SMS was never authentication, it was a phone call away from being bypassed. Microsoft just made it official.

Microsoft has confirmed it is phasing out SMS-based authentication and account recovery for all personal Microsoft accounts. The reason, stated plainly in their own advisory: “SMS-based authentication is now a leading source of fraud.” This affects every account tied to Windows, Outlook, Xbox, and OneDrive.

Why SMS authentication was always broken

Text messages were never designed to verify identity. They travel in plain text across cellular networks, making them vulnerable to interception. Worse, SIM-swap attacks, where an attacker socially engineers your carrier into transferring your number to a device they control, hand over every SMS one-time code instantly and silently.

The security industry has known this for years. NIST deprecated SMS-based OTP in 2016. Microsoft’s move is long overdue, but it sets a meaningful precedent for enterprise environments where SMS MFA is still considered “good enough.”

What replaces it

Microsoft is pushing three phishing-resistant alternatives:

  • Passkeys: Device-bound cryptographic authentication using Windows Hello, biometrics, or a PIN. The private key never leaves your hardware, making remote phishing attacks impossible.
  • Microsoft Authenticator app: TOTP-based app authentication, significantly harder to intercept than SMS.
  • Verified backup email: A secondary identity anchor for account recovery when no device is available.

What this means for IAM and security teams

If your organization still relies on SMS as an MFA factor for Microsoft 365, Azure AD, or any workforce identity flow, this is your forcing function to accelerate the move to phishing-resistant MFA. FIDO2 passkeys and authenticator apps are the direction every major identity provider is heading — Microsoft is just the loudest signal yet.

Audit your MFA enrollment policies now. Any user still on SMS-only MFA is one SIM swap away from a full account compromise.
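One way to run that audit, as an added example that is not part of the original post or any Microsoft tooling: classify each user's registered authentication methods by strength and list everyone whose only MFA factor is a phone number. The input is a constructed JSON export whose field names follow the shape of the Entra ID user registration details report (`userPrincipalName`, `isMfaRegistered`, `methodsRegistered`); the method taxonomy is an assumption you should align with your own policy.

```python
import json

# Assumed strength buckets for method names as they appear in the Entra ID
# user registration details report. Adjust to your organization's policy.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}
APP_BASED = {"microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless",
             "softwareOneTimePasscode"}
PHONE_BASED = {"mobilePhone", "alternateMobilePhone", "officePhone"}
# "email" is a recovery/SSPR method, not an MFA factor, so it is not counted.

# Constructed sample export (not real data).
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["passKeyDeviceBound", "mobilePhone"]},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": False,
     "methodsRegistered": []},
])

BUCKETS = ("phishing-resistant", "app-based", "sms-or-voice-only", "no-mfa")


def classify(methods):
    """Return the strongest MFA bucket a user's registered methods fall into."""
    m = set(methods)
    if m & PHISHING_RESISTANT:
        return "phishing-resistant"
    if m & APP_BASED:
        return "app-based"
    if m & PHONE_BASED:
        return "sms-or-voice-only"
    return "no-mfa"


def audit(export_json):
    """Group user principal names by MFA strength bucket."""
    report = {b: [] for b in BUCKETS}
    for user in json.loads(export_json):
        bucket = classify(user.get("methodsRegistered", []))
        report[bucket].append(user["userPrincipalName"])
    return report


def needs_remediation(export_json):
    """Users who must enroll a stronger factor: phone-only or no MFA at all."""
    report = audit(export_json)
    return sorted(report["sms-or-voice-only"] + report["no-mfa"])


if __name__ == "__main__":
    for bucket, users in audit(SAMPLE_EXPORT).items():
        print(f"{bucket:20s} {len(users):3d}  {', '.join(users)}")
```

Alice is not flagged even though she still has a phone number registered, because a passkey is present; the point of the audit is to find accounts where SMS is the only factor standing between a SIM swap and full compromise.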

Source: Windows Latest · Windows Central

Gabriel Magarino – Senior Security Manager | IAM Evangelist - Experienced leader with over 20 years in the IT and cybersecurity industry, specializing in Identity & Access Management. Expert in Okta, One Identity, SailPoint (IdentityIQ & IdentityNow), OneLogin, Delinea, and CyberArk. Passionate about exploring IAM and emerging technologies, coaching, and training IAM teams. Holds a Master’s in Computer Science and multiple certifications, including Okta Professional & Administration, One Identity Architect & Instructor, SailPoint Identity Now, ITIL, Scrum Master, among others. Currently pursuing a PhD with a focus on Computer Science and Artificial Intelligence.