SoylentNews is people
SoylentNews
I always find the various authentication experiences to be more annoying than reassuring, but until now I've always managed to defeat whatever bizarre scheme a web site has created.
Yes, I'm fan of "Reset Password."
Microsoft though has stopped me dead by refusing me access to an outlook.com [account] even though I have the email address and password.
About three years ago someone established an outlook.com email for an organization. They passed the login info on to me. I subsequently just accessed it via Gmail for the next two years.
Today I tried to log in to outlook.com make some changes. They apparently feel that I am not who I say I am and demand some kind of "authentication."
After a half an hour of repeatedly submitting "Verification Forms" (Names, Birthdate, City, Postal Code, Captchas, Previous passwords....," entering numerous PINs, and generally jumping through hoops, I have concluded that I will never ever access this account again.
Best of all the email quoted below offers no way that I can appeal this to some kind of living being.
Is this the worst authentication disaster ever? Is there any logical reason why you would make it impossible for your customers to ever recover an account?
[Continues...]
We recently received a request to recover your Microsoft account *****@outlook.com. Unfortunately, our automated system has determined that the information you provided was not sufficient for us to validate your account ownership. Microsoft takes the security and privacy of our customers very seriously, and our commitment to protecting your personal information requires that we take the utmost care in ensuring that you are the account owner.
Please submit a new account verification form
At this point, your best option is to submit a new form with as much accurate information as you can gather. The more information you can include in the form, the better the chance you'll have of regaining access to your account. We've included a few tips below to help you fill out the form as completely and accurately as possible.
> Submit a new form
Helpful tips for filling out another form:
Answer as many questions as you can.
Use the information you provided when you created the account, or last updated it.
Submit the form from a computer you frequently use.
You will be asked to list recently used email addresses and the subject lines from recent emails. Ask for help from family members, friends, or business contacts to confirm their email addresses and tell you the subject lines of the last three emails they sent you.
Make sure to use the correct domain for your account, such as hotmail.com, live.com, or outlook.com. Keep in mind that your email address may be country specific. For example, if you created your account in Sweden, your domain would be "hotmail.co.se" rather than "hotmail.com".Ready?
> Submit a new form
Thank you,
Microsoft Support TeamMicrosoft Corporation
One Microsoft Way
Redmond, WA 98052
USA
(Score: 3, Interesting) by Chromium_One on Sunday September 25 2016, @02:02PM
Yeah, no.
the address+foo@ is a nice idea, but I don't see the point. Bad actors who resell email addresses can very easily strip the +foo or any periods from the username filed of your address. Personally I'd rather just generate a new address that directly identifies the org that's getting it. Variants on "companynamebilling@mydomain" is good enough for about everything.
When you live in a sick society, everything you do is wrong.
(Score: 2) by Marand on Sunday September 25 2016, @02:46PM
Who says they're mutually exclusive? Making a separate account for every sign-up ever is unnecessary overkill, so I mix the two ideas.
I have multiple accounts I use, but I also use the +foo thing along with it so that I don't have to check (and manage) dozens of separate accounts. I can have, say, one email for forum type junk and add +sitename to further separate and identify, then do the same thing for a different account dedicated to communication stuff (IM accounts, stuff like that), and so on.
You're right that people can strip the +foo but few (if any) actually do, so it provides easy sorting because I can filter on the incoming address instead of the sender address (which I've noticed sometimes changes as the sender changes their infrastructure, or outsources mailing list duty to another company, etc.)
(Score: 0) by Anonymous Coward on Sunday September 25 2016, @03:49PM
Use something like foo99bar@example.com.
There's lots of software that filters for proper email addresses, and many of them work slightly differently. So if you push the envelope you're asking for trouble.
(Score: 2) by Chromium_One on Sunday September 25 2016, @04:52PM
Why not a new address per account? It's a bit more record keeping for new signups, but not much once you've got a system set up. Any new address is forwarded to (or mail alias is created for) your main address, one filter rule per address to sort to an appropriate folder, done.
When you live in a sick society, everything you do is wrong.
(Score: 2) by Marand on Monday September 26 2016, @04:18AM
Mostly just convenience. If I decide I want to sign up for something I don't have to stop and go set up a mail alias in the middle of it, I just stick a +string on there during sign-up and I'm done. I could get similar behaviour making an address act as a catch-all so that mail to any un-created addresses goes to that one, but I've never liked doing that.
So, I do +foo most of the time because it's fast/easy, then switch to separate addresses if it fails for some reason.
(Score: 2) by Whoever on Sunday September 25 2016, @05:00PM
While this is true, it assumes a level of competence that is not typical among spammers. I run my own domain/MTA and, having registered foo+bar@mydomain style addresses with websites, my MTA gets attempts to send emails to bar@mydomain. Somewhere along the line a script has tripped up on the "+" character.
I have also seen the problem that I can register the foo+bar@address, but not log in with it. In the most recent case, this login problem only applied to the Android app: I was able to log into the website with the foo+bar@ address.
(Score: 1) by ewk on Monday September 26 2016, @10:31AM
"...my MTA gets attempts to send emails to bar@mydomain. Somewhere along the line a script has tripped up on the "+" character."
And if it trips on the part before the '+', email is sent to 'foo' :-)
So that attempt never even reaches your MTA anyhow :-D
I don't always react, but when I do, I do it on SoylentNews
(Score: 2) by NotSanguine on Sunday September 25 2016, @05:56PM
Variants on "companynamebilling@mydomain" is good enough for about everything.
That's exactly what I do. And as soon I don't like the emails I'm getting to a particular address, BZZT! I disable it. No muss, no fuss.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Monday September 26 2016, @08:06AM
If you always use a suffix stripping it off would give them the address for the spam folder. The idea is that the suffixes you actually want email from are whitelisted, and once you start receiving spam on that address, you simply remove it from the whitelist.
That's a different way of doing the exact same thing, except that your method requires your own doman, while the + thing is a gmail.com feature.
(Score: 2) by Chromium_One on Monday September 26 2016, @04:44PM
That's one way to go about it, however ...
No, it's not the exact same thing. The user+foo bit can be fucked with by the sender. A completely different address can't. Also, it does not require your own domain, though that is much, much more convenient. You know there's no real limit on, for example, gmail addresses forwarded to one box right?
No, the user+foo addressing is not a gmail feature, it's standard in how email is supposed to work, mentioned in RFC 5233 and possibly others. Not that people pay much attention to standards.
When you live in a sick society, everything you do is wrong.