← All stories
● Covered by 1 source Β· 1 reportHigh impact

Microsoft Entra ID adopts passkeys as default authentication by September 2026

Aggregated by BrevFeed security Β· updated 15h ago
πŸ”– Save

Starting September 2026, Microsoft Entra ID will replace SMS and voice authentication with passkeys as the default method. This transition aims to enhance security against credential theft and phishing attacks, as SMS and voice authentication will be retired in February 2027.

Key points

Introduction of Passkeys in Entra ID

Microsoft has announced that passkeys will become the default authentication method for Entra ID, its enterprise identity service, starting in September 2026. This shift will automatically enable passkeys for users currently using SMS and voice authentication, which will be phased out by February 2027.

Transition Details

Users who already utilize passkeys, Windows Hello for Business, FIDO2 security keys, or smart cards can continue their existing methods. When the rollout occurs, affected users will be prompted to register a passkey the next time they perform multifactor authentication.

Phasing Out SMS and Voice Authentication

Microsoft has stated that on February 1, 2027, they will cease to support SMS and voice delivery as part of the Entra capabilities. Organizations are encouraged to transition to phishing-resistant methods to avoid disruptions in sign-ins.

Guidance for Organizations

Admins can identify users still employing SMS or voice authentication through the Entra SMS/Voice Policy Scanner PowerShell script. Organizations that need to maintain phone-based authentication must arrange for third-party telecom services. Microsoft has also provided documentation to assist in migrating to these new systems.

Security Implications

The change is part of a broader strategy to combat identity theft, particularly as AI-enabled phishing attacks have dramatically increased in effectiveness. Microsoft reports that such attacks have click-through rates of 54%, making the shift to passkeys crucial for enhancing account security. By reducing reliance on easily phished methods, organizations can better protect against these threats.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub microsoft/entra-sms-voice-usage-analyzer

Reporting from

Starting September 2026, Microsoft Entra ID will replace SMS and voice authentication with passkeys as the default method. This transition aims to enhance security against credential theft and phishing attacks, as SMS and voice authentication will be retired in February 2027.