While having two-factor authentication (2FA) enabled is always safer than not having it, not all methods are equal. We’re used to the trusty SMS 2FA method, where a company sends you a text during the login process and asks you to enter a code. However, when a security measure goes on long enough without any major revamps, bad actors find ways to get around it.

While SMS 2FA was once a bastion of protection, it has now become one of the main attack vectors bad actors use to get into accounts. As such, Microsoft has announced that it’s scrapping SMS 2FA entirely, opting instead for email and passkey verification.
2FA over SMS isn’t just unreliable, it’s also a security risk.
As spotted by Windows Latest, Microsoft has published some documentation describing what it plans to do with 2FA moving forward. Titled “Microsoft to stop sending SMS codes for personal accounts,” the company explains its reasoning as to why it’s scrapping the method, and honestly, its reasoning sounds pretty valid:
“Microsoft believes that the future of authentication is passwordless, secure, and user-friendly.
“SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more seamless.”
Microsoft isn’t lying when it says it’s focusing on scrapping passwords. In fact, new Microsoft accounts don’t have them by default. By moving to verified emails and passkeys, the company is hoping to make life a lot harder for hackers.
Microsoft says that people who want to keep their accounts secure should create a passkey instead. This is a passwordless method where your device and the server you’re logging on to perform a ‘secret handshake’ that doesn’t require human intervention. This also means phishers cannot steal the password, because there is no password to steal in the first place.
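To make the ‘secret handshake’ concrete, here is an added Node.js sketch (not Microsoft’s code and not full WebAuthn) of the challenge-response idea behind passkeys: the server keeps only a public key, and the device signs a fresh challenge together with the site origin it is actually talking to. The function names and both origins are hypothetical, chosen for illustration.

```javascript
// Added illustration: simplified passkey-style challenge-response, not full WebAuthn.
const crypto = require('node:crypto');

// Registration: the device makes a key pair; the server stores only publicKey.
function register() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}

// Server: issue a fresh random challenge for every sign-in attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Device: sign the challenge together with the origin the browser reports.
function deviceSign(privateKey, challenge, originSeenByBrowser) {
  const clientData = JSON.stringify({ challenge, origin: originSeenByBrowser });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Server: verify the signature first, then the challenge and origin it covers.
function serverVerify(publicKey, expectedChallenge, expectedOrigin, { clientData, signature }) {
  if (!crypto.verify('sha256', Buffer.from(clientData), publicKey, signature)) return 'reject: bad signature';
  const { challenge, origin } = JSON.parse(clientData);
  if (challenge !== expectedChallenge) return 'reject: unknown or reused challenge';
  if (origin !== expectedOrigin) return 'reject: wrong origin';
  return 'accept';
}

// Constructed scenario; both origins are made-up placeholders.
function demo() {
  const ORIGIN = 'https://login.example';
  const LOOKALIKE = 'https://login-example.test';
  const { publicKey, privateKey } = register();
  const c1 = newChallenge();
  const first = deviceSign(privateKey, c1, ORIGIN);
  const c2 = newChallenge();
  const viaLookalike = deviceSign(privateKey, c2, LOOKALIKE);
  const edited = { ...viaLookalike, clientData: viaLookalike.clientData.replace(LOOKALIKE, ORIGIN) };
  return {
    genuine: serverVerify(publicKey, c1, ORIGIN, first),            // normal sign-in
    replayed: serverVerify(publicKey, c2, ORIGIN, first),           // old response, new challenge
    lookalike: serverVerify(publicKey, c2, ORIGIN, viaLookalike),   // signed on the wrong site
    edited: serverVerify(publicKey, c2, ORIGIN, edited),            // origin rewritten after signing
  };
}

console.log(demo());
```

Unlike an SMS code, which is a short shared value that works wherever it is typed, a response captured on a lookalike site or from an earlier session is rejected here because the signature covers both the origin and the one-time challenge.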
If you want a secure and password-free sign-in experience, consider using passkeys for security.