Microsoft is looking to move away from SMS-based two-factor authentication for local account logins, citing its vulnerability to exploitation and fraud, according to Windows Latest. Instead, Microsoft wants everyone to start using passkeys (and eventually, ditch passwords altogether).

Although text messages have proved a useful way to add an extra layer of security to account logins, they were never designed for this purpose. SMS messages are sent in plaintext, making them a vulnerable vector for man-in-the-middle and number spoofing attacks.

"Microsoft is committed to advancing security standards and as such, we will start phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts," Microsoft said in an official advisory. "SMS-based authentication is now a leading source of fraud, and by moving to passwordless accounts, passkeys, and verified email, we're helping you stay ahead of evolving threats while making account access simpler and more seamless."

Passkeys are a cleaner, more secure way to authenticate, leveraging the local security of a secondary device or your biometric information to confirm your identity. When setting one up, you can use your face, fingerprint, or a local password/PIN. That information never leaves that particular device, making it all but impossible for a third party to spoof it.

Recommended by Our Editors

I Was Sick of Android Apps Spying on Me, So I Tried GrapheneOS and PlugOS

Apple May Soon Add a Feature That Automatically Locks Snatched iPhones

Your Computer May Soon Require an Age Check. And It Might Not Take ‘No’ for an Answer

Last year, Microsoft said that anyone setting up a new Microsoft account would be encouraged to use a passkey during sign-up, removing passwords as the default.

However, while passkeys are more secure, they're not always be as convenient. When setting up new Windows PCs or temporary virtual machines, the biometric data may not be so readily available, and setting up a passkey every time can be laborious. SMS messages, in contrast, could be fast and convenient. However, that convenience comes at the cost of security. Fortunately, in those cases, verified email links will remain an option.

Microsoft hasn't given a date for fully phasing out SMS messages as a secondary authentication method, but users without a passkey will soon be prompted to set one up.

As someone who lives in an area with spotty reception and wonky Wi-Fi calling, this is welcome news. But even in areas where receiving an SMS isn't as pot-luck as it is for me, it's probably time to finish with SMS codes. It's antiquated and has proved for many years to be an insecure method of protecting users and their accounts.