3 hours ago
Quote: Microsoft has announced that it will discontinue SMS-based authentication and account recovery for personal Microsoft accounts. The company updated its support documentation to reflect this change, having previously hinted at the move earlier this year. Going forward, SMS codes will be replaced with passkeys, passwordless accounts, and verified secondary email addresses.
While Microsoft has not set a specific date for the transition, it is introducing a redesigned authentication process that encourages users to set up a passkey during sign-in.
Why Microsoft Is Phasing Out SMS Codes for Personal Accounts And What It Recommends Instead
Microsoft considers SMS-based authentication a security risk. The company points out that attackers can exploit plaintext mobile messages for fraud, phishing, and SIM swapping. Additionally, SMS authentication faces reliability issues, with codes sometimes not arriving or arriving late.
This change puts Microsoft in line with a broader industry trend away from SMS two-factor authentication, which security organizations like NIST have recommended deprecating for several years.
When users sign into a Microsoft account, they will notice a new option called "sign in faster" that creates a passkey on the device. Passkeys are cryptographic credentials that authenticate the user without needing a password or SMS code. They are linked to a specific device and can be unlocked using biometrics or a device PIN.