Microsoft is officially killing SMS verification for personal accounts

For some time now, it has been possible to authenticate your Microsoft account logins by receiving a six-digit code via SMS. Windows Latest now reports that SMS verification will be removed soon.

It seems Microsoft wants users who still rely on SMS verification to now switch to passkeys. This comes as no surprise, however, given that Microsoft began mandating passkeys for new Microsoft accounts a year ago.

Unlike a password, which is just a unique set of characters that can be stolen or guessed by hackers, a password is actually a pair of two unique keys: one key stored on your device and protected by biometrics (i.e. facial recognition, fingerprints, or PINs), the other key held by the website, app, or service for which you created a user account. Both keys are required for a successful connection.

Switching to passwords is the smartest decision you can make for digital security, especially if you still use SMS codes. We’ve already covered why SMS passcodes aren’t secure (Microsoft clearly states that “SMS authentication is now a leading source of fraud”) and how to set up passwords for Microsoft accounts.

Unfortunately, Microsoft hasn’t given a concrete timeline for phasing out SMS authentication other than “soon.” As such, you’ll want to make it a priority and change as soon as possible.

What happens if you can’t use passwords, for example when trying to log in to Windows on a virtual machine? As of this writing, there is no clear answer. Microsoft seems to want to enforce passkeys and we can only wait to see how it resolves logins for cases without passkeys.

Further reading: I was a password skeptic. Now I’m a believer