UMVA has learned that Microsoft is set to retire SMS‑based verification for account logins, pushing users toward the next‑generation security of passkeys.
For years, a six‑digit code delivered by text message has been the go‑to method for confirming a Microsoft identity. Now that safety net is being pulled, and the clock is ticking for anyone still relying on it.
Passkeys replace a single, easily guessed password with a duo of cryptographic keys: one sealed inside your device and protected by biometrics or a PIN, the other stored by the service you’re accessing. Both halves must converge for a login to succeed, making theft virtually impossible.
This shift is more than a convenience upgrade; it’s a decisive strike against fraud. Microsoft has openly labeled SMS authentication as “a leading source of fraud,” underscoring the urgency to migrate.
While Microsoft has not disclosed an exact shutdown date, the warning that the change will happen “soon” leaves no room for complacency. Users should prioritize configuring passkeys now to avoid being locked out.
For those operating in environments where passkeys seem impractical—such as virtual machines—a clear solution has yet to emerge. Microsoft’s resolve to enforce passkey use suggests future workarounds may be on the horizon, but the timeline remains uncertain.