If you have a Microsoft account that uses SMS for two-factor authentication, you may soon have to choose a more secure method to log in. Reported by Windows LatestThe company is removing text-based authentication codes for personal accounts, saying these are “now a major source of fraud.” Instead users will be prompted to set a passkey.
Microsoft is trying to eliminate passwords
Microsoft has already started moving toward a password-less environment — last year, the company made the passkey the default on new accounts at setup. Now, it’s phasing out SMS codes for 2FA and account recovery in favor of passkeys, authenticator apps, and verified backup email addresses.
SMS codes are quick to set up and convenient to use. However, they are one of the least secure forms of multi-factor authentication (MFA), as they are highly vulnerable to phishing and SIM swapping attacks. Authenticator apps (which generate temporary codes that change every 30 seconds) may be slightly better, but the best MFA option is based on biometrics and WebAuth credentials like a passkey.
Passkeys use your device’s built-in authentication, such as a face scan, fingerprint scan, or PIN. They can also be synced across devices through password management services. Once you’ve established your passkey, you can authenticate logins anywhere using one of those methods on your trusted device. Passkeys can’t be phished or stolen, and they only work on legitimate domains for which they’re created (so they won’t prompt you to authenticate if you’re trying to log in to a fake site). They also require that your trusted device be physically close to the device you’re logging in to, so they can’t be used to access your accounts remotely.
What do you think so far?
Although there does not appear to be a set date for SMS authentication to be turned off, Microsoft users should expect this change to an alternative method soon.
