS-GUI which offers no advantages over the old one, Windows 8 is HARD to learn by just using it, because much of it is so unintuitive. That’s the very definition of a bad GUI.
@Steve Landsburg:
I believe the way it works is that from now on, if you or someone else tries to log into your Hotmail account from A DIFFERENT DEVICE (a PC or a Smartphone), a confirmation code will be sent to the alternative email account and/or your phone.
So the additional security is for future attempts at stealing your account. Personally, I prefer GMAIL’s approach which only uses a phone number and not a second email account which can be easily compromised if a hacker has a keylogger installed on your computer. So it is stupid, just not quite as stupid as it appears at first glance.
I know others have said as much above, but this security code was not designed to protect against the current login – rather, it is designed to prevent future malfeasance. It also assists with password recovery in the future.
I suggest the following. This was not a security issue; they wanted an alternate location for you. I remember some email provider wanting something like that from me once. If they simply asked for the alternate address, you could have entered the location wrong or just a fictitious one. This mechanism guaranteed you had to enter a valid alternate address.
Hey, don’t knock it! I used to work on Word…
Bot detection.
You don’t see me writing blog articles about how I tried to log on to a website and they tried to make me write down a code that’s displayed RIGHT THERE ON THE PAGE IN FRONT OF ME.
Yeah – what TimC said at 21. Are you sure you haven’t already given them the alternative email address at some time in the past?
Also, agree with everyone who’s wondering why you haven’t switched to gmail with the rest of the world.
Steve, not to be frivolous, but is not this another version of the liar’s paradox, or the fundamental problem of metaphysics? Do not we all know that there are some things that arithmetic cannot decide?
As a few others have mentioned, this is not at all about the security of your current login. In fact, you probably received the request to add the email or mobile number because the system was pretty certain that you were who you said you were (at least, one can hope Hotmail is not just sending this out to everyone at the same time).
This is about re-establishing your credentials after your account has been compromised and closed. Your cat’s favorite food just doesn’t cut it anymore.
The big email hosts (Gmail, Yahoo mail, Hotmail, etc.) are using more and more aggressive algorithms to detect email hijackings and other funny business. So your account is a lot more likely to be locked now than it used to be. So they need a better way of confirming your identity.
I’m actually kind of surprised Hotmail didn’t force you to use a mobile number, like Yahoo and Gmail do. It is the best option for quick and reliable identity confirmation.
@bigjeff5 30:
I think Steve’s bemusement is precisely because what happened is quite useless for what you are suggesting, precisely because it lacks anything traceable like a phone number.
It *could* usefully screen out a bot and it *could* usefully gather information for data mining, which is why those have been suggested.
Ken,
Why not? I don’t understand how asking for contact information can be useless for getting back into contact.
What I don’t agree with is that a cellphone is a more reliable way of establishing identity. If anything, an anonymous cell-phone is more anonymous than an email account. With the former, you would have to track down where Mr. Black Hat bought the cell-phone and hope the store clerk remembers it. In the latter, at least you have a fighting chance of tracking down the IP from where it was signed up.
@Henri Hein: The stated goal, the one that bemused Steve, was that this rigamarole was described as a way to make his account more secure. Well more secure against whom? If a bot then the method works. That’s why I suggest bot detection. But if a malicious Ken B armed with Steve’s hotmail password? The rigamarole has not stopped me. I create a fake email hhein@mail.com and get the code. Against a person who can get past the password protection already on the account nothing has been added.
@Ken: You dismissed bigjeff’s alternate theory, that the secondary email was going to be used for future issues, not the current authentication. That theory seems strong to me. Bot detection is usually done with captcha-like implementations, or some simple instructions that require natural-language parsing. A second email is not really required. So I’m still not sure why you dismiss bigjeff’s theory.
@HenriHein 34:
Because it doesn’t match Steve’s summary. If they said provide us a contact we will save for future use, then yes, but that doesn’t match what Steve said. Plus of course if I had SL’s password I could steal his account now and provide the future link.
Steve said Hotmail needed another contact method for security reasons. That could be current security reasons or future security reasons. An alternate contact method greatly increases security, because it allows lockouts from the account you are accessing without locking you out of the system completely.
I’m firmly in the “for future use” camp. I agree with Henri…nothing in Steve’s summary precludes future use as the motive.
@33 Ken B asks “…more secure against whom?” One example is whenever Microsoft detects suspicious activity, i.e. a login from a dubious location, a code will be sent to the contact information supplied by Steve. The impersonator will not receive the code and therefore cannot complete the login. Also, when a password is forgotten, sending a code could be part of the reset process. Whenever certain account information is modified, a code could be sent and must be entered before the modification becomes effective.
If I’m understanding correctly, one of Ken B’s points is the procedure is ineffective when the account was already compromised and an impersonator entered the contact information and subsequently receives all codes. In this case, sending the code fails to serve as a second authentication mechanism. However, I, and I’m guessing Microsoft, believe this rarely happens. Second, a security procedure need not be infallible to be valuable. Third, it increases the probability of Steve discovering his account has been compromised when he eventually notices the bogus contact information or fails to receive a necessary code. Lastly, perhaps there is some chance, probably small, that the perpetrator’s contact information facilitates finding the perpetrator.
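A toy model of the flow the last few comments describe (a code sent to the recovery contact only for a sign-in from an unrecognised device, and the recovery contact changeable only from a device that has already passed that check), as an added Python example that is not from the post or from any commenter; the Account class, the device-fingerprint strings, the OUTBOX stand-in for the mail/SMS gateway and the trust policy are all assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the mail/SMS gateway: (recipient, message text).
OUTBOX: list = []

@dataclass
class Account:
    password: str                               # toy model only; real systems store a hash
    recovery_contact: Optional[str] = None      # the alternate email / phone Hotmail asked for
    trusted_devices: set = field(default_factory=set)
    pending: Optional[dict] = None              # {"device": ..., "code": ...} awaiting verification

def _send_code(acct: Account, device: str) -> str:
    code = secrets.token_hex(3)
    acct.pending = {"device": device, "code": code}
    OUTBOX.append((acct.recovery_contact, f"Your sign-in code is {code}"))
    return "code_sent"

def login(acct: Account, password: str, device: str) -> str:
    """Password first; step up to the recovery contact only for an unrecognised device."""
    if not secrets.compare_digest(password, acct.password):
        return "denied"
    if device in acct.trusted_devices or acct.recovery_contact is None:
        acct.trusted_devices.add(device)        # assumed policy: first device is trusted at enrolment
        return "ok"
    return _send_code(acct, device)

def verify_code(acct: Account, device: str, code: str) -> str:
    """Second step of login: the code must match and come from the same device that requested it."""
    p = acct.pending
    if not p or p["device"] != device or not secrets.compare_digest(code, p["code"]):
        return "denied"
    acct.pending = None
    acct.trusted_devices.add(device)
    return "ok"

def set_recovery_contact(acct: Account, device: str, new_contact: str) -> str:
    """Ken B's case: someone holding only the password must not silently enrol their own contact."""
    if device not in acct.trusted_devices:
        return "denied"                         # changes allowed only from a device that passed step-up
    old = acct.recovery_contact
    acct.recovery_contact = new_contact
    if old:                                     # the previous contact learns of the change
        OUTBOX.append((old, f"Recovery contact changed to {new_contact}; if this was not you, lock the account"))
    return "ok"
```

What the model cannot fix is the point Steve and Ken B make: the very first enrolment is bound to whoever holds the password at that moment, so the contact only helps against later attempts from new devices and gives the real owner a chance to notice a change.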