Microsoft Is Eliminating SMS Codes for Two-Factor Authentication

Credit: PixieMe/Shutterstock

Table of Contents

If you have a Microsoft account that uses SMS for two-factor authentication, you may soon have to choose a more secure method for logging in. As reported by Windows Latest, the company is ditching text-based authentication codes for personal accounts, stating that these are "now a leading source of fraud." Users will be prompted to set up a passkey instead.

Microsoft is trying to eliminate passwords

Microsoft has already started moving toward a password-less environment—last year, the company made passkeys the default on new accounts at setup. Now, it is phasing out SMS codes for 2FA and account recovery in favor of passkeys, authenticator apps, and verified backup email addresses.

SMS codes are quick to set up and convenient to use. However, they are also among the least secure forms of multi-factor authentication (MFA), as they are highly susceptible to phishing and SIM swapping attacks. Authenticator apps (which generate temporary codes that change every 30 seconds) may be slightly better, but the best MFA option is one based on WebAuthn credentials, like biometrics and passkeys.

Passkeys use your device's built-in authentication, such as a face scan, fingerprint scan, or PIN. They can also be synced across devices via password management services. Once you've established your passkey, you can authenticate logins anywhere using one of those methods on your trusted device. Passkeys can't be phished or stolen, and they only work on the legitimate domain they're made for (so they won't prompt you to authenticate if you're trying to log into a spoofed site). They also require that your trusted device be physically close to the device you're logging in on, so they can't be used to access your accounts remotely.

While there doesn't appear to be a set date for cutting off SMS authentication, Microsoft users should expect to make this transition to an alternative method soon.