In brief: Despite dating back to 1993 and the GSM era, SMS codes remain fully active across authentication and identity verification workflows. Microsoft is among the bigger tech players pushing to retire the option entirely, offering customers a set of modern, more secure alternatives – though whether users will embrace the change or resist their SMS-ridden habits remains to be seen.

Microsoft has confirmed that SMS-based authentication and account recovery for personal accounts is on its way out. The company argues that plaintext SMS codes are no longer fit for purpose in secure authentication, particularly now that stronger alternatives are widely available across Windows and mobile platforms.

Redmond had signaled the shift earlier this year, and is now formalizing it through an updated support page.

The company characterizes SMS-based authentication as an active security liability, citing how cybercriminals increasingly exploit plaintext mobile messages to run fraud campaigns. SMS authentication is also susceptible to phishing, SIM-swapping, and other sophisticated attack vectors.

Also check out: Are Passwords Dead? What Are Passkeys, and Why Everyone's Talking About Them

In its place, Microsoft is steering users toward passwordless accounts, passkeys, and verified secondary email addresses. Passkeys are the clear priority – an allegedly phishing-resistant authentication method that becomes significantly harder to "crack" when paired with hardware biometrics or a device PIN.

Signing in with a passkey also eliminates the wait for SMS codes, which have a well-documented reputation for unreliability. On the account recovery side, passkeys and verified email addresses offer a more resilient fallback, especially for users who change phone numbers or lose access to their original device.

In practical terms, Microsoft is going to phase out SMS authentication with a redesigned authentication experience. When the user tries to sign in, the company will provide a new option to "sign in faster" after creating an on-device passkey. Microsoft's instructions include several passkey options, such as the ability to save the newly created key in password managers, smartphones, or Windows Hello's biometric hardware.

Microsoft is framing passkeys as an unambiguous upgrade over legacy mobile authentication that would render decades-old SMS tech obsolete. That said, the phase-out may create friction for users who still rely on traditional SMS verification in their day-to-day workflows.

In any case, Redmond says it "is committed to advancing security standards through secure by default experiences," adding that passkeys and verified (secondary) emails will help customers "stay ahead" of evolving threats.