Alan

@sourcejedi
he/him
Bluesky (it has resources): https://bsky.app/profile/sourcejedi.bsky.social
superuser.com / StackOverflow etc.: https://superuser.com/users/110495/sourcejedi
Blog?: https://sourcejedi.github.io/
Other site(s) also: sourcejedi
@rmondello "Passkeys, as defined by the NCSC, are always synchronised."
https://www.ncsc.gov.uk/paper/traditional-user-and-fido2-credentials-personal-use
I tested the implications of the updated #Microsoft account system. My results are written up here:
https://sourcejedi.github.io/2026/04/20/microsoft-contact-info.html
Do Microsoft accounts require a recovery email address or mobile number?

Shortly after I finished writing up their security and recovery system, Microsoft decided to change it. So I went back again and checked how everything works. These are my test results.

Microsoft to stop sending SMS codes for personal accounts - Microsoft Support

@sourcejedi
This is a test post.

(Does Mastodon do the Twitter thing where you can @ someone at the start of your message, and it doesn't get shown on your own timeline?)

They have this whole nag screen that *forces* you to add an email or a mobile number, and now they're saying the only option is to add a third-party email?
https://support.microsoft.com/en-gb/account-billing/troubleshoot-microsoft-verification-code-issues-409090c4-92b5-42b9-8ae6-bcc97e62fc48

I have a (test) @outlook.com email account which doesn't have a mobile number. They're now insisting I cannot unlink my third-party email account.

To have an @outlook.com email, you need to have... another email account?

Even though this @outlook.com account is linked to both Microsoft Authenticator, and a passkey.

"For increased security, you can no longer add a phone number."

I literally saw Windows ask to add a phone number last Tuesday.
https://support.microsoft.com/en-gb/account-billing/microsoft-account-security-info-verification-codes-bf2505ca-cae5-c5b4-77d1-69d3343a5452

Microsoft account security info & verification codes - Microsoft Support

Learn how to manage your Microsoft account security info and troubleshoot verification code issues.

News to me: "Microsoft is committed to advancing security standards and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts."

This note was added some time in 2026. https://support.microsoft.com/en-gb/account-billing/how-to-use-two-step-verification-with-your-microsoft-account-c7910146-672f-01e9-50a0-93b4585e7eb4

Not something they can do quickly, but it does show the direction they want to go.

How to use two-step verification with your Microsoft account - Microsoft Support

Get answers to some basic questions about what two-step verification is, and how to set it up and use it to help keep your Microsoft account more secure.

@0f1ab009
If you haven't turned on "two step verification", and you sign in on a new device, it may automatically invite you to save a passkey on the new device. It does not ask for any extra verification to do that.

I wish Microsoft account (personal) was a bit better documented. 🤯

It's possible to add a #passkey / Windows Hello, without having provided 2FA. Naturally, you can't turn around and use that passkey as 2FA.

But if you sign in with that passkey and then provide 2FA, Microsoft sets a flag and you can use the passkey as 2FA going forward.

(By default, 2FA is required for some actions like opening "Additional security options".)