Microsoft to Drop SMS-Based Login Codes for Personal and Xbox Accounts

By: Morgan Cipher, Senior Privacy Journalist

Last updated: May 25, 2026

  • Microsoft will eliminate SMS-based verification codes for personal and Xbox account sign-ins.

  • The company wants users to switch to passkeys, the Microsoft Authenticator app, or a verified backup email address.

  • The announcement triggered sharp reactions online, with critics arguing Microsoft is fixing the wrong problem entirely.

Microsoft just pulled the plug on SMS verification codes for personal account logins, and the internet is not staying quiet about it. The tech giant says the decision is a security upgrade.

Text-message codes, it argues, sit wide open to phishing attacks, SIM-swap fraud, and interception. Going forward, the company wants users to authenticate through passkeys, the Microsoft Authenticator app, or a verified backup email address.

The move fits into a wider industry-wide retreat from phone-based one-time passwords (OTPs). Security researchers have flagged SMS-based authentication as one of the weakest links in login security for years. But for millions of everyday users, the change means updating their login habits, whether they signed up for that or not.

Microsoft Cuts SMS Codes in Sweeping Authentication Overhaul

Microsoft’s decision targets what security professionals have long described as a structurally flawed system. SMS codes travel through carrier networks that threat actors can intercept or redirect through SIM-swap attacks. Passkeys and authenticator apps eliminate that exposure by keeping verification tied directly to a device or application rather than a phone number.

The threat is real and growing. Criminals are using fake cell towers to carry out SMS fraud attacks, showing why SMS-based verification is no longer sufficient.

The change covers personal Microsoft accounts, including Xbox accounts. Users who currently rely on SMS codes will need to adopt one of the approved alternatives before Microsoft closes the transition window. The company has not announced a hard deadline publicly, but security experts warn that the window will not stay open indefinitely.

This decision also reflects how authentication standards across the industry are shifting. Major platforms have moved steadily away from SMS OTPs over the past several years, and Microsoft’s announcement signals that the practice is edging closer to a full phase-out.

Security Experts and Users Push Back Online

The announcement landed on X (Twitter) and immediately drew fire from multiple directions.

@OsintKitties raised a pointed concern, arguing that Microsoft is targeting the wrong vulnerability entirely. According to the user, OTP sign-in codes sent to email have powered phishing campaigns for years, particularly inside gaming communities on Discord centered around Minecraft. The core argument: SMS codes are not the primary reason people lose their accounts. Email-based sign-in codes are.

@techedgeDaily put a sharper edge on the criticism. According to the post, Microsoft took roughly five years after the security research community declared SMS authentication broken to actually ship the fix. By the time large tech companies act, the argument goes, attackers have already moved on to the next vector.

The sarcasm from @piratebae cut through just as cleanly. The user described logging into the Xbox app on iPhone, only to need the Microsoft Authenticator app to confirm that login. The implication was clear: verifying your identity inside an app you are already using feels more like a performance than a protection. That post pulled 2.2K impressions, and the frustration landed widely.

Not all the pushback focused on usability. @Namecannotbeblank pointed out that SMS two-factor authentication is not even available to free Twitter users (it sits behind a paid subscription), making Microsoft’s announcement feel oddly targeted.

@albursavi went further, calling for SMS verification to disappear from every platform entirely. According to the post, SMS sits at the root of a massive volume of ongoing spam, and its removal across all verification systems is long overdue.

What Microsoft Users Should Do Now

The critics raise fair points, but the direction of travel is clear. Microsoft is moving away from SMS, and users who delay will eventually find themselves scrambling at the last minute.

The practical steps are straightforward. Users should switch to the Microsoft Authenticator app or set up a passkey now rather than waiting. Anyone without a verified backup email address should add one immediately.

One user on X framed the moment more broadly, arguing that privacy erosion will continue in lockstep with every new technology improvement, and that the real fix runs far deeper than any single authentication method.

That may well be true. But in the near term, updating your login method before Microsoft forces the issue is the move that actually matters.

About the Author

Morgan Cipher

Senior Privacy Journalist

Morgan combines a journalist’s curiosity with a security specialist’s precision. His reporting on data breaches, privacy laws, and encryption tech has been featured in several tech publications. At TorWire, he focuses on real-world threats and how to counter them, always with an eye on what’s next in digital privacy.
