Microsoft Forcing Passkey Adoption
Microsoft plans to phase out SMS and voice authentication for Entra ID, signaling a permanent move toward a passwordless enterprise future.
The era of traditional authentication is rapidly closing as Microsoft prepares to mandate a significant shift in how enterprises secure their digital perimeters. By prioritizing Passkeys as the primary method for accessing its cloud-based identity services, the tech giant is effectively forcing a transition that many organizations have been slow to adopt voluntarily.
The End of SMS Authentication
Starting September 1, 2026, Microsoft will integrate passkeys as the default authentication standard within its Entra ID platform. This transition is not merely a suggestion; it represents a fundamental change in the security architecture of the Identity and Access Management landscape. The company has set a clear expiration date for legacy methods, with support for SMS and voice-based authentication slated to conclude on February 1, 2027.
Moving Beyond Phishable Secrets
The push toward passkeys, which rely on local biometrics or device-bound hardware rather than transmissible strings of characters, aims to neutralize the primary leverage held by modern threat actors. As organizations grapple with the reality of AI-driven credential harvesting, the removal of shared secrets from the authentication loop is a strategic necessity.
“That shift is significant as attackers increasingly rely on AI to automate phishing campaigns, generate convincing login pages, and conduct large-scale credential theft.”
— Ensar Seker, CISO at SOCRadar
Critical Transition Milestones
- September 1, 2026: Users relying on SMS or voice will be prompted to register a passkey upon signing into MFA.
- September 18, 2026: Microsoft will release details on commercial terms and telecom providers for organizations needing exceptions.
- October 30, 2026: Enterprises still utilizing SMS or voice must configure their chosen telecom provider through the Microsoft Security Store at their own cost.
- February 1, 2027: Microsoft-provided telecom delivery for SMS and voice authentication reaches its official end of support.
Strategic Implications for Security
While the elimination of password fatigue is a welcome operational side effect, the true value lies in the reduction of the overall attack surface. By removing the ability for users to be tricked into handing over credentials via AI-generated phishing sites, enterprises can move away from the unsustainable model of relying solely on end-user vigilance. However, security leaders must recognize that passkeys are not a total panacea. They remain vulnerable to threats like session token theft, malicious insiders, and the compromise of the underlying endpoint device itself. Consequently, the transition to a passwordless model must be paired with rigorous endpoint protection, continuous monitoring, and strict conditional access policies to remain effective. Organizations that continue to lean on legacy password-based authentication will find themselves at an escalating disadvantage as the costs associated with successful credential breaches continue to rise in the face of automated, high-speed adversarial tactics.