SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers
Canada
Microsoft makes passkeys default for Entra ID logins

Microsoft makes passkeys default for Entra ID logins

Tue, 14th Jul 2026 (Today)
Sean Mitchell
SEAN MITCHELL Publisher

Microsoft will make passkeys the default authentication method in Entra ID, starting with users enabled for SMS or voice authentication.

Under the plan, users who currently use SMS or voice for multifactor authentication in Microsoft Entra ID will be automatically enabled for passkeys and prompted to register one the next time they sign in with multifactor authentication. Microsoft will later end its own telecom delivery for SMS and voice authentication in Entra ID and shift customers that still need those methods to third-party providers available through the Microsoft Security Store.

The move marks a significant change in how Microsoft handles identity security in one of its core access management products. It also reflects a broader industry shift away from text message and voice-based checks, which security specialists have long viewed as weaker than methods based on cryptographic credentials.

The rollout of passkeys as the default experience in Entra ID will begin on September 1, 2026. On February 1, 2027, Microsoft will retire its telecom delivery for SMS and voice authentication and stop offering those methods as a native Entra feature.

Organisations that still need SMS or voice for regulatory, technical or business reasons will be able to choose a telecom partner through the Microsoft Security Store and will pay any related charges billed by that partner.

Threat shift

Microsoft presented the change as a response to a more aggressive identity threat landscape, particularly as attackers use artificial intelligence to improve phishing and social engineering campaigns. Passkeys, it said, are designed to resist phishing because they use public-key cryptography rather than shared secrets.

It cited Microsoft Threat Intelligence data showing AI-enabled phishing campaigns reaching click-through rates as high as 54%, compared with about 12% for more traditional campaigns. That, according to Microsoft, increases the risk associated with stolen passwords and second factors that can be intercepted or manipulated.

Microsoft also pointed to SIM swapping and multifactor authentication bypass as techniques that have become easier to repeat. A compromised identity, it argued, can now let an attacker automate discovery, privilege escalation and lateral movement far faster than would be possible through manual intrusion.

Migration path

For most customers, Microsoft is urging administrators to prepare for a passkey rollout rather than maintain older methods. Organisations should identify users still relying on SMS or voice, choose the passkey types that fit their device estate and workflows, and use registration campaigns to encourage adoption of the new sign-in method.

Entra ID supports synced passkeys stored in platform credential managers such as iCloud Keychain and Google Password Manager, as well as device-bound passkeys including Microsoft Authenticator passkeys, Entra passkey on Windows and FIDO2 security keys.

Administrators are also being advised to prepare user communications explaining what is changing and when users will receive a registration prompt. Customers that must retain SMS or voice in some cases should identify the affected user groups, select a supported telecom provider through the Security Store from late October 2026, and test the setup with a pilot group before broader deployment.

Key dates

More information on supported telecom providers, deployment guidance, pricing and commercial terms will be shared on September 18, 2026. From October 30, 2026, administrators will be able to select and configure a supported telecom provider through the Microsoft Security Store.

After February 1, 2027, users who still use SMS or voice for multifactor authentication will be required to register a passkey before they can sign in. The automatic prompt to register a passkey will then be enforced for all users in all tenants, with no opt-out.

The timetable applies only to Microsoft Entra ID in the public cloud. Other cloud environments will follow a separate schedule, with further guidance to be provided in advance.

Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering at Microsoft, set out the company's reasoning in a published note. "SMS and voice have served their purpose well, bringing multifactor authentication to billions of users who otherwise would have had none. But the threat environment has evolved beyond their capabilities, and we need to evolve with it. We're making passkeys the default in Entra ID because they work better for users and worse for cyberattackers. We're trying to make this transition as predictable as possible with clear dates, fallback options during migration, and recovery that doesn't depend on phishable credentials anymore," Abdo said.