Passkeys will soon be the default authentication method in Microsoft Entra ID – here's what it means for users and when the changes come into effect

The shift to passkeys for Microsoft Entra ID comes amidst growing concerns over AI-powered phishing and identity theft

Microsoft logo and branding illuminated against a dark backdrop on the company's vendor stall at Fira Gran Via during Mobile World Congress (MWC) 2026.
(Image credit: Getty Images)

Microsoft’s Entra ID platform will now operate solely with passkeys as it looks to shift away from SMS and voice-based authentication practices.

The changes to the identity management platform, set to come into effect on 1 September 2026, will see passkeys established as the “default authentication experience” for users.

Microsoft urged customers to move to passkeys or alternative phishing-resistant methods before the changeover.

“As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multi-factor authentication, they’ll be prompted to register a passkey,” the company explained in a blog post.

Latest Videos From

There is a grace period, however, with voice and SMS-based authentication still being possible until 1 February 2027. After that deadline, Microsoft will retire telecom delivery for both authentication methods and no longer offer SMS and voice as a “native Microsoft Entra capability.”

For those organizations that still require SMS or voice-based authentication, there is the option to do so via the Microsoft Security Store, where administrators can find approved telecom partners to facilitate this need.

This may incur additional costs, however, with Microsoft warning: "Customers will be responsible for any associated telecom-related costs charged by the telecom partners."

Why is Microsoft moving to passkeys?

According to Microsoft, the shift to passkeys is in response to growing concerns over credential theft, phishing, and social engineering attacks.

AI, the company added, has also prompted a rethink of identity security and a move away from “phishable methods” such as voice and SMS-based authentication.

“Authentication methods that use SMS or voice rely on shared secrets or channels that attackers increasingly intercept, phish, or manipulate,” Microsoft explained.

“The case for moving beyond SMS and voice is no longer just that attackers intercept or socially engineer these methods. The threat environment has changed in speed, scale, and sophistication.”

Microsoft said its Threat Intelligence division has observed a marked rise in AI-enabled phishing campaigns in recent months, with these methods reaching click-through rates as high as 54%.

That’s a stark contrast compared to the 12% click-through rates typically observed in traditional campaigns, highlighting the potency of this new wave of attacks.

Other tactics employed by threat actors, such as SIM swapping and MFA bypass techniques, have also become “more accessible and repeatable”, Microsoft noted.

As ITPro reported earlier this year, AI-generated phishing campaigns have become a recurring concern for cybersecurity leaders.

Research from Kaseya suggested that AI phishing “became the baseline” for threat actors in 2025: 83% of phishing emails used AI in some capacity, while 40% of business email compromise (BEC) attacks also fared similarly.

Why passkeys?

Passkeys are touted as a more reliable and secure method of authentication, as they tie credentials to a specific device, such as a smartphone or laptop. This removes the need for interceptable codes.

Indeed, Microsoft noted that because they use public-key cryptography rather than “shared secrets”, this makes them phishing-resistant by design.

“They also provide a faster, simpler sign-in experience for users,” the company noted.

Microsoft isn’t alone in advising the shift to passkeys. Earlier this year, the UK’s National Cyber Security Centre (NCSC) urged enterprises and consumers alike to adopt passkeys to provide “stronger resilience” and ease-of-use.

“We strongly advise all organizations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication," NCSC CTO Ollie Whitehouse said at the time.

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.