Microsoft to phase out SMS authentication codes for personal accounts in favor of passkeys


Microsoft has announced that it will discontinue SMS-based authentication and account recovery for personal Microsoft accounts. The company updated its support documentation to reflect this change, having hinted at it earlier this year. Going forward, SMS codes will be replaced by passkeys, passwordless accounts, and verified secondary email addresses.

While Microsoft has not set a specific date for the transition, it is introducing a redesigned sign-in flow that encourages users to set up a passkey during login.

Why Microsoft is phasing out SMS codes for personal accounts and what it recommends instead

Microsoft considers SMS-based authentication a security risk. The company notes that attackers can abuse plain-text mobile messages for fraud, phishing and SIM swapping. SMS authentication also suffers from reliability problems: codes sometimes arrive late or not at all.

This change brings Microsoft in line with a broader industry move away from SMS two-factor authentication, a practice that security organizations such as NIST have recommended against for several years.

When users sign in to a Microsoft account, they’ll notice a new option called “sign in faster” that creates a passkey on the device. Passkeys are cryptographic credentials that authenticate the user without a password or SMS code. They are bound to a specific device and are unlocked with biometrics or a device PIN.

Microsoft’s guide describes several ways to store passkeys. Users can save a passkey in a password manager, keep it on a smartphone for cross-device authentication, or use Windows Hello biometric hardware for local sign-in.

Account recovery is changing to rely on verified secondary email addresses. Microsoft says these are more resilient than SMS for users who change phone numbers or lose access to their original device.

Potential friction for existing users and how to set up a passkey

The phase-out could affect users who currently rely on SMS verification for their Microsoft accounts. Those who do not have a password or a verified secondary email will need to set one up before SMS support is fully discontinued. Users of older devices that cannot store passkeys may need a password manager that supports passkeys, or may need to switch to verified email as their recovery method.

Microsoft has not set a deadline for users to move off SMS authentication, but the company has emphasized its goal of raising the security baseline through secure-by-default experiences.

To prepare for the eventual removal of SMS, users can set up a passkey for their Microsoft account by following Microsoft’s official instructions. The process supports creating passkeys on Windows 11, Android, iOS, and macOS devices, with the passkey synced through the user’s preferred storage method.

In addition, verified secondary email addresses can be added in the account’s security settings as a backup recovery option.
