Microsoft plans to end SMS two-factor authentication, potentially setting the pace for a passwordless Windows 11 future: "SMS as MFA is horribly vulnerable on multiple fronts."
Microsoft is scrapping SMS 2FA because it is a leading source of fraud.
Microsoft quietly announced that it will stop sending SMS codes for authentication and account recovery on personal Microsoft accounts, replacing them with more secure options like passkeys, authenticator apps, and verified email addresses.
"Microsoft believes that the future of authentication is passwordless, secure, and user-friendly," the company indicated when clarifying why it's phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts (via Windows Latest).
The company says SMS-based authentication is "a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless."
It is still unclear when Microsoft plans to completely phase out SMS codes for Microsoft account sign-in, as it's not outlined in the security advisory documentation highlighting the change.
I understand that in the current setup for new Microsoft accounts, SMS codes are no longer offered as a viable option for authentication or account recovery on personal accounts.
However, you’ll likely start seeing “Sign in faster” prompts encouraging you to create a passkey for authentication and sign-in verification, replacing SMS-based codes. Microsoft highlights several advantages of passkeys over SMS, including:
- Improved security: Passkeys are phishing-resistant and eliminate the risk of fraud.
- Faster sign-in: No more waiting for SMS codes - sign in instantly with passkeys utilizing biometrics or device PIN, or through utilizing one-click sign-in options using Apple and Google accounts.
- Reduced risk: SMS is one of the most targeted vectors for account takeover. Moving away from it significantly reduces exposure.
- Better account recovery: Verified email and passkeys ensure users can recover access even if they change phone numbers or lose devices.
The company is promoting passkeys as the better, faster, and more secure option for authentication and account recovery on personal Microsoft accounts because they provide a "phishing-resistant way" to sign in using your device's built-in authentication, like Face ID, fingerprint, or PIN.
What's more, the Microsoft account sign-in recently received a major update, adding passkeys with device biometric authentication — "making phishing virtually impossible."
In comparison, SMS authentication is susceptible to phishing and SIM-swap attacks. It's worth noting that you'll still be able to recover your Microsoft account even if your phone is lost or stolen, with a verified email and passkey as alternative recovery options.
I decided to visit X and Reddit to get a feel for how the community is receiving the change and the measures it is taking to adapt. "Good move," a user indicated on Reddit. "SMS as MFA is horribly vulnerable on multiple fronts."
"From a strict cybersecurity standpoint, killing SMS is the right move. SIM-swapping is incredibly easy, and SMS phishing is rampant. Passkeys are objectively vastly superior. But Microsoft's aggressive implementation is the issue. They lock you out of options rather than educating users, and God forbid you lose access to your primary device without a rock-solid backup strategy. They are shifting the single point of failure from the telecom network straight to the user's pocket."
Last_Weekend7270 on Reddit
"Passkeys have one HUGE problem: they are limited to a single device," another user indicated on X. "Using an account across devices with a passkey is a nightmare. Yes, there are workarounds with QR codes, but really clumsy compared to a username and password."
Over the past few months, Microsoft has taken elaborate measures to make Windows 11 better and improve user sentiment. Some of these efforts include reducing where Copilot and its integrations appear in the operating system.
Microsoft insiders are also fighting to drop Windows 11's mandatory Microsoft Account requirements during setup, potentially as part of the company's broader Windows K2 initiative.

Kevin Okemwa is a seasoned tech journalist based in Nairobi, Kenya with lots of experience covering the latest trends and developments in the industry at Windows Central. With a passion for innovation and a keen eye for detail, he has written for leading publications such as OnMSFT, MakeUseOf, and Windows Report, providing insightful analysis and breaking news on everything revolving around the Microsoft ecosystem. While AFK and not busy following the ever-emerging trends in tech, you can find him exploring the world or listening to music.
