
In a recent announcement, Microsoft says it is discontinuing SMS codes for account sign-in, a feature that lets users sign in to its applications, because of fraud and risk. The announcement went on to state that Windows 11 will soon be unable to authenticate or recover your Microsoft account by SMS.
Microsoft stated in a recent post on its website that it will begin phasing out SMS since “SMS-based authentication is now a leading source of fraud.”
It emphasized that the “future of authentication is passwordless, secure, and user-friendly,” but it did not specify when the phase-out may be finished.
Assessing passkeys and SMS codes: do passkeys truly outperform passwords?
The advice states, “We’re helping you stay ahead of evolving threats while making account access simpler and more seamless by moving to passwordless accounts, passkeys, and verified email.”
Passkeys function differently from OTP secrets and passwords. Instead of the user entering something that could be lost or stolen, a passkey makes use of two cryptographic keys, one saved on the device and one stored on the service.
The device uses a fingerprint, a facial scan, or a device PIN to verify that it has the correct key when a user logs in. Passkeys are more resistant to phishing and data leaks because the real secret key never leaves the device.
They have been hailed as an improved solution that will eventually “kill” the password after decades.
Not everyone agrees, though; SquareX researchers reported findings in 2025 asserting that the very browsers used to handle passkey workflows can be attacked in ways that get around their security.
“When users see a biometric prompt, they take that as a signal for security because passkeys are a highly trusted form of authentication,” SquareX researcher Shourya Pratap Singh stated at the time. They are unaware that by intercepting the passkey workflow in the browser, attackers can readily falsify passkey registrations and authentication. This risks almost every consumer and business application, including vital data storage and financial apps.
Either way, it’s commendable that SMS is being phased out for authentication. Security experts have cautioned for years that SMS should not be used for 2FA or any other type of authentication because SIM-swapping has made it very simple to take control of people’s accounts and cause chaos.
SMS-based authentication is being abandoned because text messages are sent in plaintext, making them vulnerable to interception, man-in-the-middle attacks, and SIM hijacking. In contrast, passkeys offer stronger security through device-bound public-key cryptography and local biometrics, which never leave the user's device, while also providing resilient account recovery via verified fallback emails and synced passkeys, ensuring access even if you lose your phone or switch carriers.
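The device-bound signing described above, as an added example (not Microsoft's code and not the real WebAuthn message format): a simplified Node.js model in which the device signs the service's challenge together with the origin the browser is on, so a response is only useful for that one sign-in at that one site. The origins, function names and result strings are assumptions made for the illustration.

```javascript
// Simplified model of a passkey sign-in; not the real WebAuthn message format.
const nodeCrypto = require('node:crypto');

// Registration: the device creates a key pair; the service keeps only the public key.
function registerPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serviceRecord: { publicKey } };
}

// Service: a fresh random challenge per sign-in attempt.
const newChallenge = () => nodeCrypto.randomBytes(32).toString('hex');

// Device: sign the challenge together with the origin the browser is actually on.
function deviceSign(device, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: nodeCrypto.sign(null, Buffer.from(clientData), device.privateKey) };
}

// Service: accept only a valid signature over its own challenge and origin.
function serviceVerify(serviceRecord, expected, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expected.challenge) return 'rejected: stale or unknown challenge';
  if (data.origin !== expected.origin) return 'rejected: origin mismatch';
  const ok = nodeCrypto.verify(null, Buffer.from(assertion.clientData),
    serviceRecord.publicKey, assertion.signature);
  return ok ? 'accepted' : 'rejected: bad signature';
}

// Constructed origins for the demonstration.
const REAL = 'https://login.example.com';
const LOOKALIKE = 'https://login.example.net';

function demo() {
  const { device, serviceRecord } = registerPasskey();
  const c1 = newChallenge();
  const first = deviceSign(device, c1, REAL);
  const genuine = serviceVerify(serviceRecord, { challenge: c1, origin: REAL }, first);
  // Signed while the browser was on a lookalike origin: useless at the real service.
  const c2 = newChallenge();
  const phished = serviceVerify(serviceRecord, { challenge: c2, origin: REAL },
    deviceSign(device, c2, LOOKALIKE));
  // A captured earlier response does not match the next challenge.
  const c3 = newChallenge();
  const replayed = serviceVerify(serviceRecord, { challenge: c3, origin: REAL }, first);
  // A leaked service record holds only the public key, so another key's signature fails.
  const forged = serviceVerify(serviceRecord, { challenge: c3, origin: REAL },
    deviceSign(registerPasskey().device, c3, REAL));
  return { genuine, phished, replayed, forged };
}
console.log(demo());
```

An SMS code has none of these bindings: it is a short value that works for whoever presents it first, which is why interception and SIM hijacking are enough to defeat it.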
If a user doesn’t already have a passkey, Windows 11 and Microsoft services will soon prompt the user to set one up during sign-in, while verified secondary emails will remain available as a fallback option for situations where biometrics can’t be used, such as when setting up a temporary virtual machine or a new PC. Additionally, a user can securely store and sync their Microsoft passkeys through Microsoft Password Manager, which is expanding its cross-platform support via Microsoft Edge.