- Microsoft says it will phase out SMS authentication and recovery due to increasing risk of fraud
- The company is switching to passwordless methods like passkeys and verified email for account security
- Researchers have warned of browser-based flaws in passkey workflows, but SMS remains widely criticized as insecure for 2FA
Windows 11 users will soon no longer be able to authenticate to or recover a Microsoft account via SMS, after the company revealed it is phasing out the feature.
In a new announcement published on Microsoft’s website, the company said it will begin phasing out SMS because “SMS-based authentication is now a leading source of fraud.”
It did not provide a specific timeline for when the phase-out could be completed, but instead emphasized that “the future of authentication is passwordless, secure and user-friendly.”
Are passkeys really that superior to passwords?
“By moving to accounts without passwords, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more hassle-free,” the guidance reads.
Passkeys work differently from passwords and OTP secrets. Instead of typing something you might forget or have stolen, a passkey uses a pair of cryptographic keys: one stored on the device and one stored by the service.
When a user logs in, the device proves it has the right key, unlocked with something like a fingerprint, face scan, or device PIN. The actual secret key never leaves the device, making passkeys more secure against phishing and data leaks.
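The challenge-response idea described above, as an added example that is not from Microsoft or the original article: a simplified model of passkey login for Node.js in which the service stores only a public key and checks the signed challenge and origin. The function names and the `login.example.test` origin are constructed for illustration.

```javascript
// Simplified passkey-style login. Real WebAuthn adds authenticator data,
// signature counters, CBOR encoding and attestation on top of this idea.
const nodeCrypto = require('crypto');

const EXPECTED_ORIGIN = 'https://login.example.test'; // constructed origin
const pendingChallenges = new Set(); // challenges issued but not yet used

// Registration: the device makes a key pair; the service gets only the public key.
function registerDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, storedPublicKey: publicKey };
}

// Service: a fresh random challenge for every login attempt.
function issueChallenge() {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  pendingChallenges.add(challenge);
  return challenge;
}

// Device: after the local fingerprint/face/PIN check, sign the challenge together
// with the origin reported by the browser. The private key is never sent.
function deviceSign(device, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  const signature = nodeCrypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Service: accept only a valid signature over our own unused challenge and origin.
function verifyLogin(storedPublicKey, { clientData, signature }) {
  const { challenge, origin } = JSON.parse(clientData);
  if (!pendingChallenges.delete(challenge)) return 'rejected: unknown or reused challenge';
  if (origin !== EXPECTED_ORIGIN) return 'rejected: wrong origin';
  const ok = nodeCrypto.verify('sha256', Buffer.from(clientData), storedPublicKey, signature);
  return ok ? 'accepted' : 'rejected: bad signature';
}

function demo() {
  const { device, storedPublicKey } = registerDevice();
  const good = deviceSign(device, issueChallenge(), EXPECTED_ORIGIN);
  const phished = deviceSign(device, issueChallenge(), 'https://login.example-test.invalid');
  return {
    genuine: verifyLogin(storedPublicKey, good),
    replayed: verifyLogin(storedPublicKey, good),
    lookalikeSite: verifyLogin(storedPublicKey, phished),
  };
}
console.log(demo());
```

The origin check is only as trustworthy as the browser that reports the origin, which is the layer the SquareX findings quoted in this article concern.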
Passkeys have been touted as the superior solution that, after decades, will finally “kill” the password.
However, not everyone agrees: in 2025, SquareX researchers presented findings claiming that the very browsers relied on to manage passkey workflows can be exploited in ways that bypass their protections.
“Passkeys are a very reliable form of authentication, so when users see a biometric prompt, they take it as a signal of security,” SquareX researcher Shourya Pratap Singh said at the time. “What they don’t know is that attackers can easily fake passkey registrations and authentication by intercepting the passkey workflow in the browser. This puts virtually any enterprise and consumer application, including critical banking and data storage apps, at risk.”
In any case, phasing out SMS for any form of authentication is commendable. For years, security researchers have warned that SMS should not be used for 2FA or any other form of authentication, as SIM swapping has made it quite easy to take over people’s accounts and wreak havoc.
Via Windows Latest




