Microsoft SMS Codes Exit Puts Recovery Burden on Users
Microsoft SMS codes are being phased out for personal Microsoft accounts, with passkeys, passwordless sign-in and verified secondary email taking their place. Microsoft has not published a final cutoff date, but Microsoft’s SMS phase-out notice says text messages will no longer be used for authentication or account recovery.
The security logic is strong. The friction lands on ordinary users who treated a mobile number as their last safety net for Outlook, Xbox, OneDrive, Microsoft 365 and Copilot accounts.
The Cutoff Without a Date
Microsoft’s move affects personal Microsoft accounts, not every business or school login managed by an employer. The company says it will start removing SMS as both a sign-in check and a recovery method, then steer users toward passkeys and verified email. The support page shows the likely prompt: a Sign in faster option that appears during login and asks the user to create a passkey.
The key detail for households and small offices is that there is no final deadline. That makes the change easy to ignore until a login prompt appears on a phone, a laptop, a console or a browser session. Users who already have several recovery options may barely notice. Users who rely on one mobile number have work to do.
Microsoft says support agents cannot send password reset links or change account details for users. That warning matters because SMS used to feel like the fallback of last resort. Once it fades, recovery depends on what the account holder set up before trouble begins.

Why Phone Codes Became the Weak Link
SMS authentication solved an older problem: stolen passwords. A six-digit code sent to a phone was better than a password alone. Attackers adapted. Phishing kits ask for the code in real time, SIM-swap crews move a number to a new device, and delayed delivery can lock out legitimate users at the worst moment.
Microsoft now calls SMS-based authentication a leading source of fraud. That language lines up with guidance from the US National Institute of Standards and Technology, whose digital identity guidance for one-time passwords placed extra restrictions on SMS. The US Cybersecurity and Infrastructure Security Agency also treats phishing-resistant multifactor authentication as the stronger end state in its public guidance on stronger MFA.
- 7,000 per second: Microsoft said it blocked that many password attacks in its consumer passkey research.
- 98%: Microsoft reported passkey sign-in success at that rate, compared with 32% for passwords.
- 3x faster: The company said passkey sign-in was three times faster than a traditional password and eight times faster than a password plus traditional multifactor authentication.
Those figures come from Microsoft’s own security blog, so they should be read as product data from the vendor making the change. Even with that caveat, the pattern is clear: the account industry is trying to remove copyable secrets from the login flow.
Passkeys Move the Secret off the Network
A passkey works through public key cryptography, which means the service keeps one part of a key pair and the user’s device or credential manager keeps the private part. The private key is unlocked locally with a face scan, fingerprint, device PIN or security key. Microsoft described the model in its consumer passkey launch when it added support for Microsoft accounts across Windows, Google and Apple platforms.
The practical advantage is domain binding. A fake login page can trick someone into typing a password or text code. It cannot make the user’s device release a Microsoft passkey for the wrong website. The FIDO Alliance, the industry group behind Fast Identity Online standards, says passkeys replace passwords with cryptographic key pairs and can be synced or device-bound.
| Method | What the User Does | Main Weakness | Best Use Now |
|---|---|---|---|
| SMS code | Reads a text message and types the code | Phishing, SIM swap and delivery failure | Fallback only while still available |
| Authenticator code | Opens an app and enters a rotating code | Can still be phished if typed into a fake page | Better than SMS when passkeys are unavailable |
| Passkey | Uses face, fingerprint, PIN or a security key | Recovery depends on device and provider setup | Primary sign-in for accounts that support it |
| Verified email | Receives account recovery messages | Only as safe as the email account itself | Backup recovery path for Microsoft accounts |
That table hides the cultural shift. A phone number used to be treated as identity. A passkey treats the phone, laptop, password manager or hardware key as the identity anchor.
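The domain binding described above can be seen in the checks a sign-in server runs on a passkey assertion. The following Python is an added example, not code from Microsoft or the FIDO Alliance: the browser writes the page's origin into clientDataJSON and the authenticator hashes the relying-party ID into authenticatorData, both covered by the signature, so an assertion produced on a look-alike page fails where a typed code would pass. `login.example`, the look-alike origin and the sample assertions are constructed placeholders, and signature verification is assumed to be done by a WebAuthn library.

```python
import base64
import hashlib
import json

RP_ID = "login.example"                    # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://login.example"  # assumed origin of the real sign-in page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  issued_challenge: bytes) -> str:
    """Return "ok" or the reason the assertion is rejected.

    The signature over authenticator_data || SHA-256(client_data_json) is
    assumed to be verified separately with the credential's stored public key.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"          # stale or replayed response
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"             # page that asked was not ours
    if len(authenticator_data) < 37:         # 32 hash + 1 flags + 4 counter
        return "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"           # credential scoped to another site
    if not flags & 0x01:                     # bit 0 = user present
        return "user presence flag not set"
    return "ok"

def constructed_assertion(origin: str, rp_id: str, challenge: bytes):
    """Build sample inputs shaped like what a browser and authenticator emit."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x05]) + (1).to_bytes(4, "big"))  # UP|UV, counter 1
    return client_data, auth_data

CHALLENGE = bytes(range(32))  # constructed; real servers issue a fresh random one

def demo():
    genuine = constructed_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    lookalike = constructed_assertion("https://login-example.test",
                                      "login-example.test", CHALLENGE)
    return check_binding(*genuine, CHALLENGE), check_binding(*lookalike, CHALLENGE)

if __name__ == "__main__":
    print(demo())
```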
The Recovery Burden Shifts to the User
The hidden stakeholder is the person who never opens account security settings. Microsoft can improve the average login. It cannot automatically know whether a user’s old mobile number still works, whether their backup email is abandoned, or whether a passkey saved on one device will be reachable after that device is lost.
Microsoft’s passkey setup instructions for Microsoft accounts list several storage choices: Microsoft Password Manager, another synced credential manager, an iPhone or Android device, a physical security key, or Windows Hello on a local Windows device. The safest setup for most people is not one perfect method. It is one working recovery path that survives a lost phone.
- Check that the secondary email on the Microsoft account is active and protected with its own strong sign-in method.
- Create a passkey on the device used most often, then confirm where it was saved.
- Add a second method, such as a password manager or hardware security key, if the account protects important files or purchases.
- Review old phone numbers and remove numbers that no longer belong to the user.
- Test sign-in from a private browser window before traveling, selling a device or resetting a phone.
The backup email deserves special attention. Microsoft is making verified secondary email part of the replacement for SMS recovery. If that mailbox has a weak password or no multifactor authentication, the Microsoft account inherits that weakness.
Microsoft Has Been Training This Muscle for Two Years
This phase-out did not arrive from nowhere. Microsoft enabled passkeys for consumer accounts in May several years ago, then spent the next cycle changing how it nudges people during login. In a later security blog, Sangeeta Ranjit and Scott Bingham of Microsoft wrote that messages about speed and security performed better than softer ease-of-use language.
The company also said its initial redesigned sign-in experience produced a 10% drop in password use and a 987% increase in passkey use. That does not mean every user loved the change. It does explain why Microsoft is willing to push harder: defaults move behavior faster than account settings pages.
Another clue came from Microsoft Authenticator. Microsoft’s Authenticator autofill change notice says password autofill in the app was discontinued in mid-August after earlier steps stopped adding and autofilling passwords. Saved passwords and addresses moved toward Microsoft Edge, while Authenticator kept supporting Entra passkeys for work and school accounts.
Put together, the plan is visible. Microsoft Edge, Microsoft Password Manager, Windows Hello, Authenticator and Microsoft accounts are being arranged around passkeys as the normal path, not the expert option buried in settings.
Where This Will Hurt
The roughest cases are predictable. Older devices may not offer a smooth passkey prompt. Shared family machines can make it unclear whose biometric or PIN is tied to an account. People who manage accounts for parents or children may discover that the phone number on file belonged to a device replaced long ago.
Travel adds another risk. SMS was never ideal abroad, but it had one advantage: people understood it. A synced passkey can be easier when the same credential manager is already set up across devices. A device-bound passkey can be painful if the device is broken, wiped or left at home.
Security professionals will welcome the move because it cuts off a class of phishing attacks that depend on stealing reusable codes. Consumers will judge it by a different standard: whether they can still get into an account after a phone upgrade. If Microsoft times the prompts well and makes backup email checks clear, the transition will feel like a normal login upgrade. If users meet the change only during a recovery crisis, the support forums will fill before the security benefits are felt.
Frequently Asked Questions
Is Microsoft Removing SMS Codes for All Accounts?
Microsoft is phasing out SMS codes for personal Microsoft accounts, according to its support page. Work and school accounts can be governed by separate Microsoft Entra settings chosen by an organization.
Do I Need to Delete My Microsoft Password?
No. The current notice focuses on SMS authentication and recovery, not a forced password deletion for every personal account. Microsoft still encourages passwordless accounts and passkeys as the safer long-term setup.
Can I Still Recover My Account If I Lose My Phone?
Yes, but only if another recovery method is ready. Microsoft points users toward a verified email address and passkeys so recovery does not depend on the lost phone number.
Where Should I Save a Microsoft Passkey?
You can save a Microsoft passkey in Microsoft Password Manager, another synced credential manager, a phone, a physical security key or Windows Hello. The best choice is the one you can recover after replacing your main device.
Is an Authenticator App Still Useful?
Yes. Authenticator apps remain better than SMS in many cases, especially when passkeys are not available. A passkey is stronger against phishing because it is tied to the legitimate website or app.
When Will Microsoft Stop Sending SMS Codes?
Microsoft has not published a final cutoff date for personal accounts. Users should set up a passkey and verified email before the prompt becomes mandatory during sign-in or recovery.
