Microsoft has announced that passkeys will be the default authentication method for Entra ID enterprise identity services starting September 2026.
Passkeys will be automatically enabled for Entra ID users currently utilizing phone-based SMS and voice authentication, which will be phased out in February 2027 for all tenants.
Users already using passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or other phish-resistant methods can continue to employ these secure sign-in options.
“Once this rollout reaches organizations, users with SMS or voice authentication will automatically have a passkey enabled and will be prompted to register a passkey after their next multi-factor authentication.” Microsoft stated.
“Following this transition, on February 1, 2027, Microsoft will retire SMS and voice authentication services and will no longer support them as a feature for Microsoft Entra.”
By this deadline, organizations are advised to complete all multi-factor authentications using SMS or voice and transition to phish-resistant methods to avoid disruption to user sign-ins.

Administrators with the Global Leader, Authentication Policy Administrator, or Security Reader roles can use the following command to identify SMS or voice-authenticated users: Entra SMS/Voice Policy Scanner PowerShell Script.
Organizations requiring phone-based authentication must configure a third-party communications provider via the Microsoft Security Store.
Microsoft offers step-by-step guidance for deploying and managing Entra ID’s phishing-resistant passwordless authentication. Visit this documentation page.
To combat identity attacks and enhance account security, we urge users to transition away from phone-based authentication methods. In recent attacks, threat actors, including the ShinyHunters extortion gang, have targeted Microsoft Entra single sign-on (SSO) accounts, leading to SaaS data theft via stolen credentials.
“Microsoft Threat Intelligence reports click-through rates of 54% for AI-driven phishing campaigns, compared to about 12% for traditional methods, making stolen passwords and phishable second factors a critical risk,” Microsoft noted.
“By making passkeys the default authentication method, organizations reduce reliance on phishable authentication options, thus enhancing protection against credential theft and phishing attempts.”
Security teams document 54% of successful attacks yet only issue warnings on 14%. A recent whitepaper by Picus illustrates how to test your SIEM and EDR rules in breach simulations to ensure threats remain undetected.
Source: www.bleepingcomputer.com




