Microsoft is pulling the plug on SMS codes, wants you to switch to passkeys

IN BRIEF: Despite dating back to 1993 and the GSM era, SMS codes remain fully active across authentication and identity verification workflows. Microsoft is among the bigger tech players pushing to retire the option entirely, offering customers a set of modern, more secure alternatives – though whether users will embrace the change or resist their SMS-ridden habits remains to be seen.

Microsoft has confirmed that SMS-based authentication and account recovery for personal accounts is on its way out. The company argues that plaintext SMS codes are no longer fit for purpose in secure authentication, particularly now that stronger alternatives are widely available across Windows and mobile platforms.

Redmond had signaled the shift earlier this year, and is now formalizing it through an updated support page.

The company characterizes SMS-based authentication as an active security liability, citing how cybercriminals increasingly exploit plaintext mobile messages to run fraud campaigns. SMS authentication is also susceptible to phishing, SIM-swapping, and other sophisticated attack vectors.

Also check out: Are Passwords Dead? What Are Passkeys, and Why Everyone's Talking About Them

Microsoft is pulling the plug on SMS codes, wants you to switch to passkeys

Other newsrooms on this story

Related reading

Microsoft says cu l8r to text message security

Other newsrooms on this story

Related reading

Microsoft says cu l8r to text message security

Microsoft dice addio agli SMS e punta tutto sulle passkey per l'accesso a…

What are passkeys? The end of the password era explained

Microsoft Phone Link abused to steal SMS OTPs from enterprise PCs

What is a passkey, how does it work and why is it better than a password?

Microsoft Authenticator: Critical vulnerability allows token theft