Microsoft will discontinue SMS-based sign-in and account recovery for personal Microsoft accounts beginning in May 2026, replacing the long‑standing text message option with modern authentication methods including passkeys, authenticator apps, and verified email addresses. The change, confirmed in an updated support article spotted Tuesday, marks one of the most significant overhauls to Microsoft consumer account security since the company began pushing passwordless sign‑in for Windows 11.
For years, SMS codes have served as a ubiquitous second factor — and for many, the only fallback when passwords failed. But the technology’s well‑documented vulnerabilities, from SIM swapping to message interception, have prompted an industry‑wide retreat. Microsoft’s move follows similar decisions by Google (which now defaults to passkeys for all personal accounts) and Apple (which prompts users to enroll in passkeys during device setup).
The End of SMS Codes for Microsoft Accounts
When the deadline arrives, anyone still relying on a phone number to receive one‑time passcodes will find that option gone from the Microsoft sign‑in flow. The change affects both the two‑step verification process and the account recovery path — the screen that appears when you’ve forgotten your password or need to prove you own the account. Microsoft’s support document states that “SMS and voice calls will no longer be available as identity verification methods” for personal accounts, though the exact date within May has not been specified. Enterprise accounts managed through Microsoft Entra ID (formerly Azure Active Directory) are not included in this phase‑out.
A Microsoft spokesperson told Windows News that the company is “committed to providing customers with the strongest, most phishing‑resistant authentication methods available,” and that the shift away from SMS aligns with National Institute of Standards and Technology (NIST) guidelines, which have discouraged SMS‑based two‑factor authentication since 2016.
Why Ditch SMS?
Security researchers have catalogued a long list of SMS weaknesses. SIM‑swap attacks — where a bad actor convinces a carrier to port a victim’s number to a new SIM — remain a lucrative tool for credential theft. According to the FCC, SIM swapping complaints more than doubled between 2020 and 2023. Even without a swap, SMS messages can be intercepted via SS7 protocol exploits, man‑in‑the‑middle attacks on cellular networks, or malware that reads incoming texts. Phishing schemes also frequently trick users into forwarding codes to impostor sites.
Beyond direct theft, SMS recovery leaves accounts vulnerable when a user loses access to their phone number, whether through travel, carrier issues, or simply changing numbers. Microsoft’s own data shows that SMS‑protected accounts experience 99.9% fewer automated attacks than those with only a password — but that still leaves a gap that passkeys and hardware‑bound tokens close almost entirely.
What Replaces SMS Codes?
Microsoft will steer users toward three alternatives:
- Passkeys: A FIDO2‑based credential stored on a device (Windows Hello PIN, fingerprint, or face) or in a password manager that syncs across platforms. Passkeys are phishing‑resistant because they are bound to the website’s origin and never leave the device. On Windows 11, passkeys can be created and managed through Settings > Accounts > Passkeys, with support for third‑party providers like 1Password and Bitwarden. Microsoft began rolling out passkey support for consumer accounts in 2022, and all major browsers now support the underlying WebAuthn API.
- Microsoft Authenticator (or any OTP app): The free Microsoft Authenticator app — or any authenticator that generates time‑based one‑time passwords (TOTP) — will serve as the primary second factor for those who don’t adopt passkeys. The app can also send push notifications for one‑tap approval on trusted devices.
- Verified Email Addresses: Users can designate a secondary email address as a recovery method, similar to the long‑standing “alternate email” field already used for password resets. Microsoft will require that the email address be verified before it can be used for critical account actions.
Notably absent from the list are hardware security keys (which remain supported for work/school accounts but aren’t being promoted for personal use) and phone‑call verification, which carries the same SS7 risks as SMS.
A quick comparison of the replacement methods:
| Method | Phishing Resistance | Device Dependency | Recovery Ease |
|---|---|---|---|
| Passkey (biometric/PIN) | High | Yes (device or cloud) | Requires backup passkey or recovery email |
| Authenticator app (TOTP) | Medium | Yes (smartphone) | Can transfer codes if authenticated |
| Verified email | Low–Medium | No | Accessible from any device with email |
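The origin binding behind the passkey rating in the table, next to a TOTP code for contrast, as an added Python example that is not Microsoft's code: a TOTP value carries nothing that names the site it is entered on, while a relying party rejects a WebAuthn assertion whose origin or RP ID hash belongs to another host. The host names, challenge and `sample_assertion` helper are constructed for illustration, and the signature check over `authenticatorData || SHA-256(clientDataJSON)`, which is what makes these fields trustworthy, is omitted.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). No input identifies the site the code is typed into."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json, authenticator_data, challenge, origin, rp_id):
    """Relying-party checks that tie a WebAuthn assertion to one site.
    Returns the names of failed checks; an empty list means all passed."""
    if len(authenticator_data) < 37:          # rpIdHash(32) + flags(1) + signCount(4)
        return ["authenticatorData"]
    client = json.loads(client_data_json)
    failed = []
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(challenge):   # server-issued, single use
        failed.append("challenge")
    if client.get("origin") != origin:                 # written by the browser, not the page
        failed.append("origin")
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rpIdHash")
    if not authenticator_data[32] & 0x01:              # UP (user present) flag
        failed.append("userPresent")
    return failed

def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator emit on `origin`."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return client, auth

# Constructed values: hypothetical relying party and look-alike host.
RP_ID, ORIGIN = "accounts.example", "https://accounts.example"
CHALLENGE = b"constructed-challenge-0001"

if __name__ == "__main__":
    print("TOTP:", totp(b"12345678901234567890", 59))   # same code wherever it is entered
    good = sample_assertion(ORIGIN, RP_ID, CHALLENGE)
    fake = sample_assertion("https://accounts-example.test", "accounts-example.test", CHALLENGE)
    print("genuine site:", binding_failures(*good, CHALLENGE, ORIGIN, RP_ID))
    print("look-alike  :", binding_failures(*fake, CHALLENGE, ORIGIN, RP_ID))
```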
Migration Timeline and Steps
Microsoft has not yet published a detailed migration timeline, but the support article advises users to switch before May 2026. The company is likely to begin surfacing in‑product reminders in Windows and on the Microsoft account website in the coming months. When the deadline hits, any account still using a phone number for sign‑in or recovery will be forced to authenticate via an alternative method — if none is enrolled, the user may face a temporary lockout until they verify their identity through Microsoft’s account recovery process.
To get ahead of the change, Microsoft recommends:
- Set up a passkey on your primary Windows device. Sign in to account.microsoft.com, navigate to Security > Advanced security options > Add a new way to sign in or verify, and choose “Face, fingerprint, PIN, or security key.” Follow the prompts to create a device‑bound passkey.
- Install and link Microsoft Authenticator. Download the app on your smartphone, sign in with your Microsoft account, and enable phone sign‑in. The app automatically registers as a verification method.
- Add a verified email address. In the same Security settings, add an alternate email that you regularly access. Microsoft will send a verification code to confirm ownership.
- Remove your phone number (optional). Once a new method is active, you can delete the phone number under “Ways to prove who you are” to test that everything works — but Microsoft suggests keeping it until the transition is complete.
What This Means for Windows Users
The SMS phase‑out ties directly into Microsoft’s broader passwordless strategy for Windows 11. Since the 22H2 update, Windows Hello has supported passkeys, and the 24H2 release (expected later this year) is rumored to include a dedicated Passkey Manager. For hundreds of millions of Windows users, a Microsoft account is the key to syncing settings, activating Windows licenses, and accessing services like OneDrive, Xbox, and Microsoft 365. Losing SMS means the days of simply receiving a text code on a cheap feature phone to regain access are numbered — but the trade‑off is a significant reduction in account hijacking risk.
One potential pain point: users with shared or public computers. Passkeys tied to a device aren’t portable unless stored in a cloud‑synced password manager. Microsoft’s support documentation suggests using cross‑device passkey flows (e.g., scanning a QR code with a phone) or falling back to email codes for one‑time access, but neither solution is as frictionless as SMS for the average user.
Industry‑Wide Shift Away from SMS
Microsoft’s decision aligns with a consensus among security experts and regulators. The European Union’s Digital Identity Wallet initiative and the United States’ Executive Order on Improving the Nation’s Cybersecurity both encourage phishing‑resistant authentication. In the private sector, Goldman Sachs predicts that passkeys will overtake SMS and OTP within five years. Meanwhile, carriers like T‑Mobile and Verizon have launched “Number Lock” features to combat SIM swaps, but these are band‑aids on a fundamentally insecure channel.
Apple phased out SMS‑only two‑factor for Apple ID in 2022, requiring a trusted device or phone number for recovery. Google made passkeys the default sign‑in option for all personal accounts in October 2023, though it still allows SMS as a backup. Microsoft’s move is more aggressive: it eliminates SMS entirely for personal accounts, forcing users onto stronger rails.
How to Prepare Now
With roughly 18 months until the deadline, there’s ample time to switch without disruption. The immediate steps for Windows users are:
- Audit your current security methods: Sign in to your Microsoft account and note which verification options are enabled. If a phone number is listed, you’re affected.
- Create a passkey on your Windows PC: Even if you plan to rely on the authenticator app, having a device‑bound passkey provides a fallback.
- Install Microsoft Authenticator on a secondary device: A spare smartphone or tablet ensures you don’t lose access if your primary phone is lost or broken.
- Test account recovery: After adding a verified email, try the “Forgot password” flow to confirm you can regain entry without SMS.
For enterprise users, this change doesn’t apply — but IT admins should note that employees often use personal Microsoft accounts for Windows sign‑in on BYOD machines, and they’ll need to be educated about the new options.
Microsoft’s end‑of‑SMS deadline is a bold but necessary step. By cutting the most vulnerable link in the authentication chain, the company is betting that the passwordless future is finally ready for the mainstream. The challenge will be ensuring that users who aren’t tech‑savvy — or who simply don’t own a smartphone — aren’t left behind. For everyone else, May 2026 marks the moment when a text message can no longer be the weak spot that undoes years of careful digital hygiene.