Microsoft-Rewards-Bot/docs/accounts.md

👤 Accounts & 2FA Setup

Add your Microsoft accounts with secure TOTP authentication

---

📍 Quick Start

Basic Setup (No 2FA)

Edit src/accounts.json:

{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "your_password",
      "recoveryEmail": "backup@email.com"
    }
  ]
}

ℹ️ recoveryEmail is mandatory. It lets the bot verify Microsoft’s masked hint during login and alert you if the recovery address ever changes.

That's it! Run npm start to test.

---

🔐 Add 2FA/TOTP (Recommended)

Why Use TOTP?

• ✅ Automated login — No manual code entry
• ✅ More secure — Better than SMS
• ✅ Works 24/7 — Scheduler-friendly

How to Get Your TOTP Secret

1. Open https://account.live.com/proofs/Manage/additional (Security → Advanced security options → Additional security).
2. Enable two-step verification and click Next until you see the setup wizard.
3. Click the blue link "Set up a different authenticator app".
4. On the next screen click "I can't scan the bar code" to reveal the Base32 secret.
5. Scan the QR with your preferred authenticator (Google Authenticator recommended to keep data separate from Microsoft) and copy the secret:

• The same secret can stay in your app and be saved in this file (multiple authenticators can share it).

6. Enter the 6-digit code in Microsoft’s wizard to finish pairing.
7. Add the secret to accounts.json:

{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "your_password",
      "recoveryEmail": "backup@email.com",
      "totp": "JBSWY3DPEHPK3PXP"
    }
  ]
}

---

🎯 Multiple Accounts

{
  "accounts": [
    {
      "email": "account1@email.com",
      "password": "password1",
      "recoveryEmail": "backup1@email.com",
      "totp": "SECRET1"
    },
    {
      "email": "account2@email.com",
      "password": "password2",
      "recoveryEmail": "backup2@email.com",
      "totp": "SECRET2"
    }
  ]
}

---

🌐 Per-Account Proxy (Optional)

{
  "accounts": [
    {
      "email": "your@email.com",
      "password": "password",
      "recoveryEmail": "backup@email.com",
      "totp": "",
      "proxy": {
        "proxyAxios": true,
        "url": "proxy.example.com",
        "port": 8080,
        "username": "proxyuser",
        "password": "proxypass"
      }
    }
  ]
}

→ Full Proxy Guide

---

🔒 Environment Variables (Docker/CI)

Option 1: File Path

export ACCOUNTS_FILE=/path/to/accounts.json

Option 2: Inline JSON

export ACCOUNTS_JSON='{"accounts":[{"email":"test@example.com","password":"pass"}]}'

---

🛠️ Troubleshooting

Problem	Solution
"accounts.json not found"	Create file or set ACCOUNTS_FILE env var
"2FA prompt not auto-filled"	Check TOTP secret is valid Base32
"Invalid TOTP"	Verify system time is correct
"Account locked"	Manually unlock in Microsoft Account
"Login timeout"	Check internet connection, try proxy

2FA Not Working?

1. Check secret format — Should be Base32 (only letters/numbers, no spaces)
2. Verify system time — Must be accurate (NTP sync)
3. Test manually — Use authenticator app to verify code works
4. Remove backup codes — Some security settings block TOTP

---

🔒 Security Tips

• 🔐 Use strong passwords — Unique for each account
• 🔑 Enable TOTP — More secure than SMS
• 📁 Restrict file permissions — chmod 600 accounts.json (Linux)
• 🔄 Rotate passwords — Change every 90 days
• 🚫 Never commit — Add accounts.json to .gitignore

---

📚 Next Steps

TOTP setup?
→ Security Guide for best practices

Ready for automation?
→ Scheduler Setup

Need proxies?
→ Proxy Guide

---

← Back to Hub | Getting Started