Microsoft has made an announcement: it will gradually discontinue the SMS verification code service for personal Microsoft accounts. SMS verification codes, sent in plaintext and vulnerable to interception, along with security threats like SIM card swapping attacks, have emerged as a major avenue for online fraud. Consequently, Microsoft is vigorously advocating for passkeys as the default login method for personal accounts. Passkeys, built on the FIDO2 standard, offer a substantial security upgrade.

Currently, the adoption of passkeys within Microsoft is surging, with passwordless authentication boasting a 95% success rate and login speeds soaring by 14 times. For enterprise users, Microsoft Entra ID's support for passkeys has entered the public beta stage. Moreover, third-party password managers and Microsoft Password Manager both provide passkey functionality.

Microsoft has also commenced the phasing out of SMS and voice verification codes in enterprise settings. Organizations relying on outdated authentication methods must finish migrating administrative settings by September 30, 2026. Failing to do so will result in the discontinuation of the legacy verification process starting October 1.