Microsoft Phasing Out SMS Authentication Codes for Personal Accounts in Favor of Passkeys

Microsoft has announced that it will discontinue SMS-based authentication and account recovery for personal Microsoft accounts. The company has updated its support documentation to reflect this change, a move that was hinted at earlier this year. Going forward, SMS codes will be replaced with passkeys, passwordless accounts and verified secondary email addresses.

Although Microsoft hasn’t set a specific date for the transition, it is rolling out a redesigned authentication process that encourages users to set up a passkey during sign-in.

Why Microsoft is phasing out SMS codes for personal accounts and what it recommends instead

Microsoft considers SMS-based authentication to be a security risk. The company notes that attackers can exploit plaintext mobile messages for fraud, phishing, and SIM swapping. Additionally, SMS authentication suffers from reliability issues, with codes sometimes not arriving or arriving late.

This change puts Microsoft in line with a broader industry trend away from SMS two-factor authentication, which security organizations like NIST have recommended against for several years.

When users sign in to a Microsoft account, they’ll see a new option called “Sign in faster” that creates a passkey on the device. Passkeys are cryptographic credentials that authenticate a user without requiring a password or SMS code. They are tied to a specific device and can be unlocked using biometrics or a device PIN.

Microsoft’s guidance explains several ways to store passkeys. Users can save the passkey in a password manager, store it on a smartphone for cross-device authentication, or use Windows Hello biometric hardware for local access.

Account recovery is changing to rely on verified secondary email addresses. Microsoft says these are more flexible than SMS for users who change phone numbers or lose access to their original device.

Potential friction and how to set up a passkey for existing users

The phaseout may disrupt users who currently rely on SMS verification for their Microsoft accounts. Those who do not have a passkey or verified secondary email will need to set one up before SMS support is completely discontinued. Users of older devices that do not support passkey storage may need to use a password manager that supports passkeys or switch to a verified email recovery method.

Microsoft hasn’t set a timeline for when users will need to move away from SMS authentication, but the company has emphasized its goal of improving security standards through secure-by-default experiences.

To prepare for the final removal of SMS authentication, users can set up a passkey for their Microsoft account by following Microsoft’s official instructions. The process supports creating passkeys on Windows 11, Android, iOS, and macOS devices, with the passkey synchronized via the user’s preferred storage method.

Additionally, a verified secondary email address can be added as a backup recovery option through account security settings.


Source: Ghacks
