Summary
- Microsoft will stop using SMS for personal 2FA, citing it as insecure and prone to fraud.
- Microsoft will push passwordless options like passkeys and verified email to improve security and UX.
- SMS 2FA has become a major attack vector; moving away makes accounts harder for hackers to access.
While having two-factor authentication (2FA) enabled is always safer than not having it, not all methods are equal. We’re used to the trusty SMS 2FA method, where a company sends you a text during the login process and asks you to enter a code. However, when a security measure goes on long enough without any major revamps, bad actors find ways to get around it.
While SMS 2FA was once a bastion of protection, it has now become one of the main attack vectors bad actors use to get into accounts. As such, Microsoft has announced that it’s scrapping SMS 2FA entirely, opting instead for email and passkey verification.

Microsoft is getting rid of SMS-based 2FA methods
The company believes they’re just too insecure

As spotted by Windows Latest, Microsoft has published some documentation describing what it plans to do with 2FA moving forward. Titled “Microsoft to stop sending SMS codes for personal accounts,” the company explains its reasoning as to why it’s scrapping the method, and honestly, its reasoning sounds pretty valid:
Microsoft believes that the future of authentication is passwordless, secure, and user-friendly.
SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more seamless.
Microsoft isn’t lying when it says it’s focused on scrapping passwords. In fact, new Microsoft accounts don’t have them by default. By moving to verified emails and passkeys, the company is hoping to make life a lot harder for hackers.
Microsoft says that people who want to keep their accounts secure should create a passkey instead. This is a passwordless method where your device and the server you’re logging on to perform a ‘secret handshake’ that doesn’t require human intervention. This also means phishers cannot steal the password, because there is no password to steal in the first place.
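The ‘secret handshake’ described above can be sketched as a signed challenge. The following is an added example, not code from Microsoft or the original article: a simplified Node.js model (not full WebAuthn) in which the origins, function names and result strings are all assumptions made for illustration.

```javascript
// Added example: simplified passkey-style challenge-response, not full WebAuthn.
const crypto = require('node:crypto');

// Registration: the device keeps the private key; the server stores only the public key.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { origin, publicKey } };
}

// Server: a fresh random challenge for every login attempt.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64url');
}

// Device: sign the challenge together with the origin the browser reports.
// (Real authenticators also scope credentials per site; this model leaves
// that out so the server-side check is visible.)
function deviceSign(device, challenge, seenOrigin) {
  const clientData = JSON.stringify({ challenge, origin: seenOrigin });
  const signature = crypto.sign('sha256', Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// Server: accept only a valid signature over *this* challenge and *this* origin.
function serverVerify(record, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.challenge !== expectedChallenge) return 'challenge-mismatch';
  if (data.origin !== record.origin) return 'origin-mismatch';
  const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                           record.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad-signature';
}

function demo() {
  const site = 'https://login.example';            // constructed origin
  const lookalike = 'https://login-example.test';  // constructed look-alike origin
  const { device, serverRecord } = registerPasskey(site);
  const c1 = newChallenge();
  const c2 = newChallenge();
  const good = deviceSign(device, c1, site);
  const relayed = deviceSign(device, c1, lookalike); // signed while on the wrong site
  const edited = { clientData: good.clientData.replace(c1, c2), signature: good.signature };
  return {
    legit: serverVerify(serverRecord, c1, good),
    phished: serverVerify(serverRecord, c1, relayed),
    replayed: serverVerify(serverRecord, c2, good),
    tampered: serverVerify(serverRecord, c2, edited),
  };
}

console.log(demo());
```

Unlike an SMS code, nothing the user could type or read aloud is reusable: a response produced on a look-alike site, captured from an earlier login, or edited after signing is rejected by the server.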

Ref: https://www.xda-developers.com/microsoft-is-scrapping-sms-2-factor-authentication-because-its-a-leading-source-of-fraud/











