By Jon Martindale
Publication Date: 2026-05-21 19:10:00
Microsoft is continuing its passkey push by moving away from SMS-based two-factor authentication for local account logins, citing its vulnerability to exploitation and fraud. Instead, it wants everyone to start using passkeys (and eventually, ditch passwords altogether).
Although text messages have proved a useful way to add an extra layer of security to account logins, they were never designed for this purpose. SMS messages are sent in plaintext, which leaves them open to man-in-the-middle and number spoofing attacks.
“Microsoft is committed to advancing security standards and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts,” Microsoft said in an official advisory. “SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and…