Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/CyberSecurity News/Microsoft Entra ID Defaults to Passkeys, Replacing Passwords
CyberSecurity News

Microsoft Entra ID Defaults to Passkeys, Replacing Passwords

Key Takeaways Microsoft Entra ID will transition to passkeys as the default authentication method, phasing out phishable SMS and voice-based multifactor authentication. This change is a direct...

Marcus Rodriguez
Marcus Rodriguez
July 14, 2026 4 Min Read
15 0

Key Takeaways

  • Microsoft Entra ID will transition to passkeys as the default authentication method, phasing out phishable SMS and voice-based multifactor authentication.
  • This change is a direct response to the escalating threat of AI-powered phishing campaigns, which exhibit significantly higher success rates than traditional methods.
  • The mandatory shift begins September 1, 2026, with a complete cessation of Microsoft-provided SMS and voice authentication by February 1, 2027.
  • Organizations must prepare by auditing current authentication methods, enabling passkey support, and proactively communicating changes to users.

Microsoft Entra ID Embraces Passkeys, Sunsetting Legacy MFA

Microsoft has announced a significant shift in its authentication strategy for Microsoft Entra ID, designating passkeys as the default sign-in method. This transition, set to commence on September 1, 2026, will effectively replace phishable SMS and voice-based multifactor authentication (MFA) methods.

Table Of Content

  • Key Takeaways
  • Microsoft Entra ID Embraces Passkeys, Sunsetting Legacy MFA
  • Phased Rollout and Key Milestones
  • The Security Advantage of Passkeys
  • What You Should Do

The move is a strategic response to the alarming proliferation of AI-enabled phishing campaigns. Microsoft Threat Intelligence has observed these advanced attacks achieving click-through rates as high as 54%, a stark contrast to the approximately 12% success rate of conventional phishing attempts. The inherent resistance of passkeys to such sophisticated attacks makes them a critical upgrade in the evolving cybersecurity landscape.

Starting September 1, 2026, users currently configured for SMS or voice authentication will be automatically enrolled in passkeys. These users will encounter a registration prompt during their next multifactor authentication event, guiding them through the setup process for their new passkey.

Phased Rollout and Key Milestones

Microsoft’s implementation plan for this change is structured around several critical dates:

  • September 1, 2026: The automatic enablement of passkeys and nudges for all users relying on SMS/voice during MFA sign-in will begin.
  • September 18, 2026: Microsoft will release comprehensive pricing details, commercial terms, and a list of supported telecom providers through the Microsoft Security Store.
  • October 30, 2026: Administrators will gain the ability to select and configure third-party telecom providers for organizations that have specific, validated requirements to retain SMS or voice authentication.
  • February 1, 2027: Microsoft will cease providing native SMS and voice authentication delivery services entirely.
  • After February 1, 2027: Passkey registration prompts will become mandatory for all users across all tenants, with no option to opt out.

This initiative builds upon previous advancements in passwordless authentication within Entra ID. Notably, March 2026 saw the introduction of passkey profiles as the default sign-in configuration for enterprise tenants. This was followed in May 2026 by the global expansion of system-preferred authentication to encompass first-factor sign-in, laying the groundwork for the current transition.

The Security Advantage of Passkeys

Passkeys leverage public-key cryptography, a fundamentally more secure approach than shared secrets. This makes them inherently resistant to phishing attacks, unlike SMS and voice codes, which are susceptible to interception through methods like SIM swapping or social engineering. Microsoft emphasizes that AI-powered attackers can now automate discovery, privilege escalation, and lateral movement at an accelerated pace once a phishable credential is compromised, underscoring the urgency of eliminating weak second factors.

Internally, Microsoft claims it has already achieved phishing-resistant authentication coverage for 99.6% of its own users and devices by deprecating legacy methods.

Entra ID supports both synced passkeys, which are stored in platform credential managers such as iCloud Keychain and Google Password Manager, and device-bound passkeys, available via Microsoft Authenticator, Entra passkey on Windows, and FIDO2 security keys. This dual approach offers organizations flexibility in their deployment strategies.

Beyond security enhancements, regulatory pressures are also driving this shift. Industry analysts point to NIS2 compliance requirements within the European Union, which are pushing organizations towards mandatory passwordless authentication, especially after voluntary adoption rates for passkeys, despite their availability for over a year, remained stagnant.

Organizations with legitimate regulatory or technical justifications for retaining SMS or voice authentication can establish direct contracts with supported telecom carriers through the Microsoft Security Store, beginning October 30, 2026. However, these organizations will be responsible for the associated telecom costs.

It is important to note that this timeline applies specifically to Microsoft Entra ID in the public cloud. Government cloud environments (GCC, GCC High, DoD) will follow separate timelines, which are expected to be announced at a later date.

What You Should Do

Microsoft strongly advises organizations to take immediate action rather than waiting for the automatic rollout:

  • Conduct a thorough audit of existing authentication policies to identify all users and groups that currently rely on SMS or voice MFA.
  • Enable passkey support within Entra ID and strategically choose between synced or device-bound passkey types based on your organization’s user devices and workflow requirements.
  • Leverage Entra ID’s registration campaign feature to facilitate and scale passkey adoption during MFA sign-in events.
  • Proactively communicate with affected users regarding upcoming passkey registration prompts and changes to their sign-in experience.
  • For organizations with a regulatory necessity to retain SMS/voice, pilot any chosen third-party telecom provider configuration before a broad rollout.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackphishingSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical ServiceNow Vulnerability Lets Remote Attackers Execute Code

Next Post

Over 150 Malicious npm Packages Enable DDoS Attacks on Students

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us