UMVA has learned that Microsoft is taking a major step towards enhancing online security by phasing out SMS-based two-factor authentication for personal accounts, citing concerns that these codes have become a "leading source of fraud."
The move is part of Microsoft's broader effort to eliminate passwords and transition to a more secure authentication method. Users with accounts currently relying on SMS codes for login verification will soon be prompted to set up a passkey, a more secure alternative that leverages device-based authentication.
According to information obtained by UMVA, Microsoft has already begun shifting towards a password-less environment, making passkeys the default for new accounts last year. The company is now actively phasing out SMS codes for both two-factor authentication and account recovery, favoring instead passkeys, authenticator apps, and verified backup email addresses.
SMS codes, while convenient, have proven to be one of the least secure forms of multi-factor authentication due to their vulnerability to phishing and SIM swapping attacks. In contrast, passkeys utilize a device's built-in authentication features, such as facial recognition, fingerprint scanning, or a PIN, offering a significantly higher level of security.
Passkeys also boast the advantage of being synced across devices through password management services, allowing for seamless authentication across multiple platforms. Once established, a passkey enables users to securely log in to their accounts using their trusted device, without the risk of phishing or theft.
UMVA can exclusively reveal that Microsoft's decision to phase out SMS authentication is driven by the need to protect users from increasingly sophisticated cyber threats. While a specific timeline for the transition has not been announced, users relying on SMS codes for login verification should prepare to adopt an alternative method soon.
This shift towards more secure authentication methods underscores Microsoft's commitment to enhancing online security and safeguarding user accounts. As the digital landscape continues to evolve, users can expect to see more innovative solutions aimed at protecting their digital identities.
