Passkeys will soon be the default authentication method in Microsoft Entra ID – here's what it means for users and when the changes come into effect
The shift to passkeys for Microsoft Entra ID comes amidst growing concerns over AI-powered phishing and identity theft
Microsoft’s Entra ID platform will now operate solely with passkeys as it looks to shift away from SMS and voice-based authentication practices.
The changes to the identity management platform, set to come into effect on 1 September 2026, will see passkeys established as the “default authentication experience” for users.
Microsoft urged customers to move to passkeys or alternative phishing-resistant methods before the changeover.
“As the rollout reaches each organization, users enabled for SMS or voice authentication will automatically be enabled for passkeys, and the next time they perform multi-factor authentication, they’ll be prompted to register a passkey,” the company explained in a blog post.
There is a grace period, however, with voice and SMS-based authentication still being possible until 1 February 2027. After that deadline, Microsoft will retire telecom delivery for both authentication methods and no longer offer SMS and voice as a “native Microsoft Entra capability.”
For those organizations that still require SMS or voice-based authentication, there is the option to do so via the Microsoft Security Store, where administrators can find approved telecom partners to facilitate this need.
This may incur additional costs, however, with Microsoft warning: "Customers will be responsible for any associated telecom-related costs charged by the telecom partners."
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Why is Microsoft moving to passkeys?
According to Microsoft, the shift to passkeys is in response to growing concerns over credential theft, phishing, and social engineering attacks.
AI, the company added, has also prompted a rethink of identity security and a move away from “phishable methods” such as voice and SMS-based authentication.
“Authentication methods that use SMS or voice rely on shared secrets or channels that attackers increasingly intercept, phish, or manipulate,” Microsoft explained.
“The case for moving beyond SMS and voice is no longer just that attackers intercept or socially engineer these methods. The threat environment has changed in speed, scale, and sophistication.”
Microsoft said its Threat Intelligence division has observed a marked rise in AI-enabled phishing campaigns in recent months, with these methods reaching click-through rates as high as 54%.
That’s a stark contrast compared to the 12% click-through rates typically observed in traditional campaigns, highlighting the potency of this new wave of attacks.
Other tactics employed by threat actors, such as SIM swapping and MFA bypass techniques, have also become “more accessible and repeatable”, Microsoft noted.
As ITPro reported earlier this year, AI-generated phishing campaigns have become a recurring concern for cybersecurity leaders.
Research from Kaseya suggested that AI phishing “became the baseline” for threat actors in 2025: 83% of phishing emails used AI in some capacity, while 40% of business email compromise (BEC) attacks also fared similarly.
Why passkeys?
Passkeys are touted as a more reliable and secure method of authentication, as they tie credentials to a specific device, such as a smartphone or laptop. This removes the need for interceptable codes.
Indeed, Microsoft noted that because they use public-key cryptography rather than “shared secrets”, this makes them phishing-resistant by design.
“They also provide a faster, simpler sign-in experience for users,” the company noted.
Microsoft isn’t alone in advising the shift to passkeys. Earlier this year, the UK’s National Cyber Security Centre (NCSC) urged enterprises and consumers alike to adopt passkeys to provide “stronger resilience” and ease-of-use.
“We strongly advise all organizations to implement passkeys wherever possible to enhance security, provide users with faster, frictionless logins and to save significant costs on SMS authentication," NCSC CTO Ollie Whitehouse said at the time.
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
CISPE vs Broadcom continues, but this time it’s bringing friends to the party in fight over VMware changesNews Battle over acquisition and subsequent partnership and licensing changes continues
-
Beware of exposed serverless cloud functions, Mandiant warnsNews The rise of generative AI means the firm's seeing more vulnerable environments: here's what it thinks you should do
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
‘Most organizations are losing ground’: Identity security risks are skyrocketing, and enterprises can’t keep upNews Most organizations are being hit at least once a year, and experts warn incidents are accelerating
-
Beware of emails threatening a code of conduct reviewNews A widespread phishing campaign has targeted tens of thousands of employees
-
Enterprises are adopting agents faster than they can secure and govern them – experts warn it’s a disaster waiting to happenNews Identity systems developed for human interaction fail to cope with the new demands
-
Agent identity governance can't keeping up with adoption rates – and it’s creating a security nightmareNews Enterprises are leaving high-privilege keys unchanged for months or years at a time
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
-
Fake North Korean IT workers are rampant on LinkedIn – security experts warn operatives are stealing profiles to apply for jobs and infiltrate firmsNews The scammers' latest efforts mark a significant escalation in tactics, experts have warned
-
Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to knowNews Patch Tuesday update targets large number of vulnerabilities already being used by attackers