Security technology news fell on both ends of the surveillance spectrum. Microsoft confirmed in May 2026 that SMS two-factor authentication is being eliminated from all personal Microsoft accounts — permanently — by the end of 2026. The replacement is passkeys, the Microsoft Authenticator app, and verified email. Meanwhile, the FBI Directorate of Intelligence published a formal Request for Proposals on 14 May seeking nationwide, near-real-time access to automated license plate reader (ALPR) data, covering at least 75% of locations across the country. The bureau is willing to spend up to $36 million. Together, the two stories describe a week when security technology moved in two opposite directions simultaneously — one tightening the protection of personal accounts, the other proposing the most expansive vehicle surveillance programme in US history.
What’s Happening & Why It Matters
Microsoft Ends SMS 2FA: The Decision Is Final
Microsoft made the announcement on its Security Blog. The company stated its conclusion plainly. “SMS-based authentication is a leading source of fraud.” Starting immediately, new personal Microsoft accounts can no longer add SMS as a security method. Existing accounts lose SMS authentication entirely by the end of 2026. The phase-out affects hundreds of millions of users across Outlook.com, OneDrive, Xbox, Skype, and all consumer Microsoft 365 services. Microsoft set the full direction explicitly. “By moving to passwordless accounts, passkeys, and verified email, we’re helping you stay ahead of evolving threats while making account access simpler and more seamless.” That is not a security product update. It is an architectural shift in how identity works across the Windows ecosystem.
Why SMS Two-Factor Authentication Failed

The case against SMS 2FA has been building for years. The attack vectors are well-documented. SIM swapping allows a malicious actor to convince a mobile carrier to transfer a phone number to a new SIM — giving them access to every SMS code sent to that number. Social engineering exploits the same human factors that make phishing effective. SS7 protocol vulnerabilities — weaknesses in the ageing mobile network signalling infrastructure — allow sophisticated actors to intercept SMS messages without any interaction with the target. Beyond those active attacks, SMS authentication creates a specific failure mode when users change phone numbers, lose their devices, or travel internationally. Microsoft’s own data shows that SMS-protected accounts experience 99.9% fewer automated attacks than those with only a password. That sounds reassuring. In practice, it means SMS still leaves a gap that modern passkeys close almost entirely.
What Replaces SMS: Passkeys and the Road Ahead
Microsoft is steering users toward three alternatives. Passkeys are the primary recommendation. A passkey is a FIDO2-based credential — stored on a device using Windows Hello PIN, fingerprint, or face recognition — that authenticates without transmitting a secret that can be stolen. Passkeys are phishing-resistant by design. The credential binds to a specific website, so it cannot be used on a spoofed lookalike. They sync across devices via the Microsoft account — a feature added in the Windows 24H2 release. The second alternative is the Microsoft Authenticator app — which generates time-based one-time passwords locally rather than receiving them via SMS. The third is a verified secondary email address — a less secure option than passkeys, but meaningfully stronger than SMS.
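The website binding described above, shown as an added example (not Microsoft's code): the checks a relying-party server runs on a WebAuthn sign-in response, assuming the signature over the authenticator data and client-data hash has already been verified. The relying-party ID, origins, challenge and the `make_response` helper are constructed for illustration.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                          # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # constructed sign-in origin


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok", or the reason the sign-in response is rejected."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    # The browser, not the page, writes the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:  # 32-byte rpIdHash + flags byte + 4-byte counter
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # bit 0 = user present
        return "user not present"
    return "ok"


def make_response(origin: str, rp_id: str, challenge: bytes):
    """Constructed clientDataJSON and authenticator data for the demo."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (7).to_bytes(4, "big")
    return client, auth


if __name__ == "__main__":
    ch = bytes(range(32))  # constructed challenge
    for origin, rp in [(EXPECTED_ORIGIN, RP_ID),
                       ("https://login.examp1e.com", "examp1e.com")]:
        print(origin, "->", check_binding(*make_response(origin, rp, ch), ch))
```

A response produced on the lookalike origin fails the origin check even though the user approved it, which is the property SMS and typed one-time codes lack.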
Users who ignore the transition prompts face a specific risk. Anyone who relied on SMS as their only second factor and did not set up an alternative before the deadline will lose the ability to sign in with a password. They will then face a manual identity verification process using account recovery forms — a more laborious process than simply enrolling in a passkey.
The FBI’s License Plate Reader Request: A Nation-Wide Surveillance Network

On 14 May 2026, the FBI Directorate of Intelligence published a formal Request for Proposals seeking nationwide access to automated license plate reader (ALPR) data. The scale of what the bureau is requesting is substantial. The winning contractor must maintain a database of at least 30 billion records spanning a five-year period. It must cover 75% of US locations. It must be capable of providing data “in near real time” — with alerts arriving within two minutes of a target vehicle appearing on a camera. The bureau is willing to award the contract to one vendor or several — splitting the country into six regions if needed. The estimated value of the contract is up to $36 million.
The FBI’s own statement of need directly describes the purpose. “To evaluate and manage threats to personal safety, property, and law enforcement, the FBI requires professional service firms that can provide License Plate Readers for tracking subjects on roads and highways over the US and its territories.”
What ALPR Data Actually Captures
Automated license plate readers are cameras mounted on roadsides, bridges, toll plazas, patrol cars, and parking facilities. They combine high-speed cameras with optical character recognition to capture every license plate that passes within view. Modern systems can record up to 1,800 license plates per minute. Each scan creates a timestamped record of a specific vehicle at a specific location. The Electronic Frontier Foundation noted that the Los Angeles Police Department had collected more than 160 million location data points by 2012 alone. Today’s AI-enhanced systems go further — identifying dents, bumper stickers, and rideshare logos to create unique vehicle fingerprints. The result is a continuously growing record of where every tracked vehicle has been, extending back for months or years.
At national scale and retained for five years, that data reveals sensitive movement patterns without any individual suspicion or judicial authorization. A vehicle’s location history can show visits to medical clinics, places of worship, political meetings, reproductive health services, or private residences. Privacy advocates have long argued that this constitutes mass surveillance — regardless of whether any individual vehicle is under investigation.
The Constitutional and Privacy Concerns

The FBI’s request bypasses a fundamental Fourth Amendment question by purchasing commercial access rather than building its own collection infrastructure. The legal mechanism is the third-party doctrine — the position that information shared with a third party carries no reasonable expectation of privacy. Privacy advocates, including the Electronic Frontier Foundation and the ACLU, have argued for years that the third-party doctrine should not apply to comprehensive, scale-wide location tracking. The Supreme Court’s 2018 ruling in Carpenter v. United States suggested limits on warrantless cell phone location tracking — but ALPR data sits in legal grey territory that no definitive ruling has yet resolved.
Senator Ron Wyden (D-Oregon) has previously raised concerns about Flock Safety — the dominant ALPR vendor — providing federal agencies with access through pilot programmes that bypass formal contracting. Flock confirmed it ran a pilot providing access to Customs and Border Protection, Homeland Security Investigations, the Secret Service, and the Naval Criminal Investigative Service. Flock says it does not work with ICE and that federal data sharing is disabled by default for local law enforcement users. State laws add further complications. California bars state and local agencies from sharing plate camera data with federal law enforcement. Virginia passed a similar restriction last year. The FBI’s RFP specifically requires contractors to identify where their data servers are located — to verify compliance with those state laws. That provision is itself an acknowledgement that the surveillance network it proposes will operate across a complex legal patchwork.
Two Stories, One Week, Two Directions
The contrast between Microsoft’s passkey move and the FBI’s ALPR request is not incidental. Both reflect the same underlying dynamic. Security technology is becoming more powerful. The question is always who it protects — and who it monitors. Microsoft’s decision protects individual users from fraud by improving the authentication layer they control. The FBI’s request builds surveillance infrastructure that individual citizens cannot opt out of. One story gives people more control over their own digital identity. The other proposes tracking their physical movements at a national scale without a warrant.
TF Summary: What’s Next

Microsoft users should act immediately — setting up a passkey, downloading Microsoft Authenticator, and verifying a secondary email address before the SMS deadline. The Microsoft Account settings page includes a security readiness checker. SMS codes are active for existing accounts until the end of 2026. Users who do not take action will face manual account recovery when the phase-out completes.
MY FORECAST: Security technology news defines two trajectories for 2026 and beyond. Microsoft’s passkey migration will succeed — not because users proactively switch, but because the company will force the transition. By Q1 2027, most personal Microsoft accounts will operate without SMS authentication. The user experience improvement will outweigh the transition friction for most people. The FBI’s ALPR contract will be awarded — almost certainly to Flock Safety and Motorola Solutions. Privacy lawsuits will follow within months of the contract’s activation. The critical legal question — whether near-real-time nationwide vehicle tracking at scale requires a warrant under Carpenter — will reach a federal appeals court within 24 months. The outcome of that case will determine whether the FBI’s $36 million investment is permanent national infrastructure or a short-lived pilot.

