Microsoft Entra ID to Default to Passkeys, Phasing Out SMS and Voice Authentication
**Microsoft** is set to elevate security for its **Entra ID** enterprise identity service by making passkeys the default authentication method starting September 2026. This move will automatically enable passkeys for users currently relying on phone-based SMS and voice authentication, which **Microsoft** plans to retire entirely by February 2027 across all tenants.

**Microsoft** has announced a significant shift in its authentication strategy for **Entra ID**, its enterprise identity service. Starting September 2026, passkeys will become the default authentication method, marking a crucial step towards a more secure and phishing-resistant environment.
### Phasing Out Legacy Authentication
Users currently utilizing phone-based SMS and voice authentication for **Entra ID** will automatically transition to passkeys. This change precedes the complete retirement of SMS and voice authentication across all **Microsoft** tenants by February 1, 2027.
However, users already employing phishing-resistant methods such as passkeys, **Windows Hello for Business**, **FIDO2** security keys, or smart cards will continue to use their existing authentication methods without disruption.
"As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multifactor authentication, they'll be prompted to register a passkey," **Microsoft** stated.
### Preparing for the Transition
Organizations are strongly advised to ensure all users adopt a phishing-resistant authentication method well before the February 2027 deadline. Failure to do so could lead to sign-in disruptions once SMS and voice options are no longer available as native **Microsoft Entra** capabilities.

*Timeline for SMS/voice authentication retirement (Microsoft)*
Admins with global reader, Authentication policy administrator, or Security reader roles can identify users still relying on SMS or voice authentication by running the **Entra SMS/Voice Policy Scanner PowerShell script** available on **GitHub**.
For organizations with specific requirements for phone-based authentication, the option to configure third-party telecom providers through the **Microsoft Security Store** will remain available.
**Microsoft** has also provided comprehensive, step-by-step guidance on deploying and managing phishing-resistant passwordless authentication for **Entra ID** on its dedicated documentation page.
### Mitigating Modern Threats
The move away from telephony-based authentication is a direct response to the increasing sophistication of identity attacks. Threat actors, including the notorious **ShinyHunters** extortion gang, have repeatedly targeted **Microsoft Entra** single sign-on (SSO) accounts in recent SaaS data-theft campaigns, leveraging stolen credentials and device code vishing attacks.
**Microsoft Threat Intelligence** has highlighted the urgency of this transition, noting that "AI-enabled phishing campaigns reaching click-through rates as high as 54%, compared with roughly 12% for more traditional campaigns, making stolen passwords and phishable second factors an urgent risk."
By establishing passkeys as the default authentication experience, **Microsoft** aims to significantly reduce reliance on vulnerable authentication methods, thereby strengthening defenses against credential theft and sophisticated phishing attacks.