Microsoft Phases Out SMS Authentication, Mandates Passkeys for Personal Accounts
What Happened — Microsoft announced it will deprecate SMS‑based verification for personal Microsoft accounts, requiring users to enroll a passkey or verified email for sign‑in and account recovery. The change targets the insecure, unencrypted nature of SMS and its susceptibility to SIM‑swap and phishing attacks.
Why It Matters for TPRM —
- SMS authentication is a known vector for credential compromise across all third‑party integrations.
- Passkey adoption raises the security baseline for any SaaS vendor that relies on Microsoft identity services.
- Organizations must assess whether their internal and partner applications still depend on SMS‑based MFA and plan migration.
Who Is Affected — Enterprises and SMBs across all sectors that use Microsoft accounts for SSO, Azure AD, Office 365, or other cloud services; identity‑as‑a‑service (IAM) providers and MSPs managing Microsoft tenant access.
Recommended Actions —
- Inventory all applications and processes that currently rely on SMS for MFA or account recovery.
- Initiate a phased rollout of passkey enrollment for all privileged and standard user accounts.
- Update third‑party risk assessments to reflect the reduced attack surface and verify that vendors support passwordless authentication.
Technical Notes — The shift eliminates an authentication vector vulnerable to SIM‑swap, SS7 interception, and phishing. Passkeys leverage public‑key cryptography and are stored in device‑bound secure enclaves, providing cryptographic proof of possession without transmitting secrets. Microsoft will guide users through adding a verified email and creating a platform‑authenticator passkey. Source: ZDNet Security