Microsoft Ends SMS Codes for Personal Accounts, Mandates Passkeys as Fraud Risks Rise
Updated
Updated · WindowsLatest · May 19
Microsoft Ends SMS Codes for Personal Accounts, Mandates Passkeys as Fraud Risks Rise
6 articles · Updated · WindowsLatest · May 19
Microsoft said personal account users will no longer receive 6-digit SMS codes for two-factor authentication or account recovery, and will instead be pushed to set up passkeys, authenticator apps and a verified backup email.
The shift is driven by security: Microsoft called SMS-based authentication a leading source of fraud, citing interception risks on cellular networks and SIM-swap attacks that can hand attackers control of verification codes.
Passkeys tie sign-ins to device biometrics or a local PIN through cryptographic keys that stay on the device or sync through services such as iCloud Keychain and Google Password Manager, making phishing far harder.
Microsoft said users will soon see prompts to sign in with their face, fingerprint or PIN, though the forced move may create edge-case problems in virtual machines and other setups without biometric hardware or security keys.
The change formalizes a broader passwordless push across the Windows ecosystem, replacing a long-standard fallback that had remained common because SMS codes were simple and nearly universal.
Microsoft is killing SMS codes for security, but what happens when you lose the one device that holds all your digital keys?
As passkeys replace passwords, are less tech-savvy users being left behind in the name of security?
Passkeys are hailed as the future, but could syncing them across devices create a new single point of failure?
Microsoft Phases Out SMS Codes by May 2026—A Complete Guide to Passkeys and Secure Account Recovery
Overview
Microsoft will phase out SMS codes as the main way to sign in and recover personal accounts by May 2026, responding to growing security threats. This move aims to better protect Windows 11 and user accounts from fraud and vulnerabilities. Instead of SMS, Microsoft is guiding users to set up stronger authentication methods, such as passkeys and verified backup email addresses. Passkeys offer a major security upgrade by using cryptographic keys—one stored on your device and one with Microsoft—making them much safer than traditional passwords or SMS codes. Users will soon see prompts to help them make this transition.