Microsoft starts scrapping 2FA SMS codes.
getty
Microsoft has confirmed it is starting to phase out SMS as a method of authentication, as well as account recovery, for all personal Microsoft accounts. If you use SMS as your primary 2FA code delivery mechanism, you had better pay attention and change to something else as soon as possible to prevent login problems down the line.
The short message service has been the default text protocol to send messages between mobile devices for the longest time. But all bad things come to an end, and SMS is truly that as far as security is concerned. That’s what so many people have moved to using encrypted messaging platforms such as WhatsApp and Signal. It’s also why Microsoft has announced that it is scrapping the use of two-factor authentication codes sent using SMS for logging into personal Microsoft accounts.
Microsoft Explains Why It Is Scrapping SMS Authentication
“SMS-based authentication is now a leading source of fraud,” Microsoft has said, “and by moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more seamless.”
That fraud comes in many guises, from attacks targeting senior citizens to SMS pumping attacks that target phone bills, but the type of fraud that Microsoft is addressing with this change is directed at account authentication. It doesn’t take a tech genius to realize that transmitting 2FA codes in plain text, using cellular networks, is hardly the most secure method to do so. Interception and SIM-swap attacks are just two of the risks. But that doesn’t really matter; what does is that there are many more secure methods of receiving 2FA codes, by way of an authenticator app, for example, and many more secure methods for logging in, such as a passkey. There really is no need to be using SMS anymore, especially when those other methods are as easy, if not easier, to use. Microsoft itself has now said that it “believes that the future of authentication is passwordless, secure, and user-friendly.”
Microsoft Says Personal Account Users Should Move To Passkeys
Microsoft has confirmed that users signing in to a personal account will be “guided through a simple process to add a verified email and set up a passkey,” so they can both log in and recover the account without using SMS. It is not yet clear what the timeline is for phasing out SMS codes altogether, but I would recommend making the change now to stay on top of things and, it must be said, to improve your security posture at the same time. You can also find out more and register a passkey here.
Once you have done so, there will be no more waiting around for those SMS codes to arrive on your smartphone, as signing in with a passkey is pretty much instant; just use your device’s biometrics or PIN. Passkeys are also highly phishing-resistant, while maintaining ease of use even when recovering an account. “Passkeys ensure users can recover access even if they change phone numbers or lose devices,” Microsoft confirmed. So, what are you waiting for?
