Data Card
Microsoft begins phasing out SMS codes for personal account sign-in and recovery
Microsoft began phasing out SMS-based verification codes for personal account sign-in and recovery, steering users toward passkeys, authenticator apps, and hardware security keys.
2026-05-19CC-BY-4.0passkeyspasswordlessaccount-recovery
About
Key Facts
- The shift is intended to reduce exposure to SIM-swapping and other telecommunications-channel attacks.
- Microsoft is positioning FIDO2-compliant passkeys and hardware-backed methods as the preferred recovery and authentication baseline.
- The move extends passwordless authentication pressure from enterprise environments into consumer account recovery.
Card Text
This is a broad signal for authentication markets because account recovery has often remained dependent on weaker SMS channels even after primary login flows moved toward passkeys or authenticator apps.