Microsoft is accelerating the removal of SMS verification codes as an authentication method and is pushing hard for "passwordless login" across the Windows 11 ecosystem, securing personal Microsoft accounts with passkeys, authenticator apps and backup email addresses. Microsoft confirmed to the media that it will no longer send SMS verification codes to personal accounts. The change covers not only two-factor verification but also account recovery. A support document quietly updated earlier this year states plainly that Microsoft is "phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts."

Microsoft stated bluntly in its latest security advisory that SMS-based authentication "has become one of the main sources of fraud" and no longer fits its long-term strategy of raising security standards. SMS was never designed for modern network security: message content travels in clear text over cellular networks and is easily intercepted or eavesdropped on. The increasingly common SIM swap attack also exposes the structural weakness of SMS codes: an attacker only needs to trick a carrier into porting the victim's number to a device the attacker controls, after which every SMS code arrives instantly and the victim's online accounts can be taken over with little effort. From Microsoft's perspective, continuing to patch the SMS system is no longer a realistic way to counter such threats; the more viable path is to embrace a passwordless solution outright.

Under the new strategy, Microsoft will make passkeys the core replacement for SMS verification codes. The standard is regarded as a modern, phishing-resistant login method. Unlike traditional passwords and six-digit codes, which can be intercepted or reused, passkeys authenticate with the device's built-in biometric hardware or a local PIN. When a user signs in to a Microsoft account, verification is completed through Windows Hello facial recognition, fingerprint recognition or the local device PIN. In the background the system generates a public/private key pair. The private key is kept in hardware such as the device's security chip and is never transmitted over the network, which all but eliminates remote phishing attacks.
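The key-pair mechanism described above, as an added Go example (not Microsoft's code and not any WebAuthn library's): a model authenticator generates the private key, keeps it, and signs a server challenge only for the relying-party ID (rpID) it was registered with, while the server stores only the public key and checks that the signature counter advances. The site name login.example.com, the look-alike domain and the signed-message layout are constructed assumptions, and the message format is a simplification of WebAuthn's authenticatorData || SHA-256(clientDataJSON), not the real wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the device side of a passkey (TPM or platform authenticator):
// the private key is created here, never leaves, and is scoped to a single rpID.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32 // signature counter, incremented on every use
}

// Register creates a P-256 key pair bound to rpID; only the public key is handed out.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, &priv.PublicKey, nil
}

// signedMessage binds a signature to the site, the counter and the server's fresh
// challenge (simplified from WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(rpID string, counter uint32, challenge []byte) []byte {
	rpHash, chHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append([]byte{}, rpHash[:]...), ctr[:]...), chHash[:]...))
	return d[:]
}

// Sign answers a challenge only for the rpID the key was registered under and returns
// the new counter plus a DER-encoded ECDSA signature. In a real flow the browser derives
// requestingRPID from the page's origin, so a look-alike domain never gets a usable signature.
func (a *Authenticator) Sign(requestingRPID string, challenge []byte) (uint32, []byte, error) {
	if requestingRPID != a.rpID {
		return 0, nil, errors.New("no passkey registered for this relying party")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(a.rpID, a.counter, challenge))
	return a.counter, sig, err
}

// Server is the relying party. It stores only the public key, so a breach of its
// database yields nothing that can be used to log in.
type Server struct {
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify checks that the counter advanced (replay or cloned credential) and that the
// signature binds this server's rpID to the challenge it issued.
func (s *Server) Verify(challenge []byte, counter uint32, sig []byte) error {
	if counter <= s.lastCounter {
		return errors.New("signature counter did not advance: replay or cloned credential")
	}
	if !ecdsa.VerifyASN1(s.pub, signedMessage(s.rpID, counter, challenge), sig) {
		return errors.New("invalid signature")
	}
	s.lastCounter = counter
	return nil
}

// RunScenario registers a passkey for the constructed site login.example.com and
// reports whether a legitimate login, a phishing relay and a replay are accepted.
func RunScenario() (legit, phished, replayed bool, err error) {
	auth, pub, err := Register("login.example.com")
	if err != nil {
		return
	}
	srv := &Server{rpID: "login.example.com", pub: pub}
	challenge := make([]byte, 32) // one-time nonce; a real server expires it after use
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	ctr, sig, err := auth.Sign("login.example.com", challenge)
	if err != nil {
		return
	}
	legit = srv.Verify(challenge, ctr, sig) == nil
	// Phishing: the attacker's page relays the genuine challenge, but the browser
	// reports the attacker's origin, so the authenticator refuses to sign.
	_, _, signErr := auth.Sign("login-example.com.evil.test", challenge)
	phished = signErr == nil
	// Replay: the captured signature is genuine but its counter is now stale.
	replayed = srv.Verify(challenge, ctr, sig) == nil
	return
}

func main() { fmt.Println(RunScenario()) }
```

Run with `go run`, it prints `true false false <nil>`: the genuine site's login verifies, the look-alike domain gets no signature at all, and the resubmitted assertion fails the counter check. The property that matters for phishing resistance lives in the browser and authenticator (which site the credential is scoped to), not in anything the web page itself controls, which is why intercepting the exchange yields nothing reusable, unlike a six-digit SMS code.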

A passkey can be implemented either in "device-bound" mode or synchronized across multiple devices through a cloud service. In the former, the private key never leaves a specific piece of hardware, such as a laptop's TPM security chip; in the latter, services such as Apple iCloud Keychain or Google Password Manager securely synchronize the key to the user's other devices. Microsoft pointed out that even if a user loses their phone, account access can still be restored relatively safely as long as a trusted backup email address and a cross-device synchronized passkey were configured beforehand.

From a security theory perspective, Microsoft's move away from fragile SMS verification codes toward biometric-protected, cryptographic passkeys is an upgrade in the right direction, and it follows the industry-wide trend of going passwordless. In its announcement, Microsoft stressed that the company is "committed to raising security standards" and believes the future of authentication should be "passwordless, secure and user-friendly." The author of the article also noted that in daily use, with Microsoft Edge, Microsoft Password Manager and the Microsoft Authenticator app, together with Windows Hello facial recognition on an infrared camera, the experience of signing in to personal accounts without a password is "really excellent" and noticeably smoother.

However, this seemingly ideal passwordless future may not be smooth for heavy users and certain technical scenarios. The author takes his own workflow as a Windows Insider as an example: he often needs to create, configure and manage a large number of virtual machines to test different system builds and software environments. In these isolated virtual machine environments, physical biometric hardware is usually unavailable and security keys are not always reachable, so the passkey login experience degrades noticeably. When he tried to sign in to a Microsoft account inside a virtual machine using a passkey via PIN, he repeatedly hit error messages and could not complete the login.

In this highly technical but fairly common edge case, requesting an SMS verification code was once a simple and reliable fallback. The password-plus-SMS-code combination is deeply ingrained among users, and a string of six digits has become one of the most natural security steps in the daily routine of users worldwide. The author argues that to truly change a habit built up over many years, the new technology must not only be safer but also work seamlessly in almost every scenario; otherwise it will leave users stranded at critical moments.

Microsoft has recently made other adjustments to the installation experience and account policies to go with this shift in security direction. For example, there are signs that Microsoft may drop the requirement to sign in to a Microsoft account during future Windows 11 installations, reducing the need for users to go online at certain setup stages. At the same time, the company will proactively prompt all personal account users through system pop-ups to configure passkeys and verify backup email addresses as soon as possible; a common prompt reads "log in faster with face, fingerprint or PIN".

It is foreseeable that losing the convenient but fragile SMS verification code will cause friction and complaints among some users in the short term. In Microsoft's view, however, this is the price that must be paid to counter modern security threats, and a key step in strengthening the overall security posture of the Windows 11 ecosystem. As passkeys and passwordless solutions spread further, the underlying logic of account security is shifting from "remembering a password" to "proving that you are who you are", and that migration is already fully under way across Microsoft's systems.