As identification assaults develop extra refined within the AI period, organizations want stronger authentication strategies that defend customers from phishing, credential theft, and social engineering. To deal with these evolving threats, Microsoft Entra ID is updating its authentication expertise by making passkeys the default phishing-resistant authentication methodology, serving to prospects scale back reliance on phishable strategies resembling SMS and voice.
Starting September 1, 2026, Microsoft will start rolling out passkeys because the default authentication expertise in Microsoft Entra ID. Because the rollout reaches every group, customers enabled for SMS or voice authentication will mechanically be enabled for passkeys, and the following time they carry out multifactor authentication, they’ll be prompted to register a passkey.
Following this transition, on February 1, 2027, Microsoft will retire Microsoft-provided telecom supply for SMS and voice authentication and can not provide SMS and voice as a local Microsoft Entra functionality. Organizations that also require SMS or voice authentication strategies may have the choice to decide on one in all our telecom companions via the Microsoft Safety Retailer. Prospects will probably be answerable for any related telecom-related prices charged by the telecom companions.
We strongly advocate shifting customers to passkeys or one other phishing-resistant authentication methodology as quickly as doable.
Why stronger authentication issues within the AI period
Authentication strategies that use SMS or voice depend on shared secrets and techniques or channels that attackers more and more intercept, phish, or manipulate. Passkeys use public-key cryptography reasonably than shared secrets and techniques, making them phishing-resistant by design. Additionally they present a sooner, less complicated sign-in expertise for customers.
The case for shifting past SMS and voice is not simply that attackers intercept or socially engineer these strategies. The menace surroundings has modified in velocity, scale, and class. Microsoft Risk Intelligence has noticed AI-enabled phishing campaigns reaching click-through charges as excessive as 54%, in contrast with roughly 12% for extra conventional campaigns, making stolen passwords and phishable second elements an pressing danger.1 On the identical time, techniques resembling SIM swapping and multifactor authentication bypass have grow to be extra accessible and repeatable.
An AI-powered cyberattack can use a compromised identification to automate discovery, privilege escalation, and lateral motion a lot sooner than a human attacker working manually. This is the reason phishing-resistant authentication strategies are so vital.
By making passkeys the default authentication expertise, organizations scale back reliance on phishable authentication strategies and strengthen safety in opposition to credential theft and phishing.
Right now, Microsoft supplies the telecom supply behind SMS and voice authentication natively inside Entra ID. As a part of this transition, we’ll step again from offering that native telecom supply to encourage phishing-resistant strategies as the usual for everybody.
For many organizations, the really helpful path is straightforward: transfer customers to passkeys at no extra value. Â
When you’ve got a regulatory, technical, or enterprise requirement to maintain SMS or voice, you’ll have the ability to choose, configure, and handle a third-party telecom supplier via the Microsoft Safety Retailer—a associate market the place you may contract straight with supported carriers.Â
On September 18, 2026, we’ll share data on supported suppliers, deployment steerage, and technical documentation with pricing and industrial phrases obtainable via the Microsoft Safety Retailer.
The right way to put together
Begin planning your transition now so you may choose the deployment strategy that most closely fits your group and guarantee your customers are ready for upcoming adjustments to their sign-in expertise.
- Establish customers who nonetheless use SMS or voice. Overview your authentication methodology coverage and establish which customers or teams are enabled for SMS or voice authentication.
- Plan your passkey rollout. Allow passkeys and choose the kinds that greatest suit your customers’ gadgets and workflows. Microsoft Entra ID helps:
- Synced passkeys, resembling passkeys saved in platform credential managers like iCloud Keychain and Google Password Supervisor.
- Machine-bound passkeys, resembling Microsoft Authenticator passkeys, Entra passkey on Home windows, and FIDO2 safety keys.
- Use registration marketing campaign to drive adoption. Microsoft Entra ID will help organizations transfer customers at scale by prompting them to register a passkey throughout multifactor authentication sign-in.
- Put together person communications. Inform affected customers what’s altering, once they’ll see a passkey registration immediate, and how one can full registration on their machine.
For step-by-step steerage on planning, deploying, and managing passkeys, see our Microsoft Be taught documentation and passkey deployment information.Â
If regulated, technical, or operational eventualities nonetheless require SMS or voice:
- Establish and doc affected person segments.
- Beginning October 30, 2026, choose and configure a supported telecom supplier via the Microsoft Safety Retailer.
- Take a look at your configuration with a pilot group earlier than any broad rollout.
Timeline
| Date | Milestone |
|---|---|
| September 1, 2026Â | All customers enabled for SMS or voice are auto-enabled and nudged for passkey registration upon multifactor authentication sign-in.
Use the passkey deployment information to organize your surroundings for passkey use. Notify affected customers concerning the upcoming change. Guarantee each person has a phishing-resistant authentication methodology, resembling a passkey, Entra passkeys on Home windows, or a FIDO2 safety key. |
| September 18, 2026Â | Pricing, industrial phrases, and a listing of supported telecom suppliers will probably be shared.
In case you plan to proceed utilizing SMS or voice authentication, overview the obtainable supplier choices and establish affected customers. |
| October 30, 2026 | Admins might choose and configure a supported telecom supplier via the Microsoft Safety Retailer. |
| February 1, 2027 | Microsoft-provided SMS and voice authentication ends. Â
If SMS or voice stays essential for particular customers, configure a supported telecom supplier earlier than this date. |
| After February 1, 2027Â | Customers who use SMS or voice for multifactor authentication will probably be required to register a passkey earlier than they’ll check in. Automated prompts to register a passkey will probably be enforced for all customers in all tenants. There will probably be no opt-out possibility. |
Be aware: The dates outlined on this publish apply to Microsoft Entra ID within the public cloud solely. Assist for different cloud environments will observe on a separate timeline, with extra steerage and dates to be introduced upfront.
SMS and voice have served their objective properly, bringing multifactor authentication to billions of customers who in any other case would have had none. However the menace surroundings has developed past their capabilities, and we have to evolve with it.
We’re making passkeys the default in Entra ID as a result of they work higher for customers and worse for cyberattackers. We’re making an attempt to make this transition as predictable as doable with clear dates, fallback choices throughout migration, and restoration that doesn’t rely on phishable credentials anymore.
Be taught extra at aka.ms/passkeybydefaultÂ
To study extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our knowledgeable protection on safety issues. Additionally, observe us on LinkedIn (Microsoft Safety) and X (@MSFTSecurity) for the newest information and updates on cybersecurity.
