Why SMS Codes Are Quietly Being Phased Out as Two-Factor Authentication

Advertisements

Microsoft announced it’s killing SMS-based two-factor authentication for personal accounts, and starting September 2026, passkeys become the default sign-in method across Microsoft Entra. This isn’t an isolated policy change, several financial regulators moved to eliminate SMS one-time codes for banking entirely between 2025 and 2026. The text message you’ve trusted for years is being phased out industry-wide, and the reason is a specific, well-documented attack.

Advertisements

The Attack SMS Can’t Defend Against: SIM Swapping

SIM swapping is not a new technique, but it remains effective precisely because it doesn’t attack your phone, it attacks your phone carrier. An attacker convinces (or bribes, or social-engineers) a carrier employee to transfer your phone number to a SIM card they control. Once that happens, every SMS code meant for you goes straight to them, including the ones meant to prove it’s really you logging in.

Why Authenticator Apps Don’t Have This Problem

Authenticator apps (Google Authenticator, Microsoft Authenticator, and similar) generate codes locally on your device using a secret key established at setup, no phone carrier, no network transmission, nothing for an attacker to intercept remotely. Even if someone successfully SIM-swaps your phone number, the authenticator app codes keep generating independently on the physical device, unaffected by the phone number hijack.

Passkeys Are the Next Step, Not Just a Buzzword

Passkeys go a step further than authenticator apps by eliminating the password entirely, using device-based cryptographic keys plus biometrics (fingerprint or face unlock) to log in. CISA and the FBI have both pushed organizations to move away from SMS specifically because of SIM-swapping and SS7 network exploits, and passkeys are the direction the industry is consolidating around, Microsoft making them the default in Entra by September 2026 is a strong signal of where the rest of the industry is heading.

What to Actually Do Right Now

  • Go into your most important accounts (email, banking, primary social media) and check if an authenticator app option exists, most major services have offered this for years, quietly, alongside SMS
  • Switch your email account first, it’s usually the recovery method for everything else, making it the highest-value target to secure properly
  • Enable passkeys where offered, especially on Microsoft, Google, and Apple accounts, since this is clearly the direction those platforms are pushing toward as the new default

The Bottom Line

SMS two-factor authentication isn’t worthless, it’s still far better than no second factor at all. But treating it as equally secure to an authenticator app or passkey is no longer accurate, and the industry itself is quietly confirming that by phasing SMS out as the default option across major platforms.