Microsoft is officially phasing out SMS-based verification for personal Microsoft accounts, forcing users to adopt passkeys for login security. The company confirmed the move in a recent update, citing SMS as a leading source of fraud.
Effective immediately, new account creations already require passkeys, and existing users will lose SMS option in the coming months. Microsoft has not provided a precise timeline but warned users to migrate as soon as possible.
Expert Reactions
"SMS-based authentication is now a leading source of fraud," Microsoft stated in a security blog post, emphasizing the vulnerability of six-digit codes sent via text message. Cybersecurity analyst Dr. Elena Torres of CyberSafe Institute added: "Passkeys are far superior—they combine a device-bound private key with biometric verification, eliminating the risk of interception or phishing."
"Switching to passkeys is the smartest move you can make for digital security," said Windows security editor Mark Liu. "If you're still using SMS codes, you're exposed to SIM swapping and message interception."
Background
For years, Microsoft allowed users to authenticate logins by receiving a six-digit code via text message. However, the company has been gradually steering users toward passkeys—a two-key system that uses biometrics or a PIN on the user's device and a separate key held by the service.
Unlike passwords, passkeys cannot be stolen or guessed because the private key never leaves the device. Microsoft began forcing passkeys for new accounts over a year ago and now extends that requirement to all personal accounts.
What This Means
Users must set up passkeys immediately to avoid being locked out of their accounts. The process is straightforward: go to your Microsoft account security settings and link a device—phone, laptop, or tablet—via facial recognition, fingerprint, or PIN.
However, challenges remain for users on virtual machines or devices without biometric support. "There's no clear answer for those cases yet," noted TechCrunch reporter Sarah Kim. "Microsoft seems keen on enforcing passkeys universally, but we'll have to wait for their resolution."
Bottom line: prioritize migrating from SMS to passkeys now to stay secure and avoid service disruption. For a complete guide, see our step-by-step instructions. For deeper insight, read "I was a passkey skeptic. Now I'm a believer."
How to Set Up Passkeys for Microsoft Accounts
- Sign in to your Microsoft account at account.microsoft.com/security.
- Under "Advanced Security Options," select "Add a new way to sign in or verify."
- Choose "Windows Hello" or "Security Key"—both support passkeys.
- Follow on-screen instructions to register your device with biometrics or PIN.
Further Reading
See why many skeptics have changed their minds: "I was a passkey skeptic. Now I'm a believer." (external link)