Microsoft Begins Phasing Out SMS Authentication for Personal Accounts
Microsoft says SMS authentication is no longer secure
Microsoft is preparing to remove SMS-based verification codes for personal Microsoft accounts, according to a new report from Windows Latest. The company plans to stop using text messages for two-factor authentication and account recovery as it pushes users toward passwordless sign-in methods.
The move comes as Microsoft continues warning that SMS authentication is no longer secure enough for modern cyber threats. The company says text messages have become a major target for fraud and account takeover attacks.
Microsoft says SMS authentication is no longer safe
SMS verification has remained one of the most common forms of two-factor authentication for years. However, Microsoft says the technology was never designed to handle today’s security challenges.
Attackers can intercept text messages, steal one-time passcodes, or use SIM-swap attacks to hijack phone numbers. Once a number is compromised, hackers can often bypass account protections and gain access to sensitive services.
The issue gained more attention recently after threat actors reportedly abused Phone Link-related weaknesses to steal OTP verification codes from users.
Microsoft now considers SMS authentication one of the weaker security options available for personal accounts.
Passkeys and authenticator apps will replace text messages
Instead of SMS codes, Microsoft wants users to rely on passkeys, authenticator apps, and verified backup email addresses.
Passkeys allow users to sign in using Windows Hello, facial recognition, fingerprints, or a device PIN. Unlike passwords or SMS codes, passkeys use cryptographic keys that stay stored locally on a trusted device.
The private key never gets shared with websites or transmitted across networks, which makes phishing and interception attacks far more difficult.
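The challenge-response idea behind the passkey description above, as an added Node.js example that is not from Microsoft or the original article: the device signs the site's one-time challenge together with the origin it is on, so a response produced on a look-alike origin or replayed later fails verification. The class names, origins and the use of Ed25519 are assumptions for illustration; real passkeys use the WebAuthn protocol and its own message format.

```javascript
// Added illustration: simplified passkey-style login, not the real WebAuthn wire format.
const nodeCrypto = require("crypto");
// Device side: one key pair per site origin; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key is handed to the site
  }
  // Sign the server's challenge together with the origin the browser is actually on.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential registered for this origin
    return nodeCrypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Site side: stores only the public key and checks signatures against its own origin.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.add(challenge.toString("hex"));
    return challenge;
  }
  verify(challenge, signature) {
    // Challenges are single-use, so a captured response cannot be replayed.
    if (!signature || !this.pending.delete(challenge.toString("hex"))) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return nodeCrypto.verify(null, signed, this.publicKey, signature);
  }
}

function demo() {
  const realOrigin = "https://login.example";        // constructed
  const lookalike = "https://login.example-id.test"; // constructed look-alike
  const device = new Authenticator();
  const site = new RelyingParty(realOrigin);
  site.enroll(device.register(realOrigin));
  const c1 = site.newChallenge();
  const sig = device.sign(realOrigin, c1);
  const genuine = site.verify(c1, sig);
  const replayed = site.verify(c1, sig); // same response presented twice
  const c2 = site.newChallenge();        // relayed through the look-alike page
  const phished = site.verify(c2, device.sign(lookalike, c2));
  return { genuine, replayed, phished };
}
```

An SMS code, by contrast, is a bearer value: whoever reads it can type it into the real site, which is why interception and SIM swaps work against it.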
Microsoft says passkeys can also sync securely across ecosystems such as Apple iCloud Keychain and Google Password Manager.
Microsoft will start prompting users to switch
The company is expected to begin encouraging personal Microsoft account holders to configure passkeys and verify backup email addresses.
For many users, the transition could improve security without adding much friction. Signing in with biometrics or a PIN is usually faster than waiting for a text message code.
Still, some advanced users and testers may dislike the change. SMS codes often worked as a simple fallback option when authenticator apps failed or secondary devices were unavailable.
Microsoft joins a growing list of tech companies moving away from passwords and SMS-based security systems. The industry increasingly views passkeys as the long-term replacement for both passwords and text-message verification.
The shift could reduce phishing attacks and account hijacking attempts, but it also removes a familiar recovery method many users still depend on.