Microsoft Phases Out SMS Authentication for Personal Accounts

Severity: Medium (Score: 51.9)

Sources: The Register, support.microsoft.com, ExtremeTech

Published: 2026-05-20 · Updated: 2026-05-20

Keywords: microsoft, personal, authentication, accounts, security, method, recovery

Summary

Microsoft has announced the discontinuation of SMS codes for personal account authentication and recovery, citing security vulnerabilities such as phishing and SIM-swap attacks. The company is transitioning to passwordless authentication methods, including passkeys and verified email, to enhance security and user experience. This change affects all personal Microsoft account users, aiming to reduce fraud risks associated with SMS-based methods. Users will be guided to create passkeys during the login process, which utilize biometrics or device PINs for secure access. The UK’s National Cyber Security Centre has endorsed passkeys as a standard, indicating a broader industry shift. Microsoft has been implementing passwordless accounts since 2025, making this announcement a formal confirmation of a trend already in progress. The exact timeline for the complete removal of SMS authentication has not been disclosed.

Key Points:

  • Microsoft is ending SMS authentication for personal accounts due to security vulnerabilities.
  • Users will transition to passwordless methods, including passkeys and verified email.
  • The UK’s National Cyber Security Centre has endorsed passkeys as a standard.

Detailed Analysis

**Impact** Personal Microsoft account users globally are affected by the discontinuation of SMS-based authentication and account recovery. This change impacts millions of users who rely on SMS codes for sign-in and recovery, increasing security by reducing exposure to phishing and SIM-swap attacks. Business and operational consequences include the need for users to adopt new authentication methods, potentially affecting user experience and support demand. No specific sectors or geographies beyond personal account holders were detailed.

**Technical Details** The primary attack vectors targeted are phishing and SIM-swap attacks exploiting SMS-based authentication. Microsoft is replacing SMS with passwordless authentication methods including passkeys, verified email, and biometric device authentication, which are phishing-resistant. No malware, CVEs, or infrastructure details were provided. The transition affects the authentication and account recovery stages of the kill chain. No IOCs were mentioned.

**Recommended Response** Defenders should prioritize transitioning users from SMS authentication to passkeys and verified email for account access and recovery. Organizations should educate users on setting up passkeys and using biometric authentication to reduce risk. Monitoring for phishing and SIM-swap attempts remains important during the transition period. No specific patches or detections were indicated in the articles.

Source articles (3)

  • Microsoft To Stop Sending SMS Codes For Personal Accounts — support.microsoft.com · 2026-05-20
    Microsoft is committed to advancing security standards and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts. Microsoft believes…
  • Microsoft Ditches SMS-Based 2FA Because It's Too Easy to Hack — ExtremeTech · 2026-05-20
    Microsoft is phasing out SMS-based two-factor authentication (2FA) and SMS one-time passwords (OTPs) for personal Microsoft accounts. Calling SMS-based logins "a leading source of fraud," the compan…
  • Microsoft says cu l8r to text message security — The Register · 2026-05-20
    Old, busted, insecure authentication to be replaced with something shinier and safer Microsoft has confirmed that SMS is on the way out as a method of authentication and recovery for personal Microsof…

Timeline

  • 2025-01-01 — Microsoft begins passwordless account rollout: Microsoft announced that all new accounts would be passwordless by default, starting a shift in authentication methods.
  • 2026-04-01 — UK endorses passkeys as authentication standard: The UK's National Cyber Security Centre officially recommended the adoption of passkeys for enhanced security.
  • 2026-05-20 — Microsoft announces end of SMS authentication: Microsoft confirmed it will phase out SMS codes for personal accounts, promoting passkeys and verified email instead.

Related entities

  • Phishing (Attack Type)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • T1566.002 - Spearphishing Link (MITRE ATT&CK)
  • T1566 - Phishing (MITRE ATT&CK)