devtake.dev

Microsoft is killing SMS codes on consumer Microsoft accounts. Passkeys take over by December.

Microsoft is phasing out SMS sign-in and recovery on personal Microsoft accounts by December 2026. Replacements: passkeys, Authenticator, or verified email.

Luca Reinhardt · 4 min read · 4 sources

Image: Microsoft's World Passkey Day 2026 promo art for passwordless authentication (Image: Microsoft)

Microsoft confirmed on Tuesday that it will stop accepting SMS codes as a sign-in or account-recovery factor on personal Microsoft accounts. “SMS-based authentication is now a leading source of fraud,” the company’s advisory reads. Phaseout starts now; full deprecation lands by December.

The change covers every consumer surface that runs on a Microsoft Account: Windows 11 sign-in, Outlook.com, OneDrive, Xbox, the consumer Microsoft 365 family plans, and Edge profile sync. Enterprise Entra ID tenants are not in scope; admins keep their existing MFA options. For everyone else, the phone number is moving from a credential to a contact field.

What changes, and when

Microsoft is rolling the deprecation in two phases, per Windows Latest’s coverage. New consumer accounts created from this week onward can’t add SMS as a security method at all. Existing accounts will see SMS auto-disabled as soon as the account has a stronger factor already configured. By December 2026, SMS is gone for every consumer scenario, including emergency recovery.

The acceptable replacements are passkeys, the Microsoft Authenticator app generating TOTP codes, or a verified secondary email. Windows 11’s first-run experience already nudges users toward passkey setup; the new policy upgrades that nudge to a requirement during account creation.

The reasoning, in Microsoft’s own advisory quoted by Cybernews: “SMS-based authentication is now a leading source of fraud.” Windows Central puts a sharper version of the same point in its piece: “SMS as MFA is horribly vulnerable on multiple fronts.” Both of those phrasings are unusually direct for Microsoft, and that’s the part of the announcement that matters. The company is no longer pretending SMS is acceptable.

Why SMS finally has to go

SMS two-factor was always a bridge. It defeated the dumbest credential-stuffing attacks but never survived a determined attacker. The three failure modes have been documented for years: SIM-swap attacks at the carrier, SS7 exploitation of the underlying telephony network, and straightforward phishing kits that intercept the code after the user types it. Carriers tightened their swap procedures after the 2019 Twitter CEO incident, but criminal pricing for a port-out attack is still under $200 in most markets.

The replacement, passkeys, fixes the phishing leg specifically. A passkey is a FIDO2 credential bound to the website’s origin: the device will only return it to the domain that created it, so an attacker-controlled login page can’t trick the user into authenticating. Microsoft Authenticator removes the SIM-swap exposure, since no code travels over the carrier network, but its app-generated codes are not phishing-resistant. Verified email is the floor, useful for recovery but weaker than either of the other two.
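What the origin binding looks like from the relying party's side, as an added example that is not Microsoft's code or part of the original article: the server checks that the browser-supplied origin in clientDataJSON and the authenticator-computed rpIdHash both match the site it expects, so an assertion produced on a lookalike login page is rejected before any signature is even examined. The RP ID, origin and challenge values are constructed, and the signature verification step is omitted.

```python
import base64
import hashlib
import json

# Assumed relying-party configuration (constructed for this example, not Microsoft's values).
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
# Constructed server-issued challenge; a real server draws fresh random bytes per ceremony.
CHALLENGE = bytes(range(32))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON, as the browser emits it for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def check_origin_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes):
    """Origin and RP-ID checks of WebAuthn assertion verification; returns (ok, reason).
    The signature over authenticatorData || SHA-256(clientDataJSON) must also be verified."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser fills in the origin itself; a lookalike login page cannot forge it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # rpIdHash is computed by the authenticator from the RP ID the browser handed it.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"
```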

For a developer reading this, the implication is that the floor for a Microsoft Account login is now equivalent to the recent Google and Apple defaults. The three big consumer identity providers have effectively converged on FIDO2 plus app-based TOTP as the baseline, and that convergence is what makes the phishing-kit economy harder to operate at scale.

What’s still unclear

Microsoft has not yet published a per-region timeline. The U.S. and EU should track the December cutoff cleanly; markets with poor smartphone penetration or where passkey support is thin may get a quiet extension. The advisory does not address what happens for users whose only recovery option today is SMS and who never set up an email or authenticator, beyond saying that those users will be prompted to add a method “well before” the cutoff.

The other open thread is the consumer Authenticator app itself. Microsoft retired the password-manager feature in Authenticator earlier this year, narrowing the app to authentication. Whether the team plans to broaden it back out, or push passkey storage into Edge and the operating system, isn’t spelled out in this week’s announcement.

What this means for you

If you sign into anything Microsoft with your phone number and a code, set up at least one of the three alternatives this week. The order to do it in: passkey first, because it’s the strongest and is now the default; Microsoft Authenticator second, for accounts where you don’t want a synced credential; verified email third, only as a recovery fallback.

If you administer a fleet of consumer-tier Microsoft accounts, this affects the Microsoft 365 Family plan that many small offices and households use. Audit which family-plan accounts still have SMS as the only second factor, and seed a passkey before December. Edge on Windows 11, Chrome with the Google Password Manager, 1Password, and Bitwarden all sync passkeys across devices; pick whichever one matches your existing password manager.

If you’re shipping a consumer product that still relies on SMS OTP for second factor, the floor just moved. The three platform providers running the world’s identity stack have all now said the same thing out loud. SMS as MFA was always vulnerable; it’s now also visibly behind the platform default. Match it or explain why not.
