Microsoft won't send you SMS texts for login anymore – why it's pushing passkeys instead

Screenshot by Lance Whitney/ZDNET

ZDNET’s key takeaways

  • Microsoft is phasing out SMS as an authentication method.
  • SMS messages are unencrypted and vulnerable to hackers.
  • Microsoft account owners will be prompted to set up a passkey instead.

When trying to sign in to or recover one of your online accounts, you’ll often receive a text message that prompts you to verify that you’re the account owner. But that SMS-based message is not a secure authentication method. Now, Microsoft is putting the brakes on it for anyone who uses a Microsoft account.


On a new support page, Microsoft announced that it will start phasing out SMS as an authentication and account recovery method for personal Microsoft accounts. Instead, the company is pushing passkeys, which offer much stronger security.

What makes SMS authentication so insecure?

Why is SMS such a poor form of authentication? No matter which messaging app displays it, an SMS text travels over the carrier network without end-to-end encryption, so anyone who intercepts it along the way can read the security code it contains.

One common tactic is SIM swapping. Here, a hacker who intercepts one of your texts can use the security code to sign in to your mobile carrier account and then have the carrier move your number to a different SIM. From then on, the SMS authentication texts sent to your number reach the hacker, allowing them to take over your personal accounts one by one.

“SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more seamless,” Microsoft said on its support page. “SMS authentication is vulnerable to phishing and SIM-swap attacks. We’re replacing it with passkeys and verified email for better protection and convenience.”


Mobile carriers are certainly aware of the risks of SIM swapping, and many now offer SIM protection that locks your phone line to guard against unauthorized changes. However, SMS is still an inherently weak and vulnerable authentication method.

With SMS on its way out, how would you verify a login or recovery for your Microsoft account? For that, Microsoft said it will guide you through the process of adding a verified email and passkey. If you’d rather not wait and want to set up a passkey right away, another Microsoft support page explains how to do that.

Yet another reason to use a password manager

One hiccup with passkeys is that they’re device-specific. What happens if you create a passkey on your computer but then need to use it on your mobile phone, or vice versa? To get past that barrier, Microsoft suggests using a password manager to store the passkey and use it on any device where the program is installed.

Most major password managers now support passkeys, including the Microsoft Password Manager in Edge, Google Password Manager, Apple Passwords, 1Password, NordPass, Bitwarden, and Dashlane.


Another method is to save a passkey to a physical security key, which you can then plug into your PC or mobile device to authenticate your account. Alternatively, you can save the passkey on your mobile phone and use the phone to scan a QR code when you need to sign in on your computer. On Windows PCs, Windows Hello also supports passkeys. Whichever method you choose, you would typically use your face, fingerprint, security key, or PIN to sign in with the passkey.

Though the transition to passkeys does require several steps, the short-term pain is worth the long-term gain, as they say. I applaud Microsoft for making this change. I wish more companies would follow suit.
