Microsoft Ditches SMS-Based 2FA Because It's Too Easy to Hack
Microsoft is phasing out SMS-based two-factor authentication (2FA) and SMS one-time passwords (OTPs) for personal Microsoft accounts. Calling SMS-based logins "a leading source of fraud," the company now encourages users to use passkeys, the Microsoft Authenticator app, or a verified email to access their accounts on Windows, Microsoft Office, Xbox, and OneDrive.
For years, Microsoft's security leadership has warned that SMS and voice-based 2FA are among the weakest authentication methods. Attackers can take over a victim's phone number through SIM-swap fraud, intercept messages in transit on the carrier network, or use real-time phishing to trick users into typing one-time codes into a lookalike site that forwards them to the real login. SMS also has no end-to-end encryption, so its confidentiality depends entirely on carrier infrastructure, and delivery can be delayed or fail outright.
Passkeys and app-based authentication, by contrast, rely on public-key cryptography: the private key stays with the authenticator, and each login signature covers the site's origin and a fresh server challenge, so there is no code for a phishing page to relay and nothing for an attacker to replay. Microsoft now promotes these methods as the default and, for account recovery, is emphasizing verified email over text messages.
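The following is an added example, not code from Microsoft or from the original article, that shows why a relayed SMS code passes a server's check while a relayed passkey assertion does not. It models the WebAuthn assertion in simplified form: the relying-party origin `https://login.example.com`, the challenge string, and the `authData` bytes are constructed placeholders, and the relying-party checks that a real implementation also performs (RP ID hash, user-presence flags, signature counter, COSE key parsing) are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

const rpOrigin = "https://login.example.com" // hypothetical relying party

// clientData carries the WebAuthn clientDataJSON fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	AuthData       []byte // constructed stand-in for real authenticator data
	ClientDataJSON []byte
	Signature      []byte
}

// signedDigest is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// authenticatorSign models browser plus authenticator. The browser, not the web
// page, fills in Origin from the page that called navigator.credentials.get(),
// so a phishing page cannot claim the real site's origin.
func authenticatorSign(priv *ecdsa.PrivateKey, pageOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	if err != nil {
		return assertion{}, err
	}
	authData := []byte("rpIdHash|flags|counter") // constructed placeholder
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return assertion{authData, cd, sig}, err
}

// verifyAssertion is the relying party's side: type, challenge and origin must
// match what it expects, and the signature must cover exactly those bytes.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay)")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// relayedOTPAccepted models the SMS OTP check: the server compares strings, so a
// code the victim typed into a phishing page and the attacker forwarded passes.
func relayedOTPAccepted(issued string) bool {
	victimTyped := issued          // victim reads the code from SMS, types it on the phishing page
	attackerSubmits := victimTyped // attacker forwards it to the real site in real time
	return attackerSubmits == issued
}

// passkeyLogin runs the ceremony with the user's browser on pageOrigin and the
// result relayed to the real relying party; tamperOrigin has the attacker
// rewrite the origin field before relaying.
func passkeyLogin(pageOrigin string, tamperOrigin bool) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; a real RP issues a fresh one per login
	a, err := authenticatorSign(priv, pageOrigin, challenge)
	if err != nil {
		return err
	}
	if tamperOrigin {
		// The signed hash covered the original bytes, so this edit breaks the signature.
		a.ClientDataJSON = []byte(`{"type":"webauthn.get","challenge":"` + challenge + `","origin":"` + rpOrigin + `"}`)
	}
	return verifyAssertion(&priv.PublicKey, a, challenge)
}

func main() {
	fmt.Println("relayed SMS OTP accepted:", relayedOTPAccepted("482913"))
	fmt.Println("passkey from real site:", passkeyLogin(rpOrigin, false))
	fmt.Println("passkey from phishing site:", passkeyLogin("https://login-example.com", false))
	fmt.Println("passkey with forged origin:", passkeyLogin("https://login-example.com", true))
}
```

The relayed OTP passes because the server has no way to tell where the user typed it. The passkey assertion fails in both attack paths: an honest browser on the lookalike domain stamps that domain into clientDataJSON and the relying party rejects the origin, and if the attacker edits the origin to the real one the signature no longer covers the bytes presented.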
Users who currently rely on SMS to secure their Microsoft account will need to set up at least one of these alternatives. On timing, Microsoft's documentation says only that it will "start phasing out SMS as a method of authentication and account recovery," without giving a date.
