mirror of
https://github.com/LightZirconite/Microsoft-Rewards-Bot.git
synced 2026-01-09 17:06:15 +00:00
👤 Accounts & 2FA Setup
Add your Microsoft accounts with secure TOTP authentication
📍 Quick Start
Basic Setup (No 2FA)
Edit src/accounts.json:
{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "your_password",
      "recoveryEmail": "backup@email.com"
    }
  ]
}
ℹ️ recoveryEmail is optional but recommended. It lets the bot verify Microsoft's masked hint during login and alert you if the recovery address ever changes. Simply leave it empty ("") if not needed.
That's it! Run npm start to test.
🔐 Add 2FA/TOTP (Recommended)
Why Use TOTP?
- ✅ Automated login — No manual code entry
- ✅ More secure — Better than SMS
- ✅ Works 24/7 — Ready for external schedulers
How to Get Your TOTP Secret
- Open https://account.live.com/proofs/Manage/additional (Security → Advanced security options → Additional security).
- Enable two-step verification and click Next until you see the setup wizard.
- Click the blue link "Set up a different authenticator app".
- On the next screen click "I can't scan the bar code" to reveal the Base32 secret.
- Scan the QR with your preferred authenticator (Google Authenticator recommended to keep data separate from Microsoft) and copy the secret:
- The same secret can stay in your app and be saved in this file (multiple authenticators can share it).
- Enter the 6-digit code in Microsoft’s wizard to finish pairing.
- Add the secret to accounts.json:
{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "your_password",
      "recoveryEmail": "backup@email.com",
      "totp": "JBSWY3DPEHPK3PXP"
    }
  ]
}
🚫 Skip the Recovery Email (Advanced)
If an account genuinely has no recovery address or you prefer not to provide it, simply leave the recoveryEmail field empty:
{
  "accounts": [
    {
      "email": "example@outlook.com",
      "password": "strong_password",
      "recoveryEmail": ""
    }
  ]
}
ℹ️ The bot will automatically skip recovery validation when this field is empty. A warning will be logged during startup, but the bot will function normally.
🎯 Multiple Accounts
{
  "accounts": [
    {
      "email": "account1@email.com",
      "password": "password1",
      "recoveryEmail": "backup1@email.com",
      "totp": "SECRET1"
    },
    {
      "email": "account2@email.com",
      "password": "password2",
      "recoveryEmail": "backup2@email.com",
      "totp": "SECRET2"
    }
  ]
}
🌐 Per-Account Proxy (Optional)
{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "password",
      "recoveryEmail": "backup@email.com",
      "totp": "",
      "proxy": {
        "proxyAxios": true,
        "url": "proxy.example.com",
        "port": 8080,
        "username": "proxyuser",
        "password": "proxypass"
      }
    }
  ]
}
🔒 Environment Variables (Docker/CI)
Option 1: File Path
export ACCOUNTS_FILE=/path/to/accounts.json
Option 2: Inline JSON
export ACCOUNTS_JSON='{"accounts":[{"email":"test@example.com","password":"pass"}]}'
🛠️ Troubleshooting
| Problem | Solution |
|---|---|
| "accounts.json not found" | Create file or set ACCOUNTS_FILE env var |
| "2FA prompt not auto-filled" | Check TOTP secret is valid Base32 |
| "Invalid TOTP" | Verify system time is correct |
| "Account locked" | Manually unlock in Microsoft Account |
| "Login timeout" | Check internet connection, try proxy |
2FA Not Working?
- Check secret format — Should be Base32 (only letters/numbers, no spaces)
- Verify system time — Must be accurate (NTP sync)
- Test manually — Use authenticator app to verify code works
- Remove backup codes — Some security settings block TOTP
🔒 Security Tips
- 🔐 Use strong passwords — Unique for each account
- 🔑 Enable TOTP — More secure than SMS
- 📁 Restrict file permissions — chmod 600 accounts.json (Linux)
- 🔄 Rotate passwords — Change every 90 days
- 🚫 Never commit — Add accounts.json to .gitignore
📚 Next Steps
TOTP setup?
→ Security Guide for best practices
Ready for automation?
→ External Scheduling
Need proxies?
→ Proxy Guide