Microsoft said it is phasing out SMS-based authentication and account recovery for personal Microsoft accounts, citing fraud, phishing, SIM-swapping, and delivery delays as key reasons for the change. Updated support guidance says users will be moved toward passwordless sign-in with passkeys and verified secondary email addresses, reflecting a broader industry retreat from SMS as a security control.
The company has begun rolling out a redesigned sign-in experience that encourages users to choose a "sign in faster" option and create a passkey backed by device biometrics or a PIN. Microsoft said passkeys can be stored on devices, in password managers, or through Windows Hello-compatible hardware across Windows 11, Android, iOS, and macOS, but it has not given a final cutoff date for SMS, meaning users who still rely on texted codes will need to set up a passkey or verified backup email before the transition is completed.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft began rolling out recent sign-in updates for personal accounts that support passkeys and prompt users to create one through a redesigned flow such as a "sign in faster" option. The changes support passwordless sign-in using device biometrics or PIN across supported platforms.
Microsoft said it will stop using SMS for authentication and account recovery on personal Microsoft accounts, citing fraud, phishing, SIM-swapping, and delivery reliability issues. The company directed users toward passkeys and verified secondary email addresses instead.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cysecurity.news
Open sourceghacks.net
Open sourcetechradar.com
Open sourcesupport.microsoft.com
Open sourcesupport.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.