Microsoft finally ends using SMS codes for account sign-in — with passkeys officially taking over


  • Microsoft says it will phase out SMS authentication and recovery due to rising fraud risks
  • The company is shifting toward passwordless methods like passkeys and verified email for account security
  • Researchers have warned of browser‑based flaws in passkey workflows, but SMS remains widely criticized as unsafe for 2FA

Windows 11 will soon no longer be able to authenticate or recover your Microsoft account via SMS after the company revealed it is phasing out the feature.

In a new advisory published on the Microsoft website, the company said it will start phasing out SMS because “SMS-based authentication is now a leading source of fraud.”

It did not give a specific timeline for when the phase-out might be complete, but instead stressed that the “future of authentication is passwordless, secure, and user-friendly.”


Are passkeys really that superior to passwords?

“By moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless,” the advisory reads.

Passkeys work differently than passwords and OTP secrets. Instead of typing something that can be forgotten or stolen, a passkey uses a pair of cryptographic keys: one stored on the device and one stored by the service.

When a user logs in, the device proves it has the right key once the user unlocks it with something like a fingerprint, a facial scan, or a device PIN. The actual secret key never leaves the device, making passkeys more secure against phishing and data leaks.
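The key-pair login described above can be modelled in a few lines. This is an added example, not code from Microsoft or from the advisory: it is a simplified model built on Node.js's built-in `crypto` module rather than the real WebAuthn message format, and the function names and origins are constructed for illustration.

```javascript
// Added illustration: a simplified passkey sign-in, not the real WebAuthn wire format.
const crypto = require("crypto");

// Device side: the private key is generated on the device and never returned.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const sign = (challenge, origin) => {
    // In a real browser the origin is filled in by the browser, not by the page.
    const clientData = JSON.stringify({ challenge, origin });
    return { clientData, signature: crypto.sign("sha256", Buffer.from(clientData), privateKey) };
  };
  return { publicKey, sign }; // only publicKey is handed to the service
}

// Service side: a fresh random challenge for every sign-in attempt.
const newChallenge = () => crypto.randomBytes(32).toString("hex");

function verifyAssertion(storedPublicKey, expectedOrigin, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== expectedOrigin) return "reject: wrong origin";
  if (data.challenge !== expectedChallenge) return "reject: unknown challenge";
  const ok = crypto.verify("sha256", Buffer.from(assertion.clientData),
                           storedPublicKey, assertion.signature);
  return ok ? "accept" : "reject: bad signature";
}

function demo() {
  const origin = "https://login.example"; // constructed service origin
  const passkey = createPasskey();
  const stored = passkey.publicKey;       // all the service ever holds

  const c1 = newChallenge();
  const genuine = verifyAssertion(stored, origin, c1, passkey.sign(c1, origin));

  // A look-alike page forwards a real challenge, but the signed origin is its own.
  const c2 = newChallenge();
  const lookalike = verifyAssertion(stored, origin, c2,
    passkey.sign(c2, "https://login.example.lookalike.test"));

  // A captured assertion is useless against the next challenge.
  const replayed = verifyAssertion(stored, origin, newChallenge(), passkey.sign(c1, origin));

  // Knowing the stored public key does not let another key pair sign for it.
  const c3 = newChallenge();
  const wrongKey = verifyAssertion(stored, origin, c3, createPasskey().sign(c3, origin));

  return { genuine, lookalike, replayed, wrongKey };
}

console.log(demo());
```

Only the genuine sign-in is accepted; an SMS code, by contrast, is a shared value that works wherever it is typed.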

They have been touted as a superior solution that will, after decades, finally “kill” the password.

However, not everyone agrees. In 2025, SquareX researchers presented findings claiming that the very browsers relied upon to manage passkey workflows can be exploited in ways that bypass their protections.

“Passkeys are a highly trusted form of authentication, so when users see a biometric prompt, they take that as a signal for security,” SquareX researcher Shourya Pratap Singh said at the time. “What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts pretty much every enterprise and consumer application, including critical banking and data storage apps, at risk.”

In any case, phasing out SMS for any form of authentication is worthy of praise. For years now, security researchers have warned that SMS should not be used for 2FA or any other form of authentication, since SIM-swapping has made it quite easy to take over people’s accounts and wreak havoc.

Via Windows Latest




Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
