Microsoft announced it’s killing SMS-based two-factor authentication for personal accounts, and starting September 2026, passkeys become the default sign-in method across Microsoft Entra. This isn’t an isolated policy change, several financial regulators moved to eliminate SMS one-time codes for banking entirely between 2025 and 2026. The text message you’ve trusted for years is being phased out industry-wide, and the reason is a specific, well-documented attack.

The Attack SMS Can’t Defend Against: SIM Swapping
SIM swapping is not a new technique, but it remains effective precisely because it doesn’t attack your phone, it attacks your phone carrier. An attacker convinces (or bribes, or social-engineers) a carrier employee to transfer your phone number to a SIM card they control. Once that happens, every SMS code meant for you goes straight to them, including the ones meant to prove it’s really you logging in.
Why Authenticator Apps Don’t Have This Problem
Authenticator apps (Google Authenticator, Microsoft Authenticator, and similar) generate codes locally on your device using a secret key established at setup, no phone carrier, no network transmission, nothing for an attacker to intercept remotely. Even if someone successfully SIM-swaps your phone number, the authenticator app codes keep generating independently on the physical device, unaffected by the phone number hijack.
Passkeys Are the Next Step, Not Just a Buzzword
Passkeys go a step further than authenticator apps by eliminating the password entirely, using device-based cryptographic keys plus biometrics (fingerprint or face unlock) to log in. CISA and the FBI have both pushed organizations to move away from SMS specifically because of SIM-swapping and SS7 network exploits, and passkeys are the direction the industry is consolidating around, Microsoft making them the default in Entra by September 2026 is a strong signal of where the rest of the industry is heading.
What to Actually Do Right Now
- Go into your most important accounts (email, banking, primary social media) and check if an authenticator app option exists, most major services have offered this for years, quietly, alongside SMS
- Switch your email account first, it’s usually the recovery method for everything else, making it the highest-value target to secure properly
- Enable passkeys where offered, especially on Microsoft, Google, and Apple accounts, since this is clearly the direction those platforms are pushing toward as the new default
The Bottom Line
SMS two-factor authentication isn’t worthless, it’s still far better than no second factor at all. But treating it as equally secure to an authenticator app or passkey is no longer accurate, and the industry itself is quietly confirming that by phasing SMS out as the default option across major platforms.

Digital Trends Contributor. Daniel Brooks covers technology news, internet trends, and consumer tech updates for News in Focus. His goal is to help readers understand how new technologies impact daily life through informative and approachable content.










