VYPR
advisoryPublished Jul 13, 2026· 1 source

Microsoft Entra ID Mandates Passkeys as Default Authentication, Phasing Out SMS/Voice

Microsoft Entra ID will make passkeys the default authentication method starting September 1, 2026, and retire native SMS/voice support by February 1, 2027, to combat AI-driven identity attacks.

Microsoft is significantly overhauling its authentication strategy for Microsoft Entra ID, announcing that passkeys will become the default phishing-resistant authentication method for all users starting September 1, 2026. This move is a direct response to the escalating sophistication of identity-based attacks, particularly those amplified by artificial intelligence. The company aims to steer organizations away from vulnerable methods like SMS and voice calls, which are increasingly susceptible to interception, phishing, and social engineering.

As the rollout progresses, users currently authenticated via SMS or voice will be prompted to register a passkey during their next multifactor authentication process. This transition is designed to be seamless for most users, leveraging public-key cryptography inherent in passkeys to provide a more secure and user-friendly sign-in experience. Microsoft highlights that AI-enabled phishing campaigns have shown dramatically higher click-through rates compared to traditional methods, underscoring the urgent need for stronger, phishing-resistant authentication.

Beyond encouraging passkey adoption, Microsoft is also setting a firm deadline for its native SMS and voice authentication capabilities. On February 1, 2027, these methods will be retired from Microsoft Entra ID. Organizations that still have a business, regulatory, or technical requirement for SMS or voice authentication will need to contract with third-party telecom partners, available through the Microsoft Security Store. Microsoft will provide guidance on supported providers, pricing, and deployment on September 18, 2026.

The rationale behind this aggressive shift lies in the evolving threat landscape. AI is not only enhancing the scale and speed of attacks but also making sophisticated techniques like SIM swapping and multifactor authentication bypass more accessible to threat actors. By defaulting to passkeys, Microsoft seeks to build a more resilient identity infrastructure, reducing the attack surface for credential theft and unauthorized access.

To facilitate this transition, Microsoft is providing resources and guidance for organizations. This includes identifying users who currently rely on SMS or voice, planning passkey rollout strategies, and preparing user communications. The company supports various passkey types, including synced passkeys (e.g., iCloud Keychain, Google Password Manager) and device-bound passkeys (e.g., Microsoft Authenticator, FIDO2 security keys).

Organizations are strongly advised to begin planning their migration immediately. This involves reviewing current authentication policies, enabling passkeys, and potentially running registration campaigns to drive user adoption. For those needing to retain SMS or voice capabilities, the process involves selecting and configuring a supported telecom provider through the Microsoft Security Store, with testing recommended before a broad rollout.

The timeline is clear: by September 1, 2026, all users enabled for SMS or voice will be nudged towards passkey registration. By September 18, 2026, details on third-party telecom providers will be available. The retirement of native SMS and voice support on February 1, 2027, marks a definitive end to these legacy authentication methods within Entra ID, pushing organizations towards a more secure, passwordless future.

This strategic pivot by Microsoft underscores the growing importance of phishing-resistant authentication in an era of advanced AI-driven cyber threats. The move away from easily compromised methods like SMS and voice is a critical step in bolstering the security posture of millions of users and organizations relying on Microsoft Entra ID.

Synthesized by Vypr AI