Microsoft says cu l8r to text message security

On-Prem

Old, busted, insecure authentication to be replaced with something shinier and safer

Microsoft has confirmed that SMS is on the way out as a method of authentication and recovery for personal Microsoft accounts.Fraud and dubious security were cited as reasons for the move: "SMS authentication is vulnerable to phishing and SIM-swap attacks." Passwordless accounts, passkeys, and verified email are the future, according to Microsoft.The announcement was first spotted by WindowsLatest and comes as passkeys are increasingly accepted as a default authentication standard. In April 2026, the UK's National Cyber Security Centre officially endorsed the technology and urged consumers to adopt it.

For its part, Microsoft has promoted the use of passkeys for more than a year, declaring in 2025 that all new Microsoft accounts would be passwordless by default.

As such, the days of SMS as a method of authentication and account recovery have been numbered for some time, and Microsoft's announcement confirms that users will be directed elsewhere. However, it did not state when it will pull the plug on the technology once and for all.

Microsoft says cu l8r to text message security

Other newsrooms on this story

Related reading

Microsoft is pulling the plug on SMS codes, wants you to switch to passkeys

Microsoft dice addio agli SMS e punta tutto sulle passkey per l'accesso a…

Microsoft Phone Link abused to steal SMS OTPs from enterprise PCs

Microsoft Authenticator: Critical vulnerability allows token theft

Microsoft Authenticator: Kritische Sicherheitslücke ermöglicht Token-Diebstahl

The New Phishing Click: How OAuth Consent Bypasses MFA