Microsoft is moving to eliminate text-message login codes for personal accounts, pushing users instead toward passkeys and verified email addresses.
The change affects anyone with a personal Microsoft account, which can include access to Outlook, OneDrive, Windows, Xbox, and Microsoft 365, according to Fox News. Microsoft has not listed a universal cutoff date for every personal account. However, it says users who still rely on SMS will be guided to add a verified email and set up a passkey.
The company says SMS authentication has become a major source of fraud. Text messages can be intercepted, stolen through SIM-swap scams, or captured through phishing attacks. In a SIM-swap scam, a criminal calls a phone carrier and attempts to transfer a victim's number to a different SIM card, gaining control of any codes sent to that number. Phishing attacks work differently: a fake Microsoft login page asks a user to enter their code, which a scammer can then use immediately.
Because a Microsoft account can connect to email, cloud storage, saved payment details, and other services, a single compromised login can create significant damage. Once inside, a criminal may read email, reset passwords on other accounts, or access private files stored in the cloud.
A passkey replaces the traditional password with something tied directly to a user's device. That can be a face scan, fingerprint, device PIN, or a physical security key. The system uses cryptography, with one part stored with Microsoft and the other remaining on the user's device. That structure makes it much harder for a remote attacker to steal credentials without physical access to the device itself.
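The two "parts" are a public/private key pair: the service keeps the public key, the device keeps the private key and signs a fresh challenge at each login. The sketch below is an added example, not Microsoft's code and not the WebAuthn wire format; it models the server-side check in Node.js and contrasts it with an SMS-style code. The origin, function names and sample code value are assumptions constructed for illustration.

```javascript
// Added illustration: simplified passkey-style challenge/response (not the WebAuthn wire format).
const nodeCrypto = require("node:crypto");

const RP_ORIGIN = "https://login.example.test"; // hypothetical relying-party origin

// Registration: the key pair is created on the device; only the public key goes to the service.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  return { device: { privateKey }, server: { publicKey } };
}

// Server issues a random one-time challenge and remembers it until it is used.
function newChallenge(pending) {
  const c = nodeCrypto.randomBytes(32);
  pending.add(c.toString("base64url"));
  return c;
}

// Device side: sign the challenge together with the origin the browser actually loaded.
function deviceSign(device, challenge, pageOrigin) {
  const clientData = JSON.stringify({ challenge: challenge.toString("base64url"), origin: pageOrigin });
  const signature = nodeCrypto.sign(null, Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server side: one-time challenge, expected origin and signature must all check out.
function serverVerify(server, pending, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (!pending.delete(data.challenge)) return "reject: unknown or reused challenge";
  if (data.origin !== RP_ORIGIN) return "reject: wrong origin";
  const ok = nodeCrypto.verify(null, Buffer.from(assertion.clientData), server.publicKey, assertion.signature);
  return ok ? "accept" : "reject: bad signature";
}

// SMS-style check for contrast: the code says nothing about which page it was typed into.
function smsVerify(expectedCode, submittedCode) {
  return submittedCode === expectedCode ? "accept" : "reject";
}

function demo() {
  const { device, server } = registerPasskey();
  const pending = new Set();
  const genuine = serverVerify(server, pending, deviceSign(device, newChallenge(pending), RP_ORIGIN));
  // Constructed look-alike origin: the signature is valid but covers the wrong origin.
  const lookalike = deviceSign(device, newChallenge(pending), "https://login.example-test.invalid");
  const relayed = serverVerify(server, pending, lookalike);
  const replayed = serverVerify(server, pending, lookalike); // same assertion submitted twice
  const sms = smsVerify("492013", "492013"); // constructed code; valid wherever it was entered
  return { genuine, relayed, replayed, sms };
}
console.log(demo());
```

Because the private key never leaves the device and each signature covers both the challenge and the origin, a response produced on a look-alike page fails verification at the real service, while a text-message code remains valid no matter where it was entered.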
Text-message codes were widely adopted as an improvement over passwords alone and helped make account logins safer for many years. Security experts have increasingly flagged their weaknesses as criminal methods have grown more sophisticated.
Microsoft has not specified a firm date by which all personal accounts must transition away from SMS codes.
