Microsoft Entra ID will make Passkeys the default sign-in method this September
Passkeys, the passwordless authentication standard built on public-key cryptography and backed by the FIDO Alliance, are about to become the default for millions of Microsoft Entra ID users. Microsoft announced Wednesday that the service will switch to Passkey as its primary identity verification method starting this September.
Users who currently authenticate through SMS codes or voice verification prompts will automatically be enrolled in Passkey. The next time they’re prompted for multi-factor authentication, they’ll see a “Register Passkey” screen instead of the usual text message or phone call.
Microsoft also set a hard deadline for the old methods. On February 1, 2027, the company will stop offering SMS codes and voice verification as a built-in service. Organizations that still rely on those methods need to migrate to Passkey before the deadline — or find and pay a third-party telecom provider to handle SMS and voice verification instead.
The change only affects Entra ID in public cloud environments. Plans for other cloud configurations are still being worked out, with migration guidance to follow.
The move is the latest sign that the industry’s shift away from SMS-based authentication is accelerating. Security researchers have long flagged SMS codes as one of the weakest forms of MFA — vulnerable to SIM-swapping attacks and SS7 protocol exploits on top of increasingly sophisticated phishing campaigns. But their sheer convenience kept them in widespread use across enterprises. Microsoft’s deadline effectively forces the slow-moving organizations to act.
Passkeys work by generating a cryptographic key pair on the user’s device — the private key never leaves the device, while the public key is stored on the server. Authentication happens through biometrics (Face ID, fingerprint) or a device PIN, eliminating the need for a shared secret sent over a network. Apple and Google have been pushing Passkey adoption on their platforms for years, and Microsoft’s Entra ID move brings the standard to the enterprise login layer where the highest-value credentials live.
For IT administrators, the transition means preparing users for the change and auditing any workflows that still depend on SMS-based MFA. Microsoft recommends organizations start testing Passkey enrollment flows now, ahead of the September switch.