Microsoft Is Ditching SMS Codes for Two-Factor Authentication.
If you have a Microsoft account that uses SMS for two-factor authentication, you may soon have to choose a more secure sign-in method. As Windows Latest reports , the company is phasing out SMS authentication codes for personal accounts, stating that they are “currently a major source of fraud.” Users will be prompted to set a password.
Microsoft is trying to get rid of passwords.
Microsoft has already begun the transition to a passwordless environment—last year, the company made passwords the default key for new accounts during setup. Now, it’s gradually phasing out SMS codes for two-factor authentication and account recovery in favor of passwords, authenticator apps, and verified recovery email addresses.
SMS codes are quick to set up and easy to use. However, they are also one of the least secure forms of multi-factor authentication (MFA), as they are highly susceptible to phishing and SIM-swapping attacks. Authenticator apps (which generate temporary codes that change every 30 seconds) can be slightly better, but the best MFA option is authentication based on WebAuthn credentials, such as biometrics and passwords.
Passwords use your device’s built-in authentication methods , such as facial recognition, fingerprint scanning, or a PIN. They can also be synced across devices using password management services. Once you create a password, you can authenticate your login anywhere using one of these methods on your trusted device. Passwords are impossible to steal or obtain through phishing, and they only work on the legitimate domain for which they were created (so they won’t prompt you for authentication if you try to log in to a fake site). They also require your trusted device to be physically close to the device you’re logging in from, so they can’t be used to access your accounts remotely.
While an exact date for the end of SMS authentication has not yet been set, Microsoft users should expect to transition to an alternative method soon.