Microsoft has begun phasing out SMS text messages as a method for two-factor authentication on Microsoft accounts. The company is pushing users toward passkeys and authenticator apps instead.
This change affects anyone logging into Microsoft services, including Outlook, OneDrive, Xbox, and Azure accounts. Users who currently rely solely on SMS codes for account verification will need to set up a different authentication method before SMS access disappears entirely.
Passkeys represent Microsoft's preferred alternative. These cryptographic credentials tie directly to your device and eliminate the need for passwords altogether. When you log in, your device confirms your identity without transmitting codes through text messages. Microsoft also accepts authenticator apps like Microsoft Authenticator, Google Authenticator, and Authy. These apps generate time-based codes on your phone rather than relying on carriers to deliver SMS messages.
The shift addresses real security gaps. SMS interception has become increasingly common. Hackers can perform SIM swaps to hijack your phone number and intercept text codes. They can also intercept SMS in transit through compromised carrier systems. Passkeys and authenticator apps avoid these vulnerabilities entirely since they don't depend on phone carriers or transmitted messages.
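To show why authenticator codes never touch a carrier, here is an added example (not Microsoft's code or part of the original article) of the standard time-based one-time password algorithm from RFC 6238: the code is computed locally from a shared secret and the clock. The function names and the `RFC_SECRET` constant are illustrative, and the secret is the RFC's published test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: derive a code from secret + current time step."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    # The moving factor is the number of whole steps since the Unix epoch.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks the offset.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           step: int = 30, drift_steps: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus a small clock-drift window."""
    matched = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = max(0, unix_time + delta * step)
        expected = totp(secret_b32, t, step, digits)
        # Constant-time comparison; check every window slot rather than returning early.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


# Constructed sample input: the ASCII test key published in RFC 6238 / RFC 4226.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code:", code)
    print("accepted now:", verify(RFC_SECRET, code, now))
    print("accepted two minutes later:", verify(RFC_SECRET, code, now + 120))
```

Nothing in the exchange is delivered over the phone network, so a SIM swap gives an attacker no code to intercept; the value that needs protecting is the shared secret stored in the app and on the server.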
For most users, transitioning takes just a few minutes. You can add passkeys through your Microsoft account security settings on any trusted device. Alternatively, download an authenticator app, scan a QR code, and you're done. The authenticator approach works across all your devices and provides recovery codes in case you lose access.
Users with older devices or limited tech comfort may experience friction. Not every phone or browser supports passkeys yet. Authenticator apps remain widely compatible and serve as a middle ground. Microsoft is not eliminating passwordless sign-in options, just the least secure ones.
This follows similar moves by Apple, Google, and Meta. These companies recognize that SMS codes offer false confidence. Attackers routinely
