Is SMS-based OTP planned to be deprecated in Microsoft Entra ID authentication flows?

Jaco Haverhals 0 Reputation points
2025-12-16T08:33:44.0566667+00:00

In an initial sign-in or registration flow, we want to use SMS-based OTP as an additional security factor.

In Microsoft documentation and guidance, SMS-based authentication is increasingly discouraged in favor of stronger and phishing-resistant methods such as Microsoft Authenticator and passkeys. However, I cannot find an official statement that SMS-based OTP itself is being fully deprecated or given an end-of-life date.

What I do see documented is:

  • Deprecation of legacy MFA and SSPR policy management (moving to the Authentication Methods policy)
  • Strong recommendations to use more secure authentication methods
  • Deprecation of two-way SMS (reply-based), not one-time passcodes

My questions are:

  1. Is there an official plan to fully deprecate SMS-based OTP as an authentication or MFA method in Microsoft Entra ID?
  2. If yes, where is this documented and what is the expected timeline?
  3. If no, can SMS-based OTP still be considered a supported (though discouraged) option for sign-in or registration flows?

I am looking for confirmation based on official Microsoft guidance.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Shubham Sharma 15,685 Reputation points Microsoft External Staff Moderator
    2025-12-16T09:21:05.8533333+00:00

    Hey Jaco, it sounds like you're keen on understanding the future of SMS-based OTP in Microsoft Entra ID. Here’s the scoop based on the latest information:

    1. Current Documentation Note: While Microsoft has been steering users toward more secure and phishing-resistant authentication methods like the Microsoft Authenticator app, SMS-based OTP has not been explicitly stated as being deprecated yet.
    2. Deprecation: The existing documentation mentions that legacy MFA and SSPR policies are moving towards a new Authentication Methods policy. Although two-way SMS (reply-based) is deprecated, SMS used for one-time passcodes is not fully deprecated at this time.
    3. Official Guidance: You’re right; there’s no official "end-of-life" date available for SMS-based OTP. However, it is advised to consider stronger authentication methods wherever possible, especially for information workers. SMS-based authentication is primarily encouraged for frontline workers for now.
    4. Timeline and Support: Currently, SMS-based OTP can still be used as a supported option, although it's advised to move to more secure methods. There's no specific timeline for when SMS-OTP will be deprecated, but given the shift in guidance, it might be prudent to start planning for alternatives if your use case allows.
    5. Additional Methods: Consider encouraging the adoption of alternatives such as QR code authentication for frontline scenarios, as these methods can be more secure and phishable.

    To summarize, while SMS-based OTP is still supported, Microsoft is likely to continue pushing for more secure options. If you need confirmation based on official Microsoft guidance, checking the Microsoft Entra Authentication Documentation might give you the latest updates as they publish them.

    Hope this helps clarify things for you! If you have any more questions or need further details, feel free to ask!

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
