By Xavier Rivera · 2 min read

Microsoft Phases Out SMS Authentication for All Accounts

Microsoft is phasing out SMS authentication and account recovery for all personal Microsoft accounts, including those used with Xbox, citing it as a leading source of fraud. The change promotes more secure passwordless options like passkeys to counter phishing and SIM-swap attacks while simplifying access.

Source: Pure Xbox

Microsoft is officially phasing out SMS authentication and account recovery as an option from everyone's personal Microsoft account. The change directly affects Xbox accounts as well. The company states that SMS-based authentication is now a leading source of fraud.

Instead of receiving texts with a six-digit code to prove identity during sign-in, Microsoft is directing users toward other methods such as passkeys. These allow sign-in using Face ID, fingerprints and PINs. Many people already rely on the Microsoft Authenticator app for their Xbox accounts, and the company indicates this will continue to function as normal.

"Microsoft is committed to advancing security standards and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts," the company said. "Microsoft believes that the future of authentication is passwordless, secure, and user-friendly. SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless."

SMS authentication is vulnerable to phishing and SIM-swap attacks. Microsoft is replacing it with passkeys and verified email for better protection and convenience. Passkeys provide a modern, phishing-resistant way to sign in using a device's built-in authentication such as Face ID, fingerprint or PIN. They are described as faster and more secure than passwords or SMS codes.

Recent updates to Microsoft account sign-in now support passkeys with device biometric authentication, making phishing virtually impossible. The official Microsoft Support website offers details on protecting a Microsoft account. Users are advised to check the Security section of their Microsoft account dashboard to review current settings.

Xbox owners have occasionally lost access to digital game libraries after accounts were hacked. The company recommends reading the "How to help keep your Microsoft account secure" page on its website to improve settings and avoid potential fraud. The shift underscores Microsoft's commitment to passwordless authentication across personal accounts.

EXPERT TAKE

Cloud admins should audit Microsoft account security settings now to migrate users to passkeys and Authenticator before SMS options disappear entirely.
