Microsoft says cu l8r to text message security

Old, busted, insecure authentication to be replaced with something shinier and safer
Microsoft has confirmed that SMS is on the way out as a method of authentication and recovery for personal Microsoft accounts.
Fraud and dubious security were cited as reasons for the move: “SMS authentication is vulnerable to phishing and SIM-swap attacks.” Passwordless accounts, passkeys, and verified email are the future, according to Microsoft.
The announcement was first spotted by WindowsLatest and comes as passkeys are increasingly accepted as a default authentication standard. In April 2026, the UK’s National Cyber Security Centre officially endorsed the technology and urged consumers to adopt it.
For its part, Microsoft has promoted the use of passkeys for more than a year, declaring in 2025 that all new Microsoft accounts would be passwordless by default.
As such, the days of SMS as a method of authentication and account recovery have been numbered for some time, and Microsoft’s announcement confirms that users will be directed elsewhere. However, it did not state when it will pull the plug on the technology once and for all.
Dropping SMS is laudable, but users will still need to learn a new authentication method. Microsoft promises to guide them through it – offering options to sign in with or create a passkey at login – yet that transition may prove easier said than done.
Passkeys also have challenges, most notably when used across multiple devices. In that case, a synchronization tool or password manager can help, but users might not be familiar with these technologies.
Ultimately, SMS as a method of authentication and recovery for a Microsoft account is on the way out. For many security professionals, it is not a moment too soon. ®
Source: www.theregister.com…
