Microsoft Phases Out SMS Authentication Over Fraud Concerns
Microsoft is phasing out SMS codes for login and recovery on personal accounts, citing the method as a leading source of fraud. The move accelerates the company's passwordless strategy centered on passkeys to counter threats and simplify access.

According to Microsoft, "SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless." The decision was reported via Windows Latest.
SMS codes sent via text to a phone have traditionally served as an authentication method during login or as a recovery tool. With the phase-out, these options will no longer be available for personal Microsoft accounts.
The shift leaves primarily passkeys as the alternative. These can take the form of a PIN but also include biometric passkeys such as face or fingerprint scans, which avoid the problem of forgetting sequences of characters.
This is not the first time Microsoft has stated its goal to completely ditch traditional passwords. The company is pitching passkeys as a faster, phishing-resistant way to log in because the method uses a device's local built-in authentication like Face ID, fingerprint or PIN.
SMS codes are displayed in plain text and sent over mobile networks that committed bad actors can breach. On-device authentication cuts out that vulnerable network, though the source notes security researchers have exposed how Windows Recall could be leveraged by bad actors. Device security should be maintained across the board.
No authentication measure is 100% secure. The changes may limit login options for forgetful users, as password managers cannot auto-fill before logging into the OS.
Expert Take: Cloud admins should assess passkey readiness in Microsoft environments now to reduce support load as SMS recovery options disappear and biometric methods expand.