The story of how I actually contacted the Microsoft hotline and tried for two hours to prove I'm not hacking my own account, just because I didn't use it enough.


I own a Windows 10 PC which was upgraded from Windows 7. And back in Windows 7 you simply entered a license key, activated your installation and moved on. Then Windows 10 happened and I upgraded, which gave me a local account (my primary user) and the administrator account (I like to keep them apart). So from Windows' point of view my admin account "owns" the PC. And some friends told me I could just connect it to a Microsoft account with my Windows 10 license, so I won't have to remember any license keys (and probably avoid losing my license should MS stop accepting old Windows 7 keys), which I did. Because of this dual user setup I'm never logged into the admin account, at least not for months, maybe years.[1]

Account locking

So somewhere around last year I wanted to install the HEVC codec for Windows, such that Netflix might start using the High-DPI resolution I paid for[2], when I noticed that Windows told me there was something wrong with my account. So I tried to log in to the Microsoft account on the Windows Store (to install the codec), but didn't get quite far because the login said it's locked due to suspicious behaviour.

Turns out, if you don't log in to the account enough, Microsoft may simply lock the account and tell you to prove yourself as the owner. The account recovery didn't work and I ended up calling Microsoft customer service, which told me to complete some kind of quiz about my account, and only if I score more than 90% correct, I could unlock it.

They also told me that if I didn't succeed it may take months to go through the fallback, where somebody has to unlock it manually. And because I enabled second factor login, they couldn't do anything else. So yes, because I'm using 2FA login, they can't unlock it the normal way, but providing TOTP codes also isn't trustworthy enough to authenticate myself. I could understand if they didn't trust SMS, but TOTP?!

In the end I was able to recover my account by completing the quiz after multiple attempts and binding the account to a phone number! Lessons learned: Don't ever use a secure second factor authentication in Microsoft accounts. And get multiple phone numbers in case you need more than one account, because they really really really like getting your phone number.

Mojang account migrations to Microsoft

There is another story to tell. When migrating my Mojang Minecraft accounts to Microsoft (which everyone has to do sooner or later) I registered each one to a new Microsoft account, as per FAQ. Then I tried to log in to the account from MultiMC, only for Microsoft to ask me "for a phone number" to verify myself. Note that I never set up a phone number, they just asked for some number. The same happened on the other two accounts. (All of this was performed from the same IP that just migrated them.)

I pray that Microsoft will never tell me that they locked those accounts because I did not log in enough (play enough). Hopefully we will get some alternatives to modded Minecraft in the future, which don't involve Microsoft accounts.

[1] You also don't have to "use" the account in terms of logging in, you can still do admin tasks by entering the admin account PIN from the regular user.

[2] It never did, you also need to own a recent Intel CPU, AMD won't work. Maybe the SGX removal from Intel will change something here.