- Microsoft says it will phase out SMS authentication and recovery due to increased fraud risks.
- The company is adopting passwordless methods such as passkeys and verified emails for account security.
- Researchers have warned of browser-based flaws in passkey workflows, but SMS is still widely criticized as insecure for 2FA.
Windows 11 users will soon no longer be able to authenticate or recover their Microsoft accounts via SMS, after the company revealed that it is phasing out the feature.
In a new notice posted on Microsoft’s website, the company said it will begin phasing out SMS because “SMS-based authentication is now a significant source of fraud.”
It did not give a specific timeline for when the removal might be completed, instead emphasizing that “the future of authentication is passwordless, secure and easy to use.”
Are passkeys really that superior to passwords?
“By moving to accounts without passwords, passcodes, and verified email, we help you stay ahead of evolving threats while making account access simpler and seamless,” the notice reads.
Passkeys work differently than OTP passwords and secrets. Instead of typing something that you might forget or that could be stolen, a passkey uses a pair of cryptographic keys: one stored on the device and one stored by the service.
When a user logs in, the device proves it has the correct key after the user unlocks it with something like a fingerprint, facial scan, or device PIN. The actual secret key never leaves the device, making passkeys more secure against phishing and data leaks.
They have been touted as a superior solution that, after decades, will finally “kill” the password.
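The key-pair login described above, as an added sketch (not Microsoft's code and not the full WebAuthn protocol): the service stores only a public key and checks a signed challenge and origin. The function names and origin strings are hypothetical, and the sketch assumes the browser reports the origin honestly.

```javascript
// Added illustration: simplified passkey-style challenge-response (not full WebAuthn).
const crypto = require('node:crypto');

// Registration: the device creates a key pair; only the public half goes to the service.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, service: { publicKey } };
}

// Service side: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('hex');
}

// Device side: after the local unlock (fingerprint, face, PIN), sign the challenge
// together with the origin the browser reports. The private key is never returned.
function signAssertion(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service side: check the signature, then the challenge and origin that were signed.
function verifyAssertion(service, expectedChallenge, expectedOrigin, assertion) {
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData), service.publicKey, assertion.signature);
  if (!ok) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

// Constructed scenario: a genuine login, a look-alike origin, altered data, a replay.
function demo() {
  const ORIGIN = 'https://login.example.com'; // hypothetical service origin
  const { device, service } = registerPasskey();
  const c1 = newChallenge();
  const genuine = signAssertion(device, c1, ORIGIN);
  const phished = signAssertion(device, c1, 'https://login.example.net'); // signed on a look-alike page
  const tampered = { ...phished, clientData: JSON.stringify({ challenge: c1, origin: ORIGIN }) };
  return {
    genuine: verifyAssertion(service, c1, ORIGIN, genuine),
    phished: verifyAssertion(service, c1, ORIGIN, phished),
    tampered: verifyAssertion(service, c1, ORIGIN, tampered),
    replayed: verifyAssertion(service, newChallenge(), ORIGIN, genuine),
  };
}

console.log(demo());
```

Because the origin is inside the signed data, a response produced on a look-alike page fails at the real service, and rewriting the origin afterwards invalidates the signature.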
However, not everyone agrees: In 2025, SquareX researchers presented new findings claiming that the same browsers used to manage passkey workflows can be exploited in ways that bypass their protections.
“Passwords are a highly reliable form of authentication, so when users see a biometric message, they take it as a security signal,” SquareX researcher Shourya Pratap Singh said at the time. “What they don’t know is that attackers can easily spoof passkey registration and authentication by intercepting the passkey workflow in the browser. This puts virtually every business and consumer application at risk, including critical banking and data storage applications.”
In any case, the phasing out of SMS for any form of authentication is commendable. For years now, security researchers have warned that SMS should not be used for 2FA or any other form of authentication, as SIM swapping has made it quite easy to take over people’s accounts and wreak havoc.
Via Windows Latest





