MultiMC / Launcher

A custom launcher for Minecraft that allows you to easily manage multiple installations of Minecraft at once
https://multimc.org/

Microsoft accounts with no phone number are being locked #4093

Closed DebianProgrammer closed 2 years ago

DebianProgrammer commented 2 years ago

OS

Windows 10 Home x64

MultiMC Version

0.6.13-2517

Description of bug

On 9/5/2021, I migrated my Mojang account into a Microsoft one. Then yesterday, I opened MultiMC and added my Microsoft account and everything worked. Now today, I opened MultiMC and for some reason I needed to log in again. When I did, it gave me an error saying my account was locked (the error is the picture below). I went to the MultiMC Discord and other people were also having the issue. Is it possible that MultiMC could be causing this? I have checked my recent activity in my Microsoft account and everything in there is what I just said.

This issue is unique

phit commented 2 years ago

My guess is this is related to being a new Microsoft account and unrelated to MultiMC; Facebook and Google are known for similar heuristics with new accounts.

DebianProgrammer commented 2 years ago

I knew it had something to do with heuristics, but I wanted to make you guys aware and any other people that may be having the issue. I just don't want to get locked again and not be able to get back in because my Minecraft account is in that Microsoft account.

Forkk commented 2 years ago

I'd appreciate if anyone else who runs into this issue would leave a comment here. It would be useful to know if this is only happening to people who have just created a new Microsoft account, or if there is something else going on here. From what I can tell, so far the few accounts that have been locked were newly created accounts.

Either way, this is pretty concerning. Hopefully it doesn't become a recurring issue.

kthchew commented 2 years ago

As far as I'm aware, this is happening to many (all?) new accounts that are created without a phone number. Old accounts without a number seem to work fine (for now).

I tried creating a Microsoft account in preparation for the migration a few months ago (not used for anything), and it was locked. For another new account, I tried adding 2FA with TOTP immediately after account creation, and the account was also locked within a few days.

I did not use a VPN/similar to create the accounts. (I did use Firefox on macOS with privacy.resistFingerprinting on and third-party cookies blocked, however, when creating both accounts - I wonder if a more typical browser configuration or if creating the account as a Windows 10 user account would be less likely to set off the lock.)

MultiMC did not touch either of these accounts at all, so this doesn't seem like it's related to MultiMC, but rather just Microsoft requiring phone numbers to be associated with some/most/all new accounts in a roundabout way (which isn't very fun...).

E: Also, someone on r/minecraft claimed that Microsoft support told them that all new accounts require a phone number (https://old.reddit.com/r/Minecraft/comments/nvjcit/possible_big_change_coming_with_account_migration/). I'm not sure whether this is true, but I wouldn't be surprised.

triphora commented 2 years ago

I'd appreciate if anyone else who runs into this issue would leave a comment here.

Yeah. I created two MSA accounts for two of my accounts on the fifth and migrated immediately after, and added TOTP to it but no phone number. It's now required me to put in a phone number to both to unlock them. I seem to be unable to use the same phone number for multiple accounts (I only have one phone number but multiple MC and MSA accounts), meaning that my other MSA account is locked for good now.

edit: I have the same browser config as the person above and the person below me.

DebianProgrammer commented 2 years ago

(I did use Firefox on macOS with privacy.resistFingerprinting on and third-party cookies blocked, however, when creating both accounts - I wonder if a more typical browser configuration or if creating the account as a Windows 10 user account would be less likely to set off the lock.)

I also have the same browser config.

Forkk commented 2 years ago

As far as I'm aware, this is happening to many (all?) new accounts that are created without a phone number. Old accounts without a number seem to work fine (for now).

I tried creating a Microsoft account in preparation for the migration a few months ago (not used for anything), and it was locked. For another new account, I tried adding 2FA with TOTP immediately after account creation, and the account was also locked within a few days. ... E: Also, someone on r/minecraft claimed that Microsoft support told them that all new accounts require a phone number (https://old.reddit.com/r/Minecraft/comments/nvjcit/possible_big_change_coming_with_account_migration/). I'm not sure whether this is true, but I wouldn't be surprised.

Alright, so the lack of a phone number seems to be the common factor here instead of just the age. I wish we had more to go on than what some guy said support told him, but such is life.

Not sure what we can even do about this aside from telling people to add a phone number to their accounts and begging Microsoft to stop this nonsense. Even worse, if you have no phone, I guess you're just SOL.

Anyway, now I'd be interested to hear from anyone whose account has been locked even with a phone number on it, since that would suggest something else going on either instead or in addition to the phone number issue.

Radagast commented 2 years ago

For what it's worth, here's my experience.

I'm on Linux and I've had the Microsoft account I use for Minecraft for years. It doesn't have a telephone number associated with the account, as that is used for another Microsoft account I have. However, it does have an email account from a different provider associated and is used for confirmation purposes.

I'd been using MultiMC Dev with the MS account, without issue, for a couple of weeks. Then, for some reason I had to log in to my MS account again. I believe that was just after MultiMC changed the way they handled the MS account integration. At that point I received the account locked message from the OP.

In my case, I just had to enter the secondary email account mentioned above and my account was unlocked. That was a week or so ago and it's been working fine since.

DebianProgrammer commented 2 years ago

I seem to be unable to use the same phone number for multiple accounts

Maybe you can use a service called TextNow to get a throwaway phone number (which has texting features) and unlock your account using it?

kthchew commented 2 years ago

Alright, so the lack of a phone number seems to be the common factor here instead of just the age.

I do want to clarify that the "few months ago" simply means that I created the account a few months ago and it was locked a few months ago - it didn't take a few months for it to lock, it took a few days. I said what I did about the old accounts because I realized afterwards that I had an old Microsoft account that I forgot about, and when I looked in its info, there was no phone number there. However, it's unlocked and working (for now).

A summary about my old, working account:

All of this to say, I have no idea what (didn't) trigger a lock.

LambdAurora commented 2 years ago

As far as I'm aware, this is happening to many (all?) new accounts that are created without a phone number. Old accounts without a number seem to work fine (for now). I tried creating a Microsoft account in preparation for the migration a few months ago (not used for anything), and it was locked. For another new account, I tried adding 2FA with TOTP immediately after account creation, and the account was also locked within a few days. ... E: Also, someone on r/minecraft claimed that Microsoft support told them that all new accounts require a phone number (https://old.reddit.com/r/Minecraft/comments/nvjcit/possible_big_change_coming_with_account_migration/). I'm not sure whether this is true, but I wouldn't be surprised.

Alright, so the lack of a phone number seems to be the common factor here instead of just the age. I wish we had more to go on than what some guy said support told him, but such is life.

Not sure what we can even do about this aside from telling people to add a phone number to their accounts and begging Microsoft to stop this nonsense. Even worse, if you have no phone, I guess you're just SOL.

from @wafflecoffee:

I seem to be unable to use the same phone number for multiple accounts (I only have one phone number but multiple MC and MSA accounts), meaning that my other MSA account is locked for good now.

@Forkk all of this phone number nonsense is actually worse, especially the part where a phone number is considered unique and cannot be re-used for other accounts. Someone I know got locked out of her MS account, which was newly created for Minecraft, but the thing is, she had another MS account long ago that got deleted, and it had the phone number associated to it, and now she can't link the phone number to her current new account.

Forkk commented 2 years ago

Well, this is pretty disappointing. I'm hoping Microsoft will rethink this policy, but there isn't really much we can do about it from our end.

I'm going to close this now, as it's pretty clear that MultiMC is not causing this issue.

If I learn anything new about this situation, I'll post an update here.

TheMCNerd2017 commented 2 years ago

I just came across this issue on here as well as saw that the reddit thread I commented on got linked here, so I figured I'd chime in here about this issue.

Microsoft accounts without phone numbers being locked has been happening for a few years now, and the age of the account does not matter (currently you're more likely to encounter the phone number prompt during the initial account creation). Even worse is that it happens after a random amount of time too and can happen when doing anything with the account (I had an old MS account my sister wanted to use to play Minecraft Bedrock and the account got locked and demanded a phone number the moment she signed in to the game with it; before that it would work fine without a phone number). Since this is something Microsoft intentionally implemented on their account system, you may also encounter this issue in the official Minecraft launcher as well.

Unfortunately the only solution is to provide an SMS-capable phone number when prompted to do so. This also means that it will soon be almost impossible to legitimately play Minecraft Java Edition without providing an SMS-capable phone number.

Why is Microsoft doing this? It's the same reason most other large services (Facebook, Twitter, Google, Discord, etc.) now require you provide a phone number to create an account: they want to tie the account to a real-life identity, most likely for data collection purposes, government laws and regulations, or something more nefarious we don't know about. They could also be planning to enforce more strict guidelines like on the Bedrock Edition, and making alternate accounts far more difficult (and expensive) to create and maintain is the perfect first step in doing so.

Why have they not bothered to mention in the official migration FAQs and content that you basically need a phone number (several if you have alternate accounts) to continue playing the Java Edition? It's simple: the vast majority of people out there (including people that play Minecraft) simply do not care about privacy or security and are used (and conditioned) to giving away their personal phone number to various companies without questions or concerns. Said people also rarely or never use alternate accounts.

Whether or not Microsoft or Mojang will actually change anything or clarify anything in the future is unknown. The only way Microsoft or Mojang would change anything quickly is if there were to be massive backlash from the community about the phone number requirement, which may never happen.

peterix commented 2 years ago

This requirement must be removed for Minecraft, imo. Even the devs have multiple accounts and needing multiple unique phone numbers is not reasonable.

peterix commented 2 years ago

It's that, or finally doing multiple profiles per account.

TheMCNerd2017 commented 2 years ago

I completely agree that Minecraft should be exempt from the SMS-capable phone number requirement. But sadly Mojang/Microsoft will never do it since the vast majority of the community does not care about giving away their phone number and other personal information. Also they will never allow you to have multiple Minecraft profiles per Microsoft Account as it would make it easy and cheap to bypass bans from servers. It would also be bad anyways since it means an attacker gets access to all your Minecraft profiles if your MS account gets compromised in any way (through SIM-swap attack, social engineering, phishing, etcetera).

Unfortunately there is basically no way we can change anything now (like getting the SMS-capable phone number requirement removed). Posting about this on the Minecraft subreddit won't work since the post will just get buried and downvoted by the people that don't see any issues with Microsoft's practices. Other subreddits like r/privacy will probably remove it under the "already covered" rule and because Minecraft technically falls under e-sports. None of the big Minecraft YouTubers are probably interested in even covering this issue since it probably doesn't affect them (they have the money to maintain alternate accounts under the new system). Tweeting or contacting the Minecraft developers won't get anywhere since they probably don't have any control over the account migration and its requirements.

The only thing we can really do now is notify other people about what Microsoft is doing.

DangerMage commented 2 years ago

My account had the same problem, it was new and had a fresh migration. (sorry for the late comment forkk)

TNTUP commented 2 years ago

You might remember me (as Raddah18 on Discord) that I had to create a lot of MSA accounts and I followed their docs (3 per day) and they got locked anyway. Still need to unlock 28 more, all of my other alts have been migrated successfully! Good luck everyone!

NemoCZmoravia commented 2 years ago

This is mental. Can't we just sue them or something? I already paid for my 2 accounts and now they want more from me. A phone number is valuable personal information...

spannerman79 commented 2 years ago

@Forkk, in reply to your comment;

My MS account is approx 5 - 7 years old. My Mojang account is fairly old too (beta or even alpha can't remember) and yet even I got hit with a locked account/phone number verification requirement.

This is not just for new accounts, either MS or Mojang.

Edit: The only thing that I can think of that might have triggered this is that MultiMC is unverified (see attached) MS-MultiMC_Perms

The only other service that has access is Samsung (MyFiles) and that isn't unverified so 🤷

JacksonChen666 commented 2 years ago

I think I deeply regret my migration now 'cause now my alt account is locked by Microsoft, and can only be given back access if I provide my phone number.

Edit: I've decided to disassociate my phone number with a Microsoft account that I don't even use for Minecraft, and gave the phone number to Microsoft. I then went into the settings to find my phone number nowhere to be found. Suspicious.

spannerman79 commented 2 years ago

Edit: I've decided to disassociate my phone number with a Microsoft account that I don't even use for Minecraft, and gave the phone number to Microsoft. I then went into the settings to find my phone number nowhere to be found. Suspicious.

Look under https://account.microsoft.com/profile when signed in with that account and you will see it there.

zaphod77 commented 2 years ago

I'm reasonably sure it's the unverified status of MultiMC that's triggering this.

Furthermore, it's not a phone number requirement, but an unlock requirement. If your account has a secondary email, it will use that instead of a phone number.

I think it's this.

https://docs.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified

Yes, this means you have to publish MultiMC5 on the MS store to make a version that works properly with MS Auth.

That's their real objective here.

spiegelmaske commented 2 years ago

As requested by a previous respondent to the OP I am also having this issue. For the last four or five days I've been randomly kicked off the MC server (privately owned, not realms) and told that the MS account was logged out and I would have to manually log in again. I haven't had anything asking me for a phone number yet... But it is getting kinda shitty.

dogtopus commented 2 years ago

I'm reasonably sure it's the unverified status of MultiMC that's triggering this.

Furthermore, it's not a phone number requirement, but an unlock requirement. If your account has a secondary email, it will use that instead of a phone number.

I think it's this.

https://docs.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified

Yes, this means you have to publish MultiMC5 on the MS store to make a version that works properly with MS Auth.

That's their real objective here.

What if it's both? Like something is wrong with the MultiMC API key (which is backed by the "ToS violation" message and maybe the unverified status of the app) AND M$ being aggressive on locking out phone-number-free accounts that are newly registered or with sudden service change (which sounds very M$).

Either way it's Extinguish$oft at its finest again 🤮

roastchicken commented 2 years ago

I've been watching this thread with building dread for migrating my Mojang account. I have a relatively old Microsoft account that was most likely made on an Xbox 360. Logging into my Microsoft account today (using Edge, by clicking on the "Manage my Microsoft account" from W10 Settings) I confirmed that I do not have a phone number registered on my account. I don't believe that I have ever registered a phone number, but I cannot be certain of this. If I did, I removed it because I changed my phone number.

A summary of my account information:

As far as I can tell, this puts my account in a very good position to not become locked and thus require me to add a phone number. However, I'm inclined to wait as long as possible to avoid giving Microsoft my phone number. As most everyone else here, I think it's an awful practice. Unfortunately I also agree that it's unlikely they'll stop; we are the vocal minority.

It seems like we need a control here; someone who migrates their Minecraft account and never attempts to use it with MultiMC. If that account doesn't get locked for a decent period of time, it's likely that @zaphod77 is correct that the unverified status of MultiMC is triggering this. Ultimately, I'm willing to be a guinea pig if verification is on the table. I have no idea what that entails: it might be too expensive, time-consuming, or otherwise not feasible for MultiMC's maintainers.

I would migrate my account right now, except I want to continue using MultiMC 😅 and I have no alt accounts. So, if verification is a possibility: please mention me here and I will (eventually) migrate my account and abstain from MultiMC for the foreseeable future.

dogtopus commented 2 years ago

It seems like we need a control here; someone who migrates their Minecraft account and never attempts to use it with MultiMC.

Actually it's better if we have more data other than 1 since the ban might work on heuristics and is not always 100% guaranteed. In any case, we do need more data. Maybe also monitor the forums/reddit/etc. for any bans that occurred on official clients?

TNTUP commented 2 years ago

What I can say about my findings: newly created accounts get locked after a week, I confirmed it with my friend's alts. Same thing with my alts as well, it's not due to the @domain.tld email, one of my @gmail got locked as well. Since the last 2 months all my alts are unlocked so I'm pretty happy now, but for the others rip if they cannot migrate or cannot unlock ><

zaphod77 commented 2 years ago

So these new accounts are getting locked after a week with the ToS violation message when not using MultiMC5 or any other unverified app that has the same permissions?

roastchicken commented 2 years ago

What I can say about my findings: newly created accounts get locked after a week, I confirmed it with my friend's alts. Same thing with my alts as well, it's not due to the @domain.tld email, one of my @gmail got locked as well.

Did you use any/some/all of these accounts with MultiMC?

TNTUP commented 2 years ago

What I can say about my findings: newly created accounts get locked after a week, I confirmed it with my friend's alts. Same thing with my alts as well, it's not due to the @domain.tld email, one of my @gmail got locked as well.

Did you use any/some/all of these accounts with MultiMC?

No. I created those emails before starting the migration process and they got locked after a week, despite following their terms (about rate limiting on how many accs I could create).

RusskiyChel commented 2 years ago

2 days ago I migrated my Minecraft account (that I bought 4 years ago) to Microsoft. Today I got banned for no reason and I had to give my phone to unban myself. Btw I have the original Minecraft launcher.

dogtopus commented 2 years ago

2 days ago I migrated my Minecraft account (that I bought 4 years ago) to Microsoft. Today I got banned for no reason and I had to give my phone to unban myself. Btw I have the original Minecraft launcher.

Just curious: How old is your Microsoft account?

zaphod77 commented 2 years ago

Apparently playing Minecraft without a phone number counts as unusual activity.

People are being told to borrow their friend's cellphone to do the unlock!

It seems this really is MS trying to leverage Minecraft popularity to get phone numbers. :(

roastchicken commented 2 years ago

Thank you for sharing @RusskiyChel!

Maybe also monitor the forums/reddit/etc. for any bans that occurred on official clients?

@dogtopus this has never been a solely MultiMC problem; see this reddit thread from June 2021 for example. Although it's possible that Microsoft has a heuristic that results in (whether accidental or intentional) MultiMC accounts being locked more often, this is without a doubt happening across the board. So there's nothing MultiMC can do unilaterally to fix this, although if MultiMC being unverified does have an effect then getting verified would probably improve the situation.

Just Microsoft being Microsoft. The whole "Microsoft Services Agreement" violation is probably BS if people using the official launcher get the same lock message. Why would their own launcher violate their terms?

zaphod77 commented 2 years ago

MS really needs to fix this, since pretty sure demanding a phone number on a Microsoft account created for Minecraft by a 10 year old (E10+ game rating) probably violates COPPA.

CasperOng commented 2 years ago

@zaphod77 agree

dogtopus commented 2 years ago

So there's nothing MultiMC can do unilaterally to fix this, although if MultiMC being unverified does have an effect then getting verified would probably improve the situation.

Yes. That's what I mean by both since M$ is pretty well known for its anti-fraud system to get triggered on nothing. However if MultiMC being unverified somewhat made things worse, that's probably something that MultiMC can fix.

dogtopus commented 2 years ago

MS really needs to fix this, since pretty sure demanding a phone number on a Microsoft account created for Minecraft by a 10 year old (E10+ game rating) probably violates COPPA.

Pretty sure they will ask for parents' phone to be compliant with COPPA.

zaphod77 commented 2 years ago

Just seems silly a game rated E can't be played anymore without a phone number on PC. It's quite messed up.

zaphod77 commented 2 years ago

also i think it's rather unlikely this app even could get verified, and ms is unlikely to ask if it will help.

Oh and to get an actual "kids account" that will work and not get locked, it seems you need your parent to do credit card AVS to consent for its creation for 50 cents (not kidding). And yes, this is their COPPA compliance which lets kids play video games.

roastchicken commented 2 years ago

(emphasis mine)

also i think it's rather unlikely this app even could get verified, and ms is unlikely to ask if it will help.

What do you mean by this (the bolded portion)?

Oh and to get an actual "kids account" that will work and not get locked, it seems you need your parent to do credit card AVS to consent for its creation for 50 cents (not kidding). And yes, this is their COPPA compliance which lets kids play video games.

I believe that most everyone here agrees with you that Microsoft should change their policy. You're preaching to the choir 🥲

RusskiyChel commented 2 years ago

How old is your Microsoft account?

I created it at the time of migration.

zaphod77 commented 2 years ago

(emphasis mine)

also i think it's rather unlikely this app even could get verified, and ms is unlikely to ask if it will help.

What do you mean by this (the bolded portion)?

I meant that MS is unlikely to help out there if asked. Just really bad typing.

Verify third party launcher for Minecraft? Yeah, no...

dogtopus commented 2 years ago

Adding my own anecdote here: I migrated to M$ account a few days ago and so far no ban yet. The account I use is old enough to the point that I forgot how old it is and presumably without a phone officially linked to it. Although M$ should already know my phone # by spying on my years' worth of emails so I won't really feel more uncomfortable linking it officially in case of a ban. I use both MultiMC and one of my custom "Launcher" builds with an API key generated from the same account. I never used the vanilla launcher after the 1.9 update IIRC.

From the previous ban record, I think I should be in the safe zone (not new Mojang+M$ account with a ton of real activities, with proper account security enabled, etc.) if MultiMC does not really contribute significantly to the ban.

I'll keep tracking it and update if there's a ban in the future.

kthchew commented 2 years ago

A little more than a week ago, I tried making a new Microsoft account, added a recovery email to it, turned on 2FA with TOTP, and didn't do anything else with the account (though I did login every few days to see if it locked). It still isn't locked, though the other accounts I made and mentioned in an earlier comment were all locked within about a week. (I guess it's possible that I just haven't waited long enough and my account will lock any day now, rendering the rest of this comment moot, but I digress)

The difference with this account was that I used a new Firefox profile which did not have privacy.resistFingerprinting enabled to create the account.

I think this configuration option has something to do with it, considering that 3 of the first few comments in a row (including mine) mentioned that they used it, yet the percent of people who use Firefox is quite small (~8% for desktop browsers according to StatCounter), and the percent who use privacy.resistFingerprinting, a hidden config option, is way, way tinier. If this indiscriminately affects all MS accounts, then you'd assume most of the people who have this issue would use Chrome, since most people in general use Chrome as their browser. I assume there's some sort of threshold for whether an account should be locked, and using privacy.resistFingerprinting alone will reach that threshold. (The lock happens after a few days, likely to make it harder to tell why it was locked.)

I'm curious if anyone can confirm that their account has been locked and is asking for a phone number who does NOT use either privacy.resistFingerprinting on Firefox, nor a VPN/similar? If your account has been locked and you do not use either of these, then:

Also, could anyone who's facing this issue and uses either privacy.resistFingerprinting and/or a VPN react to this comment with a 👍🏼 to count those too? Anyone who doesn't use either of those can leave a 👎🏼


tl;dr: No guarantees, but if you want to lower the risk of your account getting locked and asking for a phone #, my hypothesis is that you shouldn't use anything like a VPN or privacy.resistFingerprinting to create or login(?) to the MS account.

dogtopus commented 2 years ago

I think you might have just gotten lucky since M$ new account ban should not be 100% guaranteed or more people will start complaining (probably). It might contribute to the ban though (along with tracking protection, adblocker, etc.) and it's pretty hard to tell unless we get a lot more data.

Anyway for me I did use Firefox and I just confirmed that privacy.resistFingerprinting is off. Although I do have tracking protection enabled and I do all non-constant logins in private windows (including Minecraft and M$ account).

mylesbartlett72 commented 2 years ago

MS really needs to fix this, since pretty sure demanding a phone number on a Microsoft account created for Minecraft by a 10 year old (E10+ game rating) probably violates COPPA.

And in the EU it probably violates the GDPR, also it is rated PEGI 7. EDIT: Whoops, pressed enter early. The GDPR is also still in force in the UK as far as I know. Also, I haven't had a ban, (I have a second email registered on my Micro$h*t account) on my migrated account (yet).

autumn-birds commented 2 years ago

Has this somehow stopped being a concern since the last comment...?

mylesbartlett72 commented 2 years ago

Yeah, can somebody please give evidence as to how this is no longer considered a concern?