Microsoft has drawn a line in the sand for SMS-based authentication. In a May 2026 announcement, the company confirmed it will phase out SMS codes for signing into personal Microsoft accounts and for account recovery, pushing users toward passkeys, the Microsoft Authenticator app, and verified secondary contact methods. The transition will begin immediately, with SMS codes fully deprecated for most scenarios by the end of 2026.

For the hundreds of millions of users with Outlook.com, OneDrive, Xbox, Skype, and other consumer Microsoft services, this means the familiar routine of receiving a six-digit code via text message is on the way out. Instead, you'll need to adopt a passwordless credential or verify your identity through a more secure channel.

The End of SMS-Based Authentication

The announcement, posted on the Microsoft Security blog on May 12, 2026, makes official what had been telegraphed for years. Microsoft has long warned that SMS two-factor authentication (2FA) is vulnerable to SIM-swapping, social engineering, and interception. Now, the company is taking the definitive step of removing SMS as a supported sign-in and recovery factor for personal Microsoft accounts.

"Starting today, we will begin disabling SMS as a sign-in option for accounts that have already set up a stronger alternative," reads the post. "By December 2026, SMS will no longer be available for any sign-in or recovery scenario, even as a fallback."

This affects the core Microsoft account system that underpins Windows login, Office 365 consumer subscriptions, Microsoft 365 Family, Outlook email, and Xbox gaming profiles. Business and education accounts (Azure AD/Entra ID) are not part of this consumer-focused change, though Microsoft has separately been driving those organizations to phishing-resistant MFA for years.

Why Microsoft is Abandoning SMS Codes

The decision hinges on security. SMS was never designed to be a secure authentication channel. It relies on the phone number as proof of identity, but phone numbers can be hijacked through SIM-swap attacks—where a criminal convinces the carrier to port the number to a new SIM. Once in control, they can intercept SMS codes and reset passwords.

Phishing has also become far more sophisticated. Attackers set up fake login pages that trick users into entering both their password and SMS code, giving the criminal immediate access. Even without phishing, SMS codes can be stolen via malware on the device or by exploiting weaknesses in the SS7 cellular signaling protocol.

By contrast, passkeys are based on public-key cryptography. The private key never leaves the user's device, and the login ceremony ties the credential to the specific website or app, making it immune to phishing. The Microsoft Authenticator app offers a similar level of protection with number-matching and push notifications that require physical interaction.

"The threat landscape has evolved, and our users deserve authentication that keeps pace," the blog post states. "SMS codes were once a useful step up from a password alone, but today they represent a weak link that criminals actively exploit."

What Replaces SMS? Passkeys and More

Microsoft is urging all users to adopt one of the following alternatives before SMS support is fully removed:

  • Passkeys: FIDO2 credentials stored on a device (Windows Hello, Android, iOS, or a hardware security key). When you sign in, you verify with a PIN, fingerprint, or face scan. No password or code is ever transmitted. Passkeys are already supported across Microsoft services and are the recommended replacement for both passwords and SMS codes.
  • Microsoft Authenticator App: Available for iOS and Android, the app generates time-based one-time passwords (TOTP) or serves push notifications that require you to tap a number on screen. It can also act as a passkey manager, syncing credentials across devices.
  • Verified Secondary Contact Methods: Users can designate a recovery email address or an alternate authenticated device (like a secondary phone with the Authenticator app or a passkey) to regain access if the primary method is lost. These must be verified in advance.

SMS will be removed in stages. Accounts that have already configured a passkey or the Authenticator app will lose SMS as a sign-in option first. Users who have not yet transitioned will still see SMS codes available for a limited time, with reminders and prompts to switch. By Q4 2026, SMS will be entirely turned off, and account recovery will require a verified secondary factor other than a phone number.

How to Prepare Your Microsoft Account

If you use a personal Microsoft account for email, cloud storage, gaming, or Windows sign-in, you should take action now. Here’s a step-by-step guide:

  1. Check your current security info: Visit account.microsoft.com/security and sign in. Under "Security info," you'll see which methods are registered. Look for passkeys, authenticator apps, or recovery emails.
  2. Add a passkey: On a Windows 11 device, go to Settings > Accounts > Passkeys, or visit the Microsoft account security page and select "Add a new passkey." Follow the prompts to create one using Windows Hello. You can also create a passkey on your phone by scanning a QR code displayed on the Microsoft site.
  3. Set up Microsoft Authenticator: Download the app from your phone's app store, then choose "Add account" and scan the QR code from your Microsoft account security page. Enable push notifications for the smoothest experience.
  4. Add a recovery email address: If you haven't already, add and verify a non-Microsoft email address (like Gmail or Yahoo) that you can access separately. This can serve as a backup if you lose your primary credential.
  5. Remove your phone number (optional): Once you have a passkey and/or Authenticator configured, you can remove your SMS phone number from your security info to stop receiving SMS codes immediately.

Microsoft notes that even after SMS is phased out, you can still use your phone number for passwordless sign-in via the Authenticator app’s phone sign-in feature, which uses the device’s biometrics and networking ties—not SMS.

Impact on Users and the Industry

The move is likely to cause friction for users who rely on SMS codes, particularly those with limited technical experience or older phones that don’t support passkeys. Microsoft will need to educate its user base through in-product messaging, emails, and support documentation.

On the other hand, security advocates have praised the decision. The FIDO Alliance, which develops the passkey standard, has long pointed to SMS as the weakest link in account protection. Google, Apple, and others have similarly been pushing passkeys, but Microsoft’s explicit timeline for removing SMS sets a new bar. No other major consumer platform has yet announced a full SMS deprecation date.

For Windows 11 users, this change aligns with the operating system’s deep passkey integration. Since the 23H2 update, Windows has supported native passkey management, and the 24H2 release (late 2025) added automatic syncing of passkeys across devices via the Microsoft account. That means once you create a passkey on your laptop, it’s available on your phone and tablet as well.

The Road Ahead

Microsoft’s announcement is part of a broader strategy to eliminate passwords and legacy 2FA. The company has already rolled out passwordless account options, and in 2025 it removed the ability to create a Microsoft account without a secondary email or phone verification. The SMS phase-out is the next logical step.

Looking beyond 2026, Microsoft is expected to continue hardening consumer accounts. Upcoming features might include mandatory multi-factor authentication for all accounts, risk-based sign-in prompts, and deeper integration with Windows Hello for Business capabilities brought to the consumer side.

For now, the message is clear: the era of SMS codes is ending. If you’re still relying on them, the time to switch is now. The tools are free, built into your devices, and far more secure than a text message could ever be.