Microsoft's phase-out of SMS sign-in marks a significant turning point in how millions of users authenticate to their accounts. The company is systematically moving away from SMS-based sign-in and multifactor authentication, replacing them with passwordless methods like passkeys and the Microsoft Authenticator app. This shift reflects a broader industry recognition that SMS codes, despite their ubiquity, are fundamentally weak from a security perspective.
Key Takeaways
- Microsoft is ending SMS-based sign-in in favor of passkeys and passwordless authentication methods
- SMS codes are vulnerable to SIM swap, interception, delivery delays, and phishing attacks
- Microsoft Authenticator app and FIDO2 security keys are the recommended replacements
- The transition affects both personal Microsoft accounts and enterprise Entra deployments
- Frontline workers and organizations can still use SMS temporarily, but it is no longer recommended
Why Microsoft Is Killing SMS Codes
SMS-based authentication has a well-documented vulnerability problem. Messages can be intercepted, SIM cards can be swapped by attackers, and delivery times are unpredictable—all weaknesses that phishing campaigns actively exploit. Microsoft’s own documentation acknowledges these flaws and explicitly discourages SMS as a primary authentication method. The company has been pushing users away from SMS toward stronger alternatives for years, but this transition marks the formal end of SMS sign-in as a supported option.
The shift is not arbitrary. Passkeys and hardware security keys offer what SMS cannot: phishing resistance. A passkey is cryptographically bound to a specific service, making it impossible for attackers to trick users into authenticating to a fake login page. SMS codes, by contrast, are generic one-time passwords that work on any site claiming to be Microsoft. An attacker who intercepts an SMS code can use it immediately. That fundamental difference explains why Microsoft is making this change now.
What Users Need to Switch To
Microsoft is promoting three main alternatives: the Microsoft Authenticator app, passkeys, and FIDO2 security keys. The Authenticator app is the easiest transition for most users—it sends push notifications to your phone instead of relying on SMS, and it integrates smoothly with Windows and mobile devices. Passkeys are the long-term direction, storing authentication credentials locally on your device and syncing them across platforms via cloud backup. FIDO2 keys are the most secure option for users who want a dedicated hardware device.
For enterprise customers, Microsoft Entra SMS-based sign-in was designed primarily for frontline workers and is not recommended for information workers. Organizations can still enable SMS temporarily through the Entra admin center, but Microsoft’s guidance is clear: this is a transitional method, not a permanent solution. The company has already started rolling out automated prompts during sign-in that encourage users to set up Microsoft Authenticator instead.
Who This Change Actually Affects
The transition creates real friction for certain groups. Users without smartphones, people in regions with unreliable cellular networks, and small business owners who rely on SMS as their primary verification method will need to adapt. Microsoft’s documentation indicates that SMS sign-in availability is organization-dependent and can be controlled by administrators, meaning some users may lose access to SMS sign-in on a schedule set by their IT department.
The broader implication is that SMS authentication is becoming a legacy technology. As Microsoft, Google, Apple, and other major platforms move away from it, the entire ecosystem shifts. Users who have relied on SMS for years will need to learn new authentication habits. That adjustment period is inevitable, but it is worth the security gain—SMS interception, SIM swapping, and SIM cloning are real threats that passkeys and hardware keys eliminate entirely.
The Bigger Picture: Passwordless Is the Future
This change is part of a larger industry trend toward passwordless authentication. Microsoft has been vocal about its belief that the future of security is passwordless, user-friendly, and resistant to phishing. Passkeys achieve all three: users do not type passwords, they approve sign-in attempts on their device, and the cryptographic binding to each service prevents phishing attacks from working.
The transition will not happen overnight. Microsoft support documentation shows that SMS sign-in setup is still possible through the Entra admin center, meaning organizations and individual users will have a window to migrate. But the direction is unmistakable. Microsoft is betting that the inconvenience of switching authentication methods now is far smaller than the security risk of maintaining SMS sign-in indefinitely.
How to Set Up Microsoft Authenticator Instead
For users switching from SMS, the Microsoft Authenticator app is the quickest replacement. The setup process is straightforward: add the Microsoft Authenticator app to your phone, sign in with your Microsoft account, and enable push notifications. When you sign in from a new device, the app sends a notification to your phone asking you to approve or deny the attempt. You tap approve, and you are signed in—no codes to type, no SMS delays.
Passkeys offer a more seamless experience once set up but require a bit more initial configuration. You create a passkey through your Microsoft account settings, and it gets synced to your cloud backup. On subsequent sign-ins, Windows or your mobile device recognizes the passkey and authenticates automatically. For users with multiple devices, this is significantly faster than SMS codes.
Is This Change Mandatory?
Not immediately. Microsoft is phasing out SMS sign-in gradually, and the company has not announced a hard deadline for complete removal. However, the writing is on the wall. If you still rely on SMS codes for your Microsoft account, switching to Microsoft Authenticator or passkeys now will save you from being forced to migrate later under pressure. Organizations that still use SMS for authentication should plan their transition sooner rather than later.
What happens if I do not set up a passwordless method?
Microsoft will eventually require it. The company is already sending automated prompts to users during sign-in, encouraging them to enable Microsoft Authenticator. If you ignore these prompts, you may eventually lose access to SMS sign-in when Microsoft completes the phase-out. Setting up an alternative authentication method now prevents disruption later.
Can I still use SMS if my organization allows it?
Yes, for now. Microsoft Entra administrators can still enable SMS sign-in for their organization through the Entra admin center, and some organizations may maintain SMS as a fallback option for specific scenarios. However, Microsoft explicitly recommends against this for information workers and plans to deprecate SMS entirely. Relying on SMS as a long-term solution is not advisable.
Is passkey authentication really more secure than SMS?
Absolutely. Passkeys are cryptographically bound to the specific service you are signing into, which means they cannot be used on a phishing site even if an attacker tricks you into visiting a fake login page. SMS codes are generic and work on any site that requests them, making them vulnerable to phishing. Additionally, passkeys cannot be intercepted or stolen via SIM swap attacks, which are a common way attackers compromise SMS-based accounts.
Microsoft’s move away from SMS sign-in is overdue. SMS codes have been a security liability for years, and the company is finally taking decisive action to phase them out in favor of genuinely secure alternatives. For users, the message is clear: switch to Microsoft Authenticator or passkeys now, and you will avoid the chaos of being forced to migrate later. The future of authentication is passwordless, and Microsoft is pushing everyone toward it—whether they are ready or not.
Edited by the All Things Geek team.
Source: TechRadar


