Microsoft Phasing Out SMS Authentication Codes for Personal Accounts in Favor of Passkeys

May 23, 2026 - 05:02

Microsoft has announced that it will discontinue SMS-based authentication and account recovery for personal Microsoft accounts. The company updated its support documentation to reflect this change, having previously hinted at the move earlier this year. Going forward, SMS codes will be replaced with passkeys, passwordless accounts, and verified secondary email addresses.

While Microsoft has not set a specific date for the transition, it is introducing a redesigned authentication process that encourages users to set up a passkey during sign-in.

Why Microsoft Is Phasing Out SMS Codes for Personal Accounts and What It Recommends Instead

Microsoft considers SMS-based authentication a security risk. The company points out that attackers can exploit plaintext mobile messages for fraud, phishing, and SIM swapping. Additionally, SMS authentication faces reliability issues, with codes sometimes not arriving or arriving late.

This change puts Microsoft in line with a broader industry trend away from SMS two-factor authentication, which security organizations like NIST have recommended deprecating for several years.

When users sign in to a Microsoft account, they will notice a new option called "sign in faster" that creates a passkey on the device. Passkeys are cryptographic credentials that authenticate the user without needing a password or SMS code. They are linked to a specific device and can be unlocked using biometrics or a device PIN.

Microsoft's guidance explains several ways to store passkeys. Users can save the passkey in a password manager, store it on a smartphone for cross-device authentication, or use Windows Hello biometric hardware for local access.

Account recovery is changing to rely on verified secondary email addresses. Microsoft states these are more resilient than SMS for users who change phone numbers or lose access to their original device.

Potential Friction for Existing Users and How to Set Up a Passkey

The phase-out could disrupt users who currently rely on SMS verification for their Microsoft accounts. Those without a passkey or verified secondary email will need to set one up before SMS support is fully discontinued. Users on older devices that don't support passkey storage may have to use a password manager that supports passkeys or switch to a verified email recovery method.

Microsoft has not set a deadline for when users must move away from SMS authentication, but the company has emphasized its goal of improving security standards through secure-by-default experiences.

To prepare for the eventual removal of SMS, users can set up a passkey for their Microsoft account by following Microsoft's official instructions. This process supports creating passkeys on Windows 11, Android, iOS, and macOS devices, with the passkey synchronized through the user's preferred storage method.

Additionally, verified secondary email addresses can be added via account security settings as a backup recovery option.

The post Microsoft Phasing Out SMS Authentication Codes for Personal Accounts in Favor of Passkeys appeared first on gHacks.
