Microsoft is moving away from SMS-based authentication for personal accounts as part of its broader passwordless security strategy. The company plans to gradually phase out text-message verification codes used for sign-ins and account recovery across Microsoft services.
Microsoft says SMS authentication no longer provides strong enough protection against modern cyber threats. Instead, the company wants users to adopt passkeys, authenticator apps, and other phishing-resistant security methods.
Microsoft Plans to Phase Out SMS Verification Codes
Microsoft confirmed that it will begin removing SMS verification codes for personal Microsoft accounts. The changes affect authentication and recovery systems connected to services like Outlook, Windows, Xbox, and Microsoft 365.
According to Microsoft, SMS-based authentication has become a major source of fraud and account compromise. Attackers frequently target text-message verification systems through phishing campaigns, SIM-swapping attacks, and social engineering schemes.
The company now plans to shift users toward passkeys, verified email recovery systems, and authenticator applications instead of traditional SMS codes. Microsoft said the transition will happen gradually rather than through an immediate shutdown.
Microsoft Continues Expanding Passwordless Security
The company has spent several years expanding passwordless authentication across its ecosystem. Microsoft increasingly promotes passkeys as the preferred sign-in method because they provide stronger protection against phishing and credential theft.
Passkeys allow users to authenticate directly through trusted devices using biometrics, PIN verification, or hardware security systems. Unlike SMS codes, passkeys do not rely on mobile carrier networks that attackers may intercept or hijack.
Microsoft also claims passwordless authentication improves usability by removing the need to remember passwords or wait for text-message delivery. The broader strategy aligns with growing industry efforts to replace traditional passwords and weaker two-factor authentication systems.
Security Experts Have Warned About SMS Risks
Cybersecurity researchers have criticized SMS authentication for years because text messages remain vulnerable to interception and fraud. SIM-swapping attacks, malware infections, and telecom-based phishing operations continue targeting SMS verification systems across major online platforms.
Attackers often attempt to hijack phone numbers by convincing mobile carriers to transfer control of accounts to fraudulent SIM cards. Once attackers gain access to a victim’s phone number, they can intercept login codes and bypass account protections.
Security experts increasingly recommend phishing-resistant authentication methods like passkeys and hardware-based security keys instead of SMS-based systems.
Some Users May Face Transition Challenges
Despite the security benefits, the move away from Microsoft SMS codes may create usability concerns for some users. Passkeys and authenticator systems often depend on smartphones, biometric features, or newer devices that not all users regularly use or fully trust.
Some privacy advocates and enterprise administrators have also raised concerns about relying heavily on device-based authentication systems tied to major technology ecosystems.
Microsoft says multiple recovery and authentication methods will remain available during the transition period to help users adapt to the new security model.
Conclusion
Microsoft is phasing out SMS codes for personal account sign-ins and recovery as the company expands its passwordless authentication strategy. The company believes passkeys, authenticator apps, and verified recovery systems provide stronger protection against modern cyber threats.
The decision also reflects a broader industry shift away from SMS-based security methods that researchers increasingly view as outdated and vulnerable. As phishing-resistant authentication becomes more common, major technology companies continue moving users toward passwordless sign-in systems.
0 responses to “Microsoft SMS Codes Are Being Phased Out for Sign-Ins”