Microsoft wants to kill SMS logins for good
The familiar “enter the code we just texted you” experience may soon disappear from personal Microsoft accounts. The company is quietly shifting users away from SMS verification and toward passkeys, authenticator apps, and verified email recovery instead.

Microsoft says the reason is that text messages have become a weak link in account security. SMS codes are vulnerable to phishing, social engineering, and SIM-swap attacks, where criminals steal a victim’s phone number to intercept login codes. In Microsoft’s view, passwords and text messages belong to an older internet era that attackers already know how to exploit.
The replacement is passkeys, a system that uses your device itself as proof of identity. Instead of typing a password and waiting for a code, users authenticate with fingerprints, facial recognition, or a device PIN. Microsoft describes it as both safer and more seamless, since nothing sensitive is being sent through text messages.
The transition has already started quietly. New Microsoft accounts are no longer consistently offered SMS recovery options, and users are increasingly seeing prompts encouraging them to switch to passkeys under banners like “Sign in faster”.
Not everyone is thrilled. While passkeys improve security, critics argue they can become awkward in real-world use, especially for people who switch between multiple devices or operating systems, or who rely on temporary logins. What used to take a phone number and a quick text can now involve QR codes, device syncing, or ecosystem-specific workarounds.
Still, Microsoft appears fully committed to the change. The company has spent months pushing a broader “passwordless” strategy across Windows 11 and its online services.
