Microsoft won't send you SMS texts for login anymore - why it's pushing passkeys instead

Screenshot by Lance Whitney/ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• Microsoft is phasing retired SMS arsenic an authentication method.
• SMS messages are unencrypted and susceptible to hackers.
• Microsoft relationship owners volition beryllium prompted to acceptable up a passkey instead.

When trying to sign-in to oregon retrieve 1 of your online accounts, you'll often person a substance connection that prompts you to verify that you're the relationship owner. But that SMS-based connection is not a unafraid authentication method. Now, Microsoft is putting the brakes connected it for anyone who uses a Microsoft account.

Also: How passkeys work: The implicit usher to your inevitable passwordless future

On a new enactment page, Microsoft announced that it volition commencement phasing retired SMS arsenic an authentication and relationship betterment method for idiosyncratic Microsoft accounts. Instead, the institution is pushing passkeys, which connection overmuch stronger security.

What makes SMS authentication truthful insecure?

Why is SMS specified a mediocre signifier of authentication? No substance which messaging app you use, SMS lacks end-to-end encryption to support the substance during its journey. As such, the connection tin beryllium intercepted by hackers who past summation entree to the included information code.

One communal maneuver is SIM swapping. Here, a hacker who snags your substance tin usage the information codification to motion successful to your mobile account, thereby convincing your bearer to transportation your fig to a antithetic SIM. From there, they tin person SMS authentication texts sent to your number, allowing them to instrumentality implicit your idiosyncratic accounts 1 by one.

"SMS-based authentication is present a starring root of fraud, and by moving to passwordless accounts, passkeys, and verified email, we're helping you enactment up of evolving threats portion making relationship entree simpler and much seamless," Microsoft said connected its enactment page. "SMS authentication is susceptible to phishing and SIM-swap attacks. We're replacing it with passkeys and verified email for amended extortion and convenience."

Also: Should you halt logging successful done Google and Facebook? Consider these SSO risks vs. benefits

Mobile carriers are surely alert of the risks of SIM swapping, and galore present offer SIM protection  that locks your telephone enactment to defender against unauthorized changes. However, SMS is inactive an inherently anemic and susceptible authentication method.

With SMS connected its mode out, however would you verify a login oregon betterment for your Microsoft account? For that, Microsoft said it volition usher you done the process of adding a verified email and passkey. If you'd alternatively not hold and privation to acceptable up a passkey close away, another Microsoft enactment page explains however to bash that.

Yet different crushed to usage a password manager

One hiccup with passkeys is that they're device-specific. What happens if you make a passkey connected your machine but past request to usage it connected your mobile phone, oregon vice versa? To get past that barrier, Microsoft suggests utilizing a password manager to store the passkey and usage it connected immoderate instrumentality wherever the programme is installed.

Most large password managers present enactment passkeys, including the Microsoft Password Manager successful Edge, Google Password Manager, Apple Passwords, 1Password, NordPass, Bitwarden, and Dashlane.

Also: The champion password managers: Expert tested

Another method is to prevention a passkey to a carnal information key, which you tin past plug into your PC oregon mobile instrumentality to authenticate your account. Alternatively, you tin prevention the passkey connected your mobile telephone and scan it erstwhile you request to motion successful connected your computer. On Windows PCs, Windows Hello besides supports passkeys. Whichever method you choose, you would typically usage your face, fingerprint, information key, oregon PIN to motion successful with the passkey.

Though the modulation to passkeys does necessitate respective steps, the short-term symptom is worthy the semipermanent gain, arsenic they say. I applaud Microsoft for making this change. I privation much companies would travel suit.