Microsoft Entra ID Adopts Passkeys as Default Authentication

Microsoft is set to phase out traditional SMS and voice-based multifactor authentication (MFA) methods in its Entra ID platform, transitioning to passkeys as the default sign-in method starting September 1, 2026. This strategic shift aims to bolster security in response to a significant rise in AI-driven phishing attacks, which have demonstrated click-through rates up to 54%, a stark increase from the approximately 12% observed in conventional phishing attempts.

Transition Timeline and Key Milestones

The transition to passkeys will unfold through several critical phases:

  • September 1, 2026: Users currently utilizing SMS or voice authentication will be automatically enrolled in passkeys. Upon their next MFA sign-in, they will receive prompts to register for passkeys.
  • September 18, 2026: Microsoft will release detailed information regarding pricing, commercial terms, and a list of supported telecom providers via the Microsoft Security Store.
  • October 30, 2026: Administrators will have the capability to select and configure third-party telecom providers for organizations that still necessitate SMS or voice authentication.
  • February 1, 2027: Microsoft will cease its native SMS and voice authentication delivery services entirely.
  • Post-February 1, 2027: Passkey registration prompts will become mandatory for all users across all tenants, with no option to opt out.

Advantages of Passkeys Over Traditional MFA Methods

Passkeys utilize public-key cryptography, eliminating the need for shared secrets and rendering them inherently resistant to phishing attacks. In contrast, SMS and voice codes are susceptible to interception through methods like SIM swapping and social engineering. The advent of AI-powered attackers has expedited the processes of discovery, privilege escalation, and lateral movement following the compromise of phishable credentials, underscoring the urgency of adopting more secure authentication methods.

Microsoft reports that it has already achieved phishing-resistant authentication coverage for 99.6% of its internal users and devices by eliminating legacy authentication methods. Entra ID supports both synced passkeys, stored in platform credential managers such as iCloud Keychain and Google Password Manager, and device-bound passkeys, including Microsoft Authenticator, Entra passkey on Windows, and FIDO2 security keys. This dual support offers organizations flexibility in deployment based on their specific needs.

Regulatory Implications and Recommendations for Organizations

Regulatory frameworks, such as the NIS2 compliance requirements in the European Union, are increasingly mandating passwordless authentication solutions. Despite the availability of passkeys for over a year, voluntary adoption has been sluggish, prompting regulatory bodies to enforce stricter compliance measures.

Organizations with legitimate regulatory or technical requirements to retain SMS or voice authentication can establish direct contracts with supported telecom carriers through the Microsoft Security Store starting October 30, 2026. However, they will be responsible for the associated telecom costs.

Microsoft advises organizations to proactively prepare for this transition by:

  • Auditing current authentication policies to identify users and groups still relying on SMS or voice MFA.
  • Enabling passkey support and selecting between synced or device-bound types based on user devices and workflows.

By initiating these steps promptly, organizations can ensure a seamless transition to more secure authentication methods, thereby enhancing their overall security posture.

The move to passkeys represents a significant advancement in authentication security, addressing the vulnerabilities associated with traditional MFA methods. As cyber threats continue to evolve, adopting robust, phishing-resistant authentication mechanisms like passkeys is crucial for safeguarding organizational assets and maintaining compliance with emerging regulatory standards.