
Microsoft confirmed that SMS will be removed as an authentication and recovery method for personal Microsoft accounts. The change is driven by fraud and security concerns, including vulnerability to phishing and SIM-swap attacks. Microsoft positions passwordless sign-in as the future, emphasizing passkeys and verified email. The shift aligns with growing adoption of passkeys, including endorsement by the UK’s National Cyber Security Centre in April 2026. Microsoft has promoted passkeys for more than a year and stated that all new Microsoft accounts would be passwordless by default in 2025. Microsoft did not specify when SMS will be fully discontinued. Users will need to learn new sign-in options, and passkeys can be challenging across multiple devices without synchronization tools or password managers.
"Microsoft has confirmed that SMS is on the way out as a method of authentication and recovery for personal Microsoft accounts. Fraud and dubious security were cited as reasons for the move: 'SMS authentication is vulnerable to phishing and SIM-swap attacks.' Passwordless accounts, passkeys, and verified email are the future, according to Microsoft."
"For its part, Microsoft has promoted the use of passkeys for more than a year, declaring in 2025 that all new Microsoft accounts would be passwordless by default. As such, the days of SMS as a method of authentication and account recovery have been numbered for some time, and Microsoft's announcement confirms that users will be directed elsewhere. However, it did not state when it will pull the plug on the technology once and for all."
"Dropping SMS is laudable, but users will still need to learn a new authentication method. Microsoft promises to guide them through it - offering options to sign in with or create a passkey at login - yet that transition may prove easier said than done. Passkeys also have challenges, most notably when used over multiple devices."
"In that instance, a synchronization tool or password manager can help, but users might not be familiar with these technologies. Ultimately, SMS as a method of authentication and recovery for a Microsoft account is on the way out. For many security professionals, it is not a moment too soon."
Read at theregister