Microsoft Authenticator: Ditch SMS MFA
Microsoft Entra
Oct 24, 2025 7:23 PM

by HubSite 365 about Jonathan Edwards

A Microsoft expert makes the case for dropping SMS MFA in favour of FIDO2 passkeys, deploying them through Microsoft Entra, and keeping a recovery path in place for the Microsoft cloud.

Key insights

  • SMS MFA is insecure: SMS and voice codes can be intercepted by SIM swapping, network attacks, or reused phone numbers, making account takeovers easier.
  • Use modern alternatives like the Microsoft Authenticator app or FIDO2 passkeys for stronger protection; passkeys can work without a phone and remove passwords from the sign-in flow.
  • Admins deploy passwordless keys in Microsoft 365 via Microsoft Entra: enable FIDO2, guide users through registration, and test sign-in with hardware or platform keys.
  • Plan for lost keys using a Temporary Access Pass (TAP): admins issue a short-lived code so users can re-register a new passkey without weakening security.
  • MFA enforcement timeline: Microsoft rolled out phased requirements — admin portals from October 2024 and command-line, API, mobile and automation access by September 1, 2025 — pushing organizations away from SMS and voice methods.
  • Benefits: passwordless and app-based methods deliver stronger security, better user experience, and help meet compliance goals by reducing phishing and interception risks.

Video overview and key takeaway

In a recent YouTube video by Jonathan Edwards, the presenter urges organizations to stop relying on SMS for multifactor authentication and to adopt stronger methods instead. He frames the issue with clear examples, mixing practical demos with a touch of humor to keep the message grounded and memorable. For instance, the video shows everyday failures such as codes read aloud over a landline and a character who still uses an outdated phone, which illustrates how brittle SMS can be in real settings. Ultimately, Edwards argues that modern options like app-based authenticators and FIDO2 passkeys offer both better security and a smoother user experience.

Why SMS for MFA is increasingly risky

Jonathan Edwards explains that one-time codes sent by text are vulnerable to interception, SIM swapping, and routing flaws, and he demonstrates how these attack paths still succeed in real life. Consequently, attackers who can control a phone number or exploit telecom weaknesses can bypass SMS protections without needing a stolen password. Moreover, Edwards points out that users sometimes share numbers, reuse lines, or rely on landlines that others can answer, which undermines the second factor’s independence. Therefore, SMS simply fails to meet the threat model of modern enterprise systems.

In addition, the video covers Microsoft’s broader position and timeline, noting that Microsoft has been pushing administrators toward app-based and passwordless methods and scheduling stronger enforcement across cloud tools. As a result, organizations that continue to depend on SMS risk disruptions when service providers tighten rules and when Microsoft enforces new policies for admin portals, APIs, and command-line tools. Edwards emphasizes that planning now reduces both security risk and future operational headaches. Thus, the message is that staying with SMS is no longer a neutral choice but an active risk.

What FIDO2 passkeys and app-based authenticators deliver

The video shows how FIDO2 passkeys and the Microsoft Authenticator can replace SMS by using cryptographic methods that don’t transmit one-time codes over insecure channels. Edwards demonstrates a user registering a key in Microsoft Entra and then signing in without needing a phone number, which underscores that these solutions can reduce attack surface and improve login speed. Furthermore, passkeys often support biometrics or PINs tied to the device, making remote interception or simple social engineering much harder. Consequently, the video makes a clear argument that passwordless approaches reduce friction while increasing security when implemented correctly.

Edwards also discusses practical benefits, such as removing password resets and avoiding one-time code entry, which can help helpdesk teams and users alike. At the same time, he clarifies that app-based methods and passkeys are not magic; they require correct configuration and user education to be effective. For example, he walks through the user registration flow and shows how sign-in works to demystify the transition for administrators. Therefore, the video balances optimism about these tools with realistic advice about operational steps.

Deployment tradeoffs and operational challenges

While promoting stronger methods, Edwards acknowledges several tradeoffs that organizations must weigh, beginning with user adoption and device availability. On one hand, passkeys and authenticators reduce phishing risk and long-term support costs, but on the other hand, they can require issuing hardware keys, updating identity policies, and helping users who lack compatible devices. Moreover, the video highlights scenarios such as lost keys or user churn, showing that recovery mechanisms and backup plans are essential to avoid lockouts and productivity losses.

To handle such failures, Edwards demonstrates issuing a TAP or temporary credential and explains the administrative steps to re-enroll users, which illustrates that recovery is manageable but not automatic. He also discusses the cost and logistics of distributing physical security keys at scale, suggesting that organizations must balance convenience against budget and procurement timelines. Finally, Edwards warns that legacy systems and programmatic access via APIs and CLI tools may need special policy work to support passwordless methods, so administrators should audit their environment before switching fully. In short, the benefits are clear but require careful planning and staged rollout.

Practical rollout tips and user support

Edwards offers concrete advice for administrators who want to move away from SMS, starting with an incremental rollout that pairs education with policy changes in Microsoft Entra. He recommends first enabling app-based authenticators and passkeys for high-risk users and admins, then expanding to standard users while monitoring support queues and authentication logs. Next, Edwards stresses the value of documentation, short training sessions, and clear recovery paths so users feel confident when their primary factor changes.

Additionally, the video shows how to test sign-in flows, register fallback methods, and log administrative actions to ensure compliance and traceability during the transition. Edwards also highlights timing considerations, advising teams to stagger enforcement to avoid coinciding with major business cycles or large hires. Ultimately, his guidance frames the migration as a people-centered project as much as a technical one, where communication and phased policies reduce friction and operational risk.
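The three administrative steps the video walks through (enabling FIDO2 in Entra, finding who would be stranded if SMS were switched off, and issuing a TAP for re-enrollment) can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the video or from HubSite 365; the scopes, the 60-minute single-use TAP lifetime and the sample UPN are assumptions.

```powershell
# Added example: Microsoft Graph PowerShell SDK cmdlets to (1) enable FIDO2 passkeys
# tenant-wide, (2) list users whose only registered MFA method is a phone (SMS/voice),
# and (3) issue a single-use Temporary Access Pass so a user who lost a key can
# re-register. Scopes, lifetime and the UPN below are assumptions.
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                        'UserAuthenticationMethod.ReadWrite.All',
                        'User.Read.All'

# 1. Enable FIDO2 passkeys for all users and allow self-service registration.
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $false
    includeTargets                   = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $fido2

# 2. Audit: users whose registered MFA methods are phone-only (SMS/voice). These are
#    the accounts that would be locked out if the Sms policy were disabled today, so
#    they belong in the first wave of the staged rollout.
$strong = @('#microsoft.graph.fido2AuthenticationMethod',
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
$phoneOnly = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $hasPhone  = $types -contains '#microsoft.graph.phoneAuthenticationMethod'
    $hasStrong = @($types | Where-Object { $strong -contains $_ }).Count -gt 0
    if ($hasPhone -and -not $hasStrong) { $u.UserPrincipalName }
}
$phoneOnly | Out-File .\phone-only-users.txt

# 3. Recovery: issue a single-use TAP valid for 60 minutes to a user who lost a passkey.
#    The pass is handed over out of band; the user signs in with it and registers a new key.
$user = 'alice@contoso.example'   # assumed sample UPN
$tap  = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user `
            -LifetimeInMinutes 60 -IsUsableOnce
"TAP for $user (single use, expires in 60 min): $($tap.TemporaryAccessPass)"
```

Step 2 is read-only and safe to run before any policy change; step 3 is the per-incident action a helpdesk runs, so keep its audit trail (who issued which TAP to whom) alongside the sign-in logs.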

Conclusion

Jonathan Edwards’ video provides a clear, practical case for retiring SMS-based MFA in favor of app-based and FIDO2 passwordless methods, while also showing how to implement those changes in a Microsoft 365 environment. Moreover, the presentation balances security arguments with real-world deployment concerns, including lost keys, user resistance, and the need for fallback procedures. For organizations planning a shift, the video offers both a playbook and cautionary tales, making it a useful resource for security teams and administrators. Therefore, the most practical takeaway is to plan deliberately, communicate clearly, and use phased enforcement to gain the security benefits without disrupting users.
