Microsoft announced that passkeys will become the default authentication method for Entra ID enterprise identity services starting September 2026. SMS and voice‑based multi‑factor authentication will be retired on February 1, 2027, prompting organizations to shift to phishing‑resistant solutions.

Key Takeaways

  • Passkeys become the default authentication for Entra ID in September 2026.
  • SMS and voice authentication will be discontinued on February 1, 2027.
  • Enterprises are urged to adopt phishing‑resistant, password‑less methods now.

Passkeys as the New Standard of Identity Security

Microsoft has officially declared that Microsoft Entra ID will switch to passkeys as the default authentication mechanism beginning September 2026. Users currently relying on phone‑based SMS or voice MFA will be automatically upgraded; the next time they perform multi‑factor authentication they will be prompted to register a passkey. This move aligns Entra ID with the industry‑wide shift toward password‑less, phishing‑resistant authentication.

Phase‑out of SMS/Voice Authentication

Effective February 1, 2027, Microsoft will retire its native SMS and voice delivery services for MFA. After this date, no tenant will be able to use these legacy channels, eliminating a common attack vector. Administrators holding Global Reader, Authentication Policy Administrator, or Security Reader roles can run the “Entra SMS/Voice Policy Scanner” PowerShell script to identify users still dependent on telephony‑based factors.

Third‑Party Telecom Integration via Microsoft Security Store

Organizations that, for regulatory or operational reasons, must retain phone‑based authentication will need to configure third‑party telecom providers through the Microsoft Security Store. Microsoft’s documentation provides step‑by‑step guidance for deploying passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, and other phishing‑resistant methods.

Escalating Threat Landscape and AI‑Driven Phishing

Threat intelligence reports show a dramatic surge in AI‑enabled phishing campaigns, with click‑through rates soaring to 54% compared with roughly 12% for traditional attacks. Groups such as ShinyHunters have recently targeted Microsoft Entra single sign‑on (SSO) accounts in large‑scale SaaS data‑theft operations. By making passkeys the default, Microsoft aims to cut the attack surface that relies on “phishable” second factors.

Recommendations for Enterprises

Enterprises should prioritize migrating every user to a phishing‑resistant authentication method before the February 2027 deadline to avoid sign‑in disruptions. Security teams are also encouraged to adopt breach‑and‑attack simulation (BAS) tools to validate that SIEM and EDR rules detect credential‑theft attempts early, as only 14% of successful attacks generate alerts today.