I mentioned the following the other day at EMD, but I thought I would mention it here, too.
Based on a blog post about Outlook's recent security updates, I decided to check my own Outlook account. I set up 2FA and have the option of receiving the code on my phone or at an alternate email address.
To test things, I went to a neighbor's house and tried to log in to my account on her computer, as a hacker might who had one factor (my password) but not the second. Well, on the code page I clicked on the drop-down arrow and selected the option that "I don't have access to the other items" (again, as a hacker might). Outlook asked for another alternate email -- I gave it my aunt's -- and promptly sent a code to that other address!!
If this is the way MS's 2FA is supposed to work, it's not quite the level of security of Gmail's version, is it? It's like handing accounts to hackers on a silver platter, since many who have enabled 2FA are going to trust that enough to reduce the quality of their own passwords (from, say, 16 characters to 6). And, if my experience is repeatable for others, a whole lot of Outlook accounts are more vulnerable than they were before.
Incidentally, as I recall, my own computer is also a 'trusted pc,' according to MS. My aunt's is not. In fact, she doesn't even have an MS account of any kind. But I still got into my "protected" Outlook account on her computer using nothing but the password!
Perhaps someone else could confirm this?