Microsoft phases out SMS login, mandates passkeys for stronger security
SMS authentication is unencrypted and vulnerable to SIM-swap attacks—Microsoft is killing it.
Microsoft is officially phasing out SMS-based authentication for personal Microsoft accounts, announcing the change on a new support page. The company argues that SMS messages lack end-to-end encryption, making them easy for attackers to intercept. Attackers commonly use SIM-swapping—tricking a carrier into transferring a victim's phone number to a SIM they control—to receive those texts and then take over the associated accounts. Microsoft calls SMS 'a leading source of fraud' and will instead prompt users to set up a passkey or add a verified email for both sign-in and account recovery.
Passkeys offer stronger protection by unlocking with your face, fingerprint, security key, or PIN—never with a code sent over the open network. Because a passkey is bound to the device that created it, Microsoft recommends storing passkeys in a password manager that syncs them across devices (e.g., 1Password, Google Password Manager, Apple Passwords, Bitwarden, or Microsoft's own Edge password manager) or on a physical security key. Users on Windows can also use Windows Hello. Although the transition requires a few setup steps, Microsoft promises long-term gains in security and convenience. The article applauds the move and suggests other companies should follow.
- Microsoft is removing SMS as an authentication method for personal accounts due to lack of encryption and SIM-swap risks.
- Users will be guided to set up passkeys (biometric, PIN, or security key) or a verified email instead.
- Passkeys can be stored across devices via major password managers like 1Password, Bitwarden, or Microsoft's Edge Password Manager.
Why It Matters
Killing SMS eliminates a huge phishing and SIM-swap attack vector, forcing millions to adopt truly phishing-resistant passkeys.