Updated
Updated · Microsoft · Jul 13
Microsoft Entra ID Defaults to Passkeys by Sept. 1, 2026, Ends SMS and Voice by Feb. 1, 2027
Updated
Updated · Microsoft · Jul 13

Microsoft Entra ID Defaults to Passkeys by Sept. 1, 2026, Ends SMS and Voice by Feb. 1, 2027

3 articles · Updated · Microsoft · Jul 13

Summary

  • Sept. 1, 2026 marks the start of Microsoft Entra ID’s rollout of passkeys as the default sign-in method, with users currently enabled for SMS or voice automatically prompted to register one at their next MFA check.
  • Feb. 1, 2027 is the cutoff for Microsoft-provided SMS and voice authentication in Entra ID, pushing organizations that still need those methods to buy third-party telecom support through the Microsoft Security Store.
  • 54% click-through rates in AI-enabled phishing campaigns—versus about 12% in traditional ones—help explain the shift, as Microsoft says passkeys’ public-key cryptography resists phishing, SIM swapping and MFA bypass better than shared-secret methods.
  • Sept. 18, 2026 brings provider lists and pricing, and Oct. 30, 2026 lets admins configure supported telecom partners; after Feb. 1, 2027, passkey registration prompts become mandatory for remaining SMS or voice users with no opt-out.
  • Public-cloud Entra ID tenants are first in scope, while other cloud environments will move on a separate timeline that Microsoft says it will announce later.

Insights

Is Microsoft's move to retire native SMS authentication a vital security upgrade or a hidden cost for millions of businesses?
As passkeys replace passwords, what is the new weakest link for hackers and how will users recover accounts if their devices are lost?
Passkeys stop phishing but not session hijacking. Is this mandatory security shift just moving the goalposts for cybercriminals?

Countdown to 2027: Microsoft Entra ID’s Move to Passkeys and the End of SMS/Voice Authentication

Overview

Microsoft has announced that passkeys will become the default authentication method for Microsoft Entra ID, marking a major shift in its security strategy. This move is designed to enhance both security and user experience, as passkeys are easier for users and much harder for attackers to compromise. Microsoft is rolling out this change with a clear migration plan, including set timelines, fallback options, and strong account recovery processes. The goal is to ensure organizations can transition smoothly from older, less secure methods like SMS and voice authentication, while benefiting from the advanced protection that passkeys provide.

...