The Broken Promise of SMS-Based Two-Factor Authentication on Microsoft Accounts (Windows 11 Impact)


This morning I started the process to restore the security information on my account, and that turns out to be the only solution that works: waiting the 30-day period Microsoft enforces.

Interestingly, even though my phone number doesn’t work for receiving verification codes, I did receive an SMS notifying me about the recovery process, along with an email to my recovery address. So the number doesn’t work for verification, but it does work for notifications.

Forget about the account recovery form — it’s useless in these cases. The only way to regain access is to wait out the 30 days, with no guarantee of success. I’ll report back if it actually works.
 

My Computer

System One

  • OS
    windows 11 24H2
    Computer type
    Laptop
    Manufacturer/Model
    HP 250 G8
I’ve documented the entire process of recovering access to Microsoft accounts after losing access to the Authenticator and facing issues with SMS verification. In about 30 days, I’ll publish a comparison based on my personal experience with the account recovery systems of Microsoft, Google, and Apple.

This write-up will be aimed especially at those who are not engineers or system administrators, so they can clearly understand what to expect, what works, and what doesn’t when access to an account is lost.
 

> This write-up will be aimed especially at those who are not engineers or system administrators, so they can clearly understand what to expect, what works, and what doesn’t when access to an account is lost.

Looking forward to seeing it!
 

I’m sharing this because I believe the community should be aware.

Microsoft suspended my account on the Microsoft Answers forum after I posted a technical critique of their SMS-based two-factor authentication system. I simply explained how, when SMS messages fail to arrive, users are locked out with no alternative way to regain access. No offensive language, just a real experience that highlights serious issues with security and usability.

Here’s the original post that triggered the suspension: The Broken Promise of SMS-Based Two-Factor Authentication on Microsoft Accounts - Microsoft Q&A

I’m attaching a screenshot of the suspension banner for transparency.

It’s concerning to see legitimate criticism being silenced—especially when it involves something as fundamental as account access. If anyone else has experienced something similar, I’d love to hear your story.
 

> It’s concerning to see legitimate criticism being silenced—especially when it involves something as fundamental as account access. If anyone else has experienced something similar, I’d love to hear your story.

You are not being silenced, your post is still present for everybody to read.

It is still present on this site as well.

As far as issues such as yours, I am sure that among the billions of Windows users across the world, a good dozen of them might have had the same issue. We will eagerly wait for them to manifest themselves.
 

Thank you for your comment, OAT.

I fully agree that using Microsoft Authenticator is a good security practice, and I do recommend it whenever possible. However, in this particular case, I'm dealing with a personal Microsoft account used on a work PC, specifically to configure and validate Microsoft services in Windows 11—as the system itself requires. It's not a corporate or managed account, so I don’t have access to advanced recovery tools or administrative support.

Regarding the suspension of my Microsoft Answers account: while my post may still be visible, I’m unable to respond, clarify, or contribute further to the discussion. That effectively limits my voice in that space. So yes, technically I haven’t been “silenced,” but in practice, I’ve been excluded from participating.

That’s why I chose to document my experience here—so that others who might face a similar situation can understand what to expect and how to navigate it. I appreciate the open dialogue and welcome any insights that help improve how these cases are handled.
 

I’ve never had an issue with 2FA at Microsoft. I use MS Authenticator for Microsoft accounts only, never fails, in fact I think it’s quite brilliant, especially when all you have to do is verify a number by clicking on the corresponding number on your phone.

So is there a question in there or have you just come to vent?
Totally agree - I use MS Authenticator a lot - works every time. I also use it for Amazon especially.

I also put it on an older (pretty much redundant) Android phone with no SIM card as sometimes it can be a bit cumbersome trying to use Authenticator on same device asking for authentication.
 

Sometimes, I feign ignorance, but this time, I'm not. I'm not really seeing the issue here. The assertion is that if you can't use SMS, there is "No backup options. No workaround. Just a dead end." Every MFA system I've ever dealt with, including Microsoft's, offers multiple methods to identify yourself when the time comes. If one chooses to set up only one method, and not download backup codes at least, whose fault is that, really? I'm sympathetic to someone losing access to an account, but just as it is with data, the time to have a backup is before you need it. Otherwise, it rather does not work.

If your email, cloud services, and operating system login are that important to you (and they should be), then treat them with the importance they deserve.
 

Exactly.

You can activate as many authentications as you like. So there’s always an option.
Which (in my opinion) is the client’s fault for not enabling satisfactory authentication, not Microsoft’s, as they have presented multiple authentication options.

Obviously in this screen I just took of my phone and MS Authenticator app, SMS currently has a problem. But I have how many other options to sign in? The answer is five.


IMG_3738.webp
 

Microsoft has experienced several recent failures related to its multifactor authentication system, particularly when SMS is used as the second factor. In January 2025, a global outage affected users who were unable to access services like Outlook, Word, and Excel due to issues in the authentication infrastructure. In December 2024, unexpected deactivations of Office licenses were reported, caused by errors in validating the status of accounts protected by MFA. In November of that same year, services such as Teams, Exchange Online, and OneDrive suffered outages linked to authentication failures, even when credentials were correct.

Regarding the comment about user responsibility in setting up backup methods, I fully agree that anticipating and protecting access to critical services is essential. However, the issue being raised here isn’t just about individual oversight. In many documented cases, users did have alternative methods configured, such as recovery emails or the Authenticator app, yet still encountered blocks or errors that prevented identity verification.

Of course, having backups is vital—but so is the system’s ability to recognize and properly validate those backups when needed. The reliability of a security infrastructure isn’t measured only by offering options, but by ensuring those options are accessible and effective in critical situations.

This exchange of experiences isn’t meant to contradict those who’ve never had issues, but to provide context around real cases that can help improve the system for everyone.
 
