Microsoft has been pushing passkeys lately, so I revisited my Microsoft Account. Based on the security settings, you can have:
Sign-in Method - what you use to log in
- Password
- Security Key or pin or biometrics
- App - Microsoft Authenticator.
- SMS - supposedly removed now for new users
- TOTP
- Push notification
My thought was to remove the SMS and the email, but Microsoft seems to post a warning against doing that in this link: "If you request removal of all security information in your account, the account is put into a restricted state for 30-days." I poked around, and it appears to mean if you remove your email and phone methods. My guess is Microsoft is certain that if you remove your email and phone, they have no way to identify you. Frankly, I don't understand why they can't just make this a required field elsewhere and allow the user to not use it as a verification method. Currently, it appears that if I remove both methods, my account may be restricted. I am not going to try to find out. Has anyone actually tried removing both email and SMS? Note that SMS may have been removed for new accounts.
Microsoft does allow you to remove the password. While I did like that the password can be removed, it could not be done because then I can't use the account to log in to services like RDP to a server. As a result, I had to retain the TOTP or the push notification. As mentioned before, I still have to have SMS or email as a backup. What is the minimum set of methods you are using to log in to minimize attack surfaces?
Thanks