Microsoft Phasing Out SMS Verification: Everything You Need to Know About Passkeys

Microsoft has announced it will soon remove SMS-based verification for personal Microsoft accounts, urging users to switch to passkeys. This change, which follows a year-long push requiring passkeys for new accounts, aims to enhance security and reduce fraud. Passkeys offer a more secure alternative to both passwords and SMS codes, using biometric authentication and unique keys. Below, we answer the most pressing questions about this transition.

1. What is Microsoft doing with SMS verification?

Microsoft is phasing out the option to receive a six-digit code via SMS for account logins, as reported by Windows Latest. The company plans to remove SMS verification entirely for personal Microsoft accounts, pushing users to adopt passkeys. While no concrete timeline has been given beyond “soon,” this move aligns with Microsoft’s broader strategy of eliminating weaker authentication methods. If you still rely on text message codes, you should start planning your migration now.

2. Why is Microsoft moving away from SMS codes?

SMS-based authentication has long been a target for attacks like SIM swapping, where hackers trick carriers into porting your number to their device. Microsoft explicitly states that “SMS-based authentication is now a leading source of fraud.” Unlike passkeys, SMS codes are not tied to your physical device’s hardware security, making them vulnerable to interception. The company aims to reduce risks by enforcing a stronger, phishing-resistant method that leverages biometrics and local encryption.

3. What exactly is a passkey and how does it work?

A passkey is not a single secret like a password but a cryptographic pair: one key stays on your device (protected by facial recognition, fingerprint, or PIN), and the other is held by the service you’re logging into, such as Microsoft. Both keys are required to authenticate. When you log in, your device proves possession of the private key without ever sending it over the network—this prevents theft and phishing. Unlike passwords, passkeys are unique per service, cannot be reused, and resist online guessing attacks.

4. How do I set up a passkey for my Microsoft account?

Setting up a passkey is straightforward. Go to your Microsoft account’s security settings and look for the “Passkey” or “Windows Hello” options. On a compatible device (Windows 10/11 with TPM 2.0, iPhone, or Android), you can create a passkey using Face ID, fingerprint, or PIN. Follow the on-screen prompts to register your device. Once created, you can use the passkey to sign in without entering a password or SMS code. For detailed steps, see our earlier guide on passkey setup for Microsoft accounts.

5. When will SMS verification be removed? Is there a deadline?

Microsoft has not announced a specific date or deadline. The phase-out will begin “soon,” according to the company. Given that passkeys have been mandatory for new accounts since a year ago, the removal of SMS for existing users should come as no surprise. To avoid being locked out or losing access, you should switch to a passkey as soon as possible, even if you still have the SMS option for now.

6. What if I can’t use a passkey? (e.g., on a virtual machine)

Microsoft has not yet clarified how logins will work for scenarios where passkeys are unavailable, such as on a virtual machine, inside a remote desktop, or on a device without biometric hardware. As of now, the company appears committed to enforcing passkeys, so it’s likely they will provide alternative methods like security keys (FIDO2) or authenticator app codes. However, until an official resolution is announced, users in such situations should keep an eye on Microsoft’s updates and consider alternative authentication options.

7. Why are passkeys considered more secure than passwords?

Passkeys are phishing-resistant by design because the private key never leaves your device. Even if a hacker tricks you into visiting a fake login page, they can’t capture your passkey. With passwords, a single set of characters can be stolen or guessed. SMS codes add a layer, but they can be intercepted via SIM swaps or network attacks. Passkeys also eliminate the problem of weak or reused passwords and provide a smoother user experience. Combined with biometrics, they offer a high level of security that is both convenient and robust.

Further reading: I was a passkey skeptic. Now I’m a believer