Microsoft Entra ID Security Update: Passkeys Become the Default
Microsoft is making passkeys the default phishing-resistant authentication method in Microsoft Entra ID, phasing out native SMS and voice authentication to combat increasingly sophisticated, AI-driven identity attacks.
Key Changes and Timeline
-
September 1, 2026: Passkeys become the default authentication experience. Users currently relying on SMS or voice will automatically be prompted to register a passkey during their next multifactor authentication sign-in.
-
September 18, 2026: Microsoft will release details, pricing, and deployment guidance for supported third-party telecom providers via the Microsoft Security Store.
-
October 30, 2026: Administrators can begin selecting and configuring a third-party telecom provider if their organization still has a strict requirement for SMS or voice authentication.
-
February 1, 2027: Microsoft will officially retire its native telecom delivery for SMS and voice. Organizations still utilizing these methods must transition to a third-party partner and absorb the associated telecom costs. Users attempting to use SMS or voice without a configured provider will be forced to register a passkey with no opt-out available.
The Case for Passkeys
Traditional authentication methods like SMS and voice rely on channels that are highly vulnerable to interception, SIM swapping, and MFA bypass. With AI-enabled phishing campaigns now achieving click-through rates as high as 54%, phishable second factors present an urgent security risk.
Passkeys replace shared secrets with public-key cryptography. This architecture is phishing-resistant by design, neutralizes the threat of credential theft, and provides a faster, more streamlined user sign-in experience.
Preparation Strategy
Organizations should take immediate steps to prepare for the transition:
-
Identify all users and groups currently authenticating via SMS or voice.
-
Design a passkey rollout plan. Entra ID supports synced passkeys (e.g., iCloud Keychain, Google Password Manager) and device-bound passkeys (e.g., Microsoft Authenticator, Windows Hello, FIDO2 security keys).
-
Deploy registration campaigns to automate passkey adoption prompts during user sign-in.
-
Communicate the upcoming changes to affected users.
-
If SMS or voice remains a strict technical or regulatory requirement, identify the affected user segments and prepare to integrate a supported third-party telecom provider before the February 2027 deadline.
