When you want to log in to or recover one of your online accounts, you often receive a text message asking you to verify that you are the account owner. However, this SMS message is not a secure method of authentication.
Now, Microsoft is putting a stop to this for anyone using a Microsoft account.
On a new support page, Microsoft has announced that it will begin phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts. Instead, the company is promoting passkeys, which offer much stronger security.
What makes SMS authentication so insecure?
Why doesn't SMS offer secure authentication? Regardless of the messaging app you use, SMS doesn't have end-to-end encryption to protect the text in transit. This means that the message can be intercepted by hackers, who can then gain access to your account.
A common tactic is SIM swapping. Here, a hacker who steals your message can use the security code to log into your mobile account, thereby convincing your mobile provider to port your number to a different SIM. From there, they can receive SMS authentication messages sent to your number, which allows them to take control of your personal accounts.
“SMS-based authentication is now a major source of fraud. Switching to password-free accounts, passkeys, and verified email will help you stay ahead of evolving threats while making accessing your account simpler and more seamless,” Microsoft says on its support page. “SMS authentication is vulnerable to phishing and SIM swapping attacks. We’re replacing it with passkeys and verified email for better protection and convenience.”

