Microsoft is officially moving away from SMS-based authentication for personal accounts as the company pushes users toward passkeys, authenticator apps, and passwordless sign-in methods.
In a newly updated support advisory, Microsoft confirmed it will gradually stop using SMS codes for account authentication and recovery on personal Microsoft accounts. The company stated that “SMS-based authentication is now a leading source of fraud,” citing growing risks tied to phishing attacks, SIM swapping, and mobile-based account takeovers.
The change affects Microsoft consumer accounts used across services such as Outlook, OneDrive, Xbox, and Windows. Users who currently rely on text-message verification codes for two-factor authentication will increasingly be encouraged to switch to passkeys, verified email recovery methods, or the Microsoft Authenticator app.
Microsoft has not yet announced a final deadline for completely removing SMS verification support. However, reports indicate the company has already started limiting SMS sign-in options for newly created personal accounts while actively promoting passwordless alternatives through Windows 11 and Microsoft account login prompts.
The company described passkeys as a more secure authentication method because they rely on cryptographic credentials stored directly on user devices rather than one-time codes transmitted over mobile networks. Passkeys typically use device-based authentication systems such as fingerprints, facial recognition, or PIN verification.
Security researchers have long warned that SMS authentication presents significant risks. SIM-swapping attacks allow criminals to hijack phone numbers by tricking mobile carriers into transferring a victim’s number to attacker-controlled devices. Once successful, attackers can intercept authentication codes and bypass account protections.
Microsoft’s move reflects a broader industry shift away from SMS-based two-factor authentication. Companies including Google, Apple, and several major financial institutions have increasingly adopted passkeys and hardware-based authentication systems as part of wider passwordless security initiatives.
Despite the security advantages, some users have expressed concerns about relying entirely on passkeys and device-based authentication systems. Critics argue that users who lose access to trusted devices may face account recovery difficulties if backup methods are not properly configured.
Microsoft said users should add multiple recovery methods to their accounts before SMS verification is fully phased out. The company recommends enabling authenticator apps, backup email addresses, and passkeys to reduce the risk of lockouts and improve account security.