Starting September 2026, Microsoft Entra ID will replace SMS and voice authentication with passkeys as the default method. This transition aims to enhance security against credential theft and phishing attacks, as SMS and voice authentication will be retired in February 2027.
Microsoft has announced that passkeys will become the default authentication method for Entra ID, its enterprise identity service, starting in September 2026. This shift will automatically enable passkeys for users currently using SMS and voice authentication, which will be phased out by February 2027.
Users who already utilize passkeys, Windows Hello for Business, FIDO2 security keys, or smart cards can continue their existing methods. When the rollout occurs, affected users will be prompted to register a passkey the next time they perform multifactor authentication.
Microsoft has stated that on February 1, 2027, they will cease to support SMS and voice delivery as part of the Entra capabilities. Organizations are encouraged to transition to phishing-resistant methods to avoid disruptions in sign-ins.
Admins can identify users still employing SMS or voice authentication through the Entra SMS/Voice Policy Scanner PowerShell script. Organizations that need to maintain phone-based authentication must arrange for third-party telecom services. Microsoft has also provided documentation to assist in migrating to these new systems.
The change is part of a broader strategy to combat identity theft, particularly as AI-enabled phishing attacks have dramatically increased in effectiveness. Microsoft reports that such attacks have click-through rates of 54%, making the shift to passkeys crucial for enhancing account security. By reducing reliance on easily phished methods, organizations can better protect against these threats.
β¨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β check the original sources. How BrevFeed works β
Starting September 2026, Microsoft Entra ID will replace SMS and voice authentication with passkeys as the default method. This transition aims to enhance security against credential theft and phishing attacks, as SMS and voice authentication will be retired in February 2027.