As identification assaults develop extra refined within the AI period, organizations want stronger authentication strategies that shield customers from phishing, credential theft, and social engineering. To deal with these evolving threats, Microsoft Entra ID is updating its authentication expertise by making passkeys the default phishing-resistant authentication technique, serving to prospects scale back reliance on phishable strategies corresponding to SMS and voice.
Starting September 1, 2026, Microsoft will start rolling out passkeys because the default authentication expertise in Microsoft Entra ID. Because the rollout reaches every group, customers enabled for SMS or voice authentication will robotically be enabled for passkeys, and the following time they carry out multifactor authentication, they’ll be prompted to register a passkey.
Following this transition, on February 1, 2027, Microsoft will retire Microsoft-provided telecom supply for SMS and voice authentication and can not supply SMS and voice as a local Microsoft Entra functionality. Organizations that also require SMS or voice authentication strategies can have the choice to decide on one in every of our telecom companions by way of the Microsoft Safety Retailer. Clients will probably be chargeable for any related telecom-related prices charged by the telecom companions.
We strongly suggest transferring customers to passkeys or one other phishing-resistant authentication technique as quickly as potential.
Why stronger authentication issues within the AI period
Authentication strategies that use SMS or voice depend on shared secrets and techniques or channels that attackers more and more intercept, phish, or manipulate. Passkeys use public-key cryptography relatively than shared secrets and techniques, making them phishing-resistant by design. Additionally they present a sooner, less complicated sign-in expertise for customers.
The case for transferring past SMS and voice is not simply that attackers intercept or socially engineer these strategies. The menace surroundings has modified in pace, scale, and class. Microsoft Menace Intelligence has noticed AI-enabled phishing campaigns reaching click-through charges as excessive as 54%, in contrast with roughly 12% for extra conventional campaigns, making stolen passwords and phishable second components an pressing danger.1 On the similar time, ways corresponding to SIM swapping and multifactor authentication bypass have grow to be extra accessible and repeatable.
An AI-powered cyberattack can use a compromised identification to automate discovery, privilege escalation, and lateral motion a lot sooner than a human attacker working manually. For this reason phishing-resistant authentication strategies are so necessary.
By making passkeys the default authentication expertise, organizations scale back reliance on phishable authentication strategies and strengthen safety in opposition to credential theft and phishing.
In the present day, Microsoft supplies the telecom supply behind SMS and voice authentication natively inside Entra ID. As a part of this transition, we’ll step again from offering that native telecom supply to encourage phishing-resistant strategies as the usual for everybody.
For many organizations, the advisable path is easy: transfer customers to passkeys at no further value.
When you’ve got a regulatory, technical, or enterprise requirement to maintain SMS or voice, you’ll be capable to choose, configure, and handle a third-party telecom supplier by way of the Microsoft Safety Retailer—a companion market the place you may contract instantly with supported carriers.
On September 18, 2026, we’ll share data on supported suppliers, deployment steering, and technical documentation with pricing and industrial phrases accessible by way of the Microsoft Safety Retailer.
Find out how to put together
Begin planning your transition now so you may choose the deployment strategy that most closely fits your group and guarantee your customers are ready for upcoming adjustments to their sign-in expertise.
- Establish customers who nonetheless use SMS or voice. Assessment your authentication technique coverage and establish which customers or teams are enabled for SMS or voice authentication.
- Plan your passkey rollout. Allow passkeys and choose the kinds that finest suit your customers’ gadgets and workflows. Microsoft Entra ID helps:
- Synced passkeys, corresponding to passkeys saved in platform credential managers like iCloud Keychain and Google Password Supervisor.
- Gadget-bound passkeys, corresponding to Microsoft Authenticator passkeys, Entra passkey on Home windows, and FIDO2 safety keys.
- Use registration marketing campaign to drive adoption. Microsoft Entra ID may also help organizations transfer customers at scale by prompting them to register a passkey throughout multifactor authentication sign-in.
- Put together person communications. Inform affected customers what’s altering, once they’ll see a passkey registration immediate, and how one can full registration on their gadget.
For step-by-step steering on planning, deploying, and managing passkeys, see our Microsoft Be taught documentation and passkey deployment information.
If regulated, technical, or operational situations nonetheless require SMS or voice:
- Establish and doc affected person segments.
- Beginning October 30, 2026, choose and configure a supported telecom supplier by way of the Microsoft Safety Retailer.
- Check your configuration with a pilot group earlier than any broad rollout.
Timeline
| Date | Milestone |
|---|---|
| September 1, 2026 | All customers enabled for SMS or voice are auto-enabled and nudged for passkey registration upon multifactor authentication sign-in.
Use the passkey deployment information to organize your surroundings for passkey use. Notify affected customers in regards to the upcoming change. Guarantee each person has a phishing-resistant authentication technique, corresponding to a passkey, Entra passkeys on Home windows, or a FIDO2 safety key. |
| September 18, 2026 | Pricing, industrial phrases, and a listing of supported telecom suppliers will probably be shared.
In the event you plan to proceed utilizing SMS or voice authentication, evaluate the accessible supplier choices and establish affected customers. |
| October 30, 2026 | Admins might choose and configure a supported telecom supplier by way of the Microsoft Safety Retailer. |
| February 1, 2027 | Microsoft-provided SMS and voice authentication ends.
If SMS or voice stays vital for particular customers, configure a supported telecom supplier earlier than this date. |
| After February 1, 2027 | Customers who use SMS or voice for multifactor authentication will probably be required to register a passkey earlier than they will register. Automated prompts to register a passkey will probably be enforced for all customers in all tenants. There will probably be no opt-out choice. |
Notice: The dates outlined on this submit apply to Microsoft Entra ID within the public cloud solely. Help for different cloud environments will observe on a separate timeline, with further steering and dates to be introduced prematurely.
SMS and voice have served their goal nicely, bringing multifactor authentication to billions of customers who in any other case would have had none. However the menace surroundings has advanced past their capabilities, and we have to evolve with it.
We’re making passkeys the default in Entra ID as a result of they work higher for customers and worse for cyberattackers. We’re attempting to make this transition as predictable as potential with clear dates, fallback choices throughout migration, and restoration that doesn’t rely on phishable credentials anymore.
Be taught extra at aka.ms/passkeybydefault
To study extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our knowledgeable protection on safety issues. Additionally, observe us on LinkedIn (Microsoft Safety) and X (@MSFTSecurity) for the most recent information and updates on cybersecurity.


Leave a Reply