Microsoft to Phase Out SMS Authentication for Consumer Accounts, Citing GDPR and CCPA Risks

Privacy Reporter

Microsoft announced it will retire SMS‑based two‑factor authentication and recovery for personal accounts, citing vulnerability to phishing and SIM‑swap attacks. The move aligns with GDPR and CCPA requirements for stronger data protection, and pushes users toward passwordless passkeys and verified email.

Microsoft confirmed that short‑message‑service (SMS) authentication will soon disappear from personal Microsoft accounts. The company says the “old, busted, insecure” method leaves users exposed to phishing, SIM‑swap fraud, and other attacks that can compromise personal data.


The decision is framed around compliance with major data‑protection statutes:

  • GDPR (EU) – Article 32 requires controllers to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. The European Data Protection Board has repeatedly warned that SMS‑based 2FA does not meet the "state‑of‑the‑art" standard for strong authentication.
  • CCPA/CPRA (California) – While the law does not prescribe specific security controls, the California Attorney General’s office has issued guidance that businesses must adopt “reasonable” security practices. Relying on a channel known to be vulnerable to SIM‑swap attacks could be deemed unreasonable.
  • NCSC endorsement (UK) – In April 2026 the National Cyber Security Centre officially endorsed passwordless passkeys, reinforcing the regulatory expectation that organisations move away from legacy SMS methods.

By retiring SMS, Microsoft is positioning itself to avoid potential fines for non‑compliance. Under GDPR, violations can attract penalties up to €20 million or 4% of global turnover, whichever is higher. CCPA violations can lead to statutory damages of up to $7,500 per incident.


Impact on users and businesses

For individual users

  • Loss of a familiar fallback – Many people still rely on SMS for account recovery. Microsoft says it will replace the fallback with verified email links and passkey‑based recovery, but the transition will require users to set up new credentials.
  • Potential confusion – Users who have never used a passkey may need guidance on creating and storing them, especially across multiple devices. Microsoft promises in‑app prompts and step‑by‑step tutorials, but the effectiveness of those guides will vary.

For enterprises and developers

  • Integration changes – Applications that embed Microsoft’s OAuth flow will need to update their authentication libraries to request passwordless or email‑based challenges instead of SMS.
  • Compliance reporting – Companies that already report GDPR/CCPA compliance will have to document the migration, showing that they no longer rely on a high‑risk factor.

What changes are coming

  1. Phasing out SMS for sign‑in – Existing users will see a banner at login encouraging them to add a passkey or verified email. After a grace period (still to be announced), the SMS option will disappear.
  2. Passkey rollout – Microsoft will leverage the FIDO2 standard, which stores a cryptographic key on the device and never transmits a secret that can be intercepted. Passkeys sync via the Microsoft Authenticator app or supported password managers.
  3. Enhanced recovery – If a user loses access to a device, they can recover using a one‑time email link or a recovery code stored in the Authenticator app.
  4. Developer guidance – Microsoft will publish updated SDK documentation showing how to request "passwordless" challenges and how to handle fallback flows without SMS.

Why the move matters for digital rights

From a watchdog perspective, the shift is a win for privacy. SMS messages travel through carrier networks that are often subject to lawful‑intercept requests and can be stored for months. By eliminating that vector, Microsoft reduces the amount of personal data that can be harvested by malicious actors or government surveillance.

However, the transition must be handled responsibly. Users should be given clear, jargon‑free explanations of what a passkey is, how it is stored, and how they can back it up. Without adequate education, a segment of the population could be locked out of their own accounts, creating a new accessibility problem.


Bottom line

Microsoft’s announcement aligns its security posture with GDPR and CCPA expectations, while also following the UK NCSC’s endorsement of passwordless authentication. Users will need to adopt passkeys or verified email for both sign‑in and recovery, and developers must update their integration points. The change promises stronger protection against phishing and SIM‑swap fraud, but success will hinge on how well Microsoft educates its global user base.