Microsoft Drops SMS Auth for Personal Accounts, Embraces Passkeys
Microsoft Phases Out SMS Authentication for Personal Accounts
According to recent reports, Microsoft has announced plans to discontinue the use of SMS-based authentication codes for personal Microsoft accounts. This move is part of the company's broader strategy to enhance account security and reduce reliance on less secure methods.
The Shift to Passkeys
Instead of SMS codes, Microsoft will be promoting passkeys—a more secure and user-friendly authentication method. Passkeys use cryptographic keys stored on devices, making them resistant to phishing and SIM-swapping attacks. Users will be able to sign in using biometrics (like fingerprints or facial recognition) or a device PIN.
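The following Go example is added here for illustration and is not Microsoft's code: it simulates a WebAuthn-style passkey assertion and the server-side check, showing that a response produced on another origin, or one whose origin is changed after signing, is rejected. The domain names, `demoKey`, and the function names are constructed for the example, and the authenticator data is reduced to the RP ID hash, flags, and counter.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed values (assumptions for this example): relying party and enrolled passkey.
const rpID, rpOrigin = "example.com", "https://example.com"
var rpHash = sha256.Sum256([]byte(rpID))
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// digest is what ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func digest(ad, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, ad...), h[:]...))
	return d[:]
}

// signAssertion simulates browser plus authenticator; the browser, not the page, sets origin.
func signAssertion(key *ecdsa.PrivateKey, origin, challenge string) (ad, cdj, sig []byte) {
	cdj = []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":%q,"origin":%q}`, challenge, origin))
	ad = append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, then 4-byte signCount
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest(ad, cdj))
	return
}

// verify is the relying party's sign-in check against the enrolled public key.
func verify(pub *ecdsa.PublicKey, challenge string, ad, cdj, sig []byte) error {
	var cd struct{ Type, Challenge, Origin string }
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("wrong type or challenge")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	case len(ad) < 37 || string(ad[:32]) != string(rpHash[:]) || ad[32]&0x01 == 0:
		return fmt.Errorf("wrong RP ID hash or user not present")
	case !ecdsa.VerifyASN1(pub, digest(ad, cdj), sig):
		return fmt.Errorf("invalid signature")
	}
	return nil
}

func main() {
	ad, cdj, sig := signAssertion(demoKey, "https://example-login.test", "c1")
	fmt.Println(verify(&demoKey.PublicKey, "c1", ad, cdj, sig))
}
```

Unlike an SMS code, which is valid wherever it is typed, the signed response is only accepted for the origin and the one-time challenge it was created for.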
What This Means for Users
For existing users who rely on SMS for two-factor authentication (2FA) or account recovery, Microsoft will provide guidance on transitioning to passkeys or other alternative methods like authenticator apps. The change is expected to roll out gradually, giving users time to adapt.
Why the Change?
SMS-based authentication has long been criticized for its vulnerabilities, including interception via SS7 protocol exploits and SIM-swapping. By moving to passkeys, Microsoft aims to offer stronger protection against these threats, aligning with industry trends toward passwordless authentication.
How to Prepare
Users are encouraged to set up passkeys via the Microsoft Authenticator app or their device's built-in security features. Microsoft will also continue to support other 2FA methods, such as authenticator apps and hardware security keys, ensuring flexibility for users.
This shift underscores Microsoft's commitment to improving security for personal accounts, following similar moves by other tech giants like Google and Apple.