Microsoft Entra: Passkeys by default and retirement of Microsoft-provided SMS and voice authentication

🚨 The Signal: Microsoft Entra will default to passkeys for authentication by September 2026, phasing out Microsoft-provided SMS and voice MFA by February 2027 due to their phishing vulnerability. Organisations must transition to phishing-resistant methods or procure third-party telecom providers.

The Impact

All users are affected by the shift to stronger authentication, reducing the risk of identity-based attacks.

  • End-users: Will use passkeys for login, improving personal security.
  • Security Teams: Must plan and implement passkey rollout, reducing phishing risk.
  • Administrators: Need to configure passkey policies and potentially new SMS/voice providers.
  • Organisations: Enhanced security posture against identity compromise.

The Action

  1. Review current authentication methods and identify users reliant on SMS/voice MFA.
  2. Plan and pilot passkey deployment for user groups within Microsoft Entra.
  3. Communicate passkey adoption requirements and benefits to end-users.
  4. Evaluate third-party telecom providers if SMS/voice MFA remains a business requirement post-February 2027.
  5. Configure authentication methods policy in Microsoft Entra to prioritise passkeys and disable SMS/voice where possible.

Domain: Entra · Impact: high · Workload: Entra ID · Essential Eight: Multi-Factor Authentication · ISM: ISM-0109, ISM-0123, ISM-0140, ISM-0974, ISM-1173, ISM-1228, ISM-1401, ISM-1504, ISM-1505, ISM-1679, ISM-1680, ISM-1681, ISM-1682, ISM-1683, ISM-1815, ISM-1819, ISM-1872, ISM-1873, ISM-1874, ISM-1892, ISM-1893, ISM-1894, ISM-1906, ISM-1907