Updated
Updated · Computerworld · Jul 15
Microsoft Makes Passkeys Default in Entra ID by Sept. 2026, Ends SMS MFA by Feb. 2027
Updated
Updated · Computerworld · Jul 15

Microsoft Makes Passkeys Default in Entra ID by Sept. 2026, Ends SMS MFA by Feb. 2027

3 articles · Updated · Computerworld · Jul 15

Summary

  • September 1, 2026 marks the start of Microsoft’s Entra ID shift to passkeys by default, with SMS- or voice-enabled users automatically prompted to register one during MFA sign-in.
  • February 1, 2027 is the cutoff for Microsoft-provided SMS and voice authentication in public-cloud Entra ID, leaving no opt-out; organizations that still need those methods must arrange supported telecom providers and bear the costs.
  • Microsoft and security experts say the change targets AI-amplified phishing and credential theft, because passkeys rely on device possession plus biometrics or a PIN instead of shared secrets that can be intercepted.
  • September 18 and October 30, 2026 are key transition dates for pricing, provider lists and enterprise configuration, while other cloud environments will move on a separate timeline.
  • Enterprises are being told to identify users still on SMS or voice, deploy synced or device-bound passkeys and tighten device management, conditional access and monitoring because passkeys do not stop endpoint compromise or token theft.

Insights

As Microsoft mandates passkeys, are we just swapping vulnerable passwords for equally vulnerable personal devices?
If passkeys neutralize phishing, what will become the next dominant threat to our digital identities?

Microsoft Entra ID’s Move to Passkeys by 2027: What Organizations Need to Know About the End of SMS and Voice MFA

Overview

Microsoft is making a major change by moving away from traditional SMS and voice-based multifactor authentication (MFA) for Entra ID, as these older methods have become too vulnerable in today’s threat landscape. Instead, Microsoft is shifting towards more secure, phishing-resistant options like passkeys. By February 1, 2027, users must switch to these new methods, as SMS and voice will no longer be supported. Organizations are strongly encouraged to prepare for this transition now to avoid disruptions, ensuring all users adopt stronger authentication and stay protected against evolving security threats.

...