Microsoft Changes Entra ID default Authentication Method to Passkeys, Replacing Passwords

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Microsoft is retiring phishable SMS and voice-based multifactor authentication in Microsoft Entra ID, replacing them with passkeys as the default sign-in method starting September 1, 2026.

The move responds to a surge in AI-enabled phishing campaigns that Microsoft Threat Intelligence has observed achieving click-through rates as high as 54%, compared to roughly 12% for traditional phishing attempts.

Beginning September 1, 2026, users currently enabled for SMS or voice authentication will be automatically enrolled in passkeys, receiving a registration prompt the next time they perform multifactor authentication.

Entra ID default Authentication Passkeys

Microsoft’s rollout plan is structured around several key milestones:

  • September 1, 2026: Auto-enablement and passkey nudges begin for all SMS/voice users during MFA sign-in.
  • September 18, 2026: Microsoft publishes pricing, commercial terms, and supported telecom provider lists via the Microsoft Security Store.
  • October 30, 2026: Admins can select and configure third-party telecom providers for organizations that still require SMS or voice.
  • February 1, 2027: Microsoft-provided native SMS and voice authentication delivery ends entirely.
  • After February 1, 2027: Passkey registration prompts become mandatory for all users in all tenants with no opt-out.

This builds on earlier passwordless momentum, including the March 2026 rollout of passkey profiles as the default sign-in configuration for enterprise tenants and May 2026’s expansion of system-preferred authentication to cover first-factor sign-in globally.

Passkeys rely on public-key cryptography rather than shared secrets, making them inherently phishing-resistant, unlike SMS and voice codes that attackers can intercept via SIM swapping or social engineering.

Microsoft argues that AI-powered attackers can now automate discovery, privilege escalation, and lateral movement far faster once they compromise a phishable credential, elevating the urgency of eliminating weak second factors.

Internally, Microsoft claims it has already achieved phishing-resistant authentication coverage across 99.6% of its own users and devices by eliminating legacy methods.

Entra ID supports both synced passkeys (stored in platform credential managers like iCloud Keychain and Google Password Manager) and device-bound passkeys (Microsoft Authenticator, Entra passkey on Windows, and FIDO2 security keys), giving organizations flexibility in deployment.

Regulatory drivers are compounding this shift; analysts note that NIS2 compliance requirements in the EU are pushing organizations toward mandatory passwordless authentication after voluntary adoption stalled despite passkeys being available for over a year.

Organizations with legitimate regulatory or technical needs to retain SMS or voice can contract directly with supported telecom carriers through the Microsoft Security Store starting October 30, 2026, though they will bear the associated telecom costs.

Microsoft recommends organizations act immediately rather than waiting for the automatic rollout:

  • Audit authentication policies to identify users and groups still relying on SMS or voice MFA.
  • Enable passkey support and choose synced or device-bound types based on user devices and workflows.
  • Use Entra ID’s registration campaign feature to drive passkey adoption at scale during MFA sign-in.
  • Communicate proactively with affected users about upcoming registration prompts and sign-in changes.
  • Pilot any retained telecom provider configuration before broad rollout if SMS/voice remains a regulatory necessity.

Note that this timeline applies specifically to Microsoft Entra ID in the public cloud; government cloud environments (GCC, GCC High, DoD) will follow separate timelines to be announced later.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

The post Microsoft Changes Entra ID default Authentication Method to Passkeys, Replacing Passwords appeared first on Cyber Security News.