TechRadar
Sead Fadilpašić

Microsoft finally ends using SMS codes for account sign-in — with passkeys officially taking over

  • Microsoft says it will phase out SMS authentication and recovery due to rising fraud risks
  • The company is shifting toward passwordless methods like passkeys and verified email for account security
  • Researchers have warned of browser‑based flaws in passkey workflows, but SMS remains widely criticized as unsafe for 2FA

Windows 11 will soon no longer be able to authenticate or recover your Microsoft account via SMS after the company revealed it is phasing out the feature.

In a new advisory published on the Microsoft website, the company said it will start phasing out SMS because “SMS-based authentication is now a leading source of fraud.”

It did not give a specific timeline for when the phase-out might be complete, but instead stressed that the “future of authentication is passwordless, secure, and user-friendly.”

Are passkeys really that superior to passwords?

“By moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless,” the advisory reads.

Passkeys work differently than passwords and OTP secrets. Instead of typing something that you can forget or that can be stolen, a passkey uses a pair of cryptographic keys: one stored on the device and one stored by the service.

When a user logs in, the device proves it has the right key, with the user confirming through something like a fingerprint, a facial scan, or a device PIN. The actual secret key never leaves the device, making passkeys more secure against phishing and data leaks.
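The login flow described above, as an added example that is not part of the original article or any Microsoft code: a simplified, WebAuthn-style model in Node.js showing why a replayed response, a look-alike site and a leaked server record all fail. The origins, the `login.example` name and every function name are constructed for illustration, and the message layout is a reduced stand-in for the real WebAuthn format.

```javascript
// Added illustration: simplified passkey (WebAuthn-style) challenge-response.
// Not the real wire format; origins, names and layout are constructed assumptions.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the device creates the key pair; the service stores only the public key.
function registerPasskey(rpId) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Service side: a fresh random challenge for every login attempt.
const newChallenge = () => nodeCrypto.randomBytes(32).toString('hex');

// Device side: runs only after local user verification (fingerprint, face, PIN).
// The browser, not the page, supplies the origin it is actually connected to.
function signAssertion(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin: browserOrigin });
  const signedBytes = Buffer.concat([sha256(device.rpId), sha256(clientData)]);
  return { clientData, signature: nodeCrypto.sign('sha256', signedBytes, device.privateKey) };
}

// Service side: check challenge and origin, then the signature against the stored public key.
function verifyAssertion(record, expectedChallenge, expectedOrigin, assertion) {
  const clientData = JSON.parse(assertion.clientData);
  if (clientData.challenge !== expectedChallenge) return 'stale-or-replayed-challenge';
  if (clientData.origin !== expectedOrigin) return 'origin-mismatch';
  const signedBytes = Buffer.concat([sha256(record.rpId), sha256(assertion.clientData)]);
  const valid = nodeCrypto.verify('sha256', signedBytes, record.publicKey, assertion.signature);
  return valid ? 'ok' : 'bad-signature';
}

// Four login attempts against the same account record.
function demo() {
  const { device, serverRecord } = registerPasskey('login.example');
  const origin = 'https://login.example';
  const c1 = newChallenge();
  const good = signAssertion(device, c1, origin);
  const c2 = newChallenge();
  const relayed = signAssertion(device, c2, 'https://login-example.invalid');
  // Someone holding only the leaked server record has no private key to sign with.
  const forged = signAssertion(registerPasskey('login.example').device, c2, origin);
  return {
    genuine: verifyAssertion(serverRecord, c1, origin, good),
    replay: verifyAssertion(serverRecord, c2, origin, good),
    lookalike: verifyAssertion(serverRecord, c2, origin, relayed),
    forged: verifyAssertion(serverRecord, c2, origin, forged),
  };
}
console.log(demo());
```

An SMS code, by contrast, is a shared secret that the user can be tricked into typing anywhere; nothing in it is bound to the site that requested it.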

They have been touted as a superior solution that will, after decades, finally “kill” the password.

However, not everyone agrees. In 2025, SquareX researchers presented new findings claiming that the very browsers relied upon to manage passkey workflows can be exploited in ways that bypass their protections.

“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” SquareX researcher Shourya Pratap Singh said at the time. “What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts pretty much every enterprise and consumer application, including critical banking and data storage apps, at risk.”

In any case, phasing out SMS for any form of authentication is worthy of praise. For years now, security researchers have warned that SMS should not be used for 2FA or any other form of authentication, since SIM-swapping has made it quite easy to take over people’s accounts and wreak havoc.

Via Windows Latest
