Our Thinking | Intercity Technology

Microsoft Is Making Passkeys the Default: What IT Leaders Need To Know

Written by Intercity | Jul 15, 2026 7:02:21 PM

Identity is rapidly becoming the primary battleground for cyber attackers.

This week, Microsoft announced that passkeys will become the default authentication experience in Entra ID from September 2026, while Microsoft-provided SMS and voice authentication services will be retired in February 2027. Microsoft says the move is designed to accelerate adoption of phishing-resistant authentication as identity attacks become more sophisticated in the AI era.

Microsoft is making phishing-resistant authentication the expected standard rather than the optional upgrade. For most organisations, this won't trigger a large-scale migration project overnight. But it does provide a clear indication of where Microsoft's identity strategy is heading and why now is a good time to review how users authenticate across your organisation.

 

 

 

WHY IS MICROSOFT MAKING THIS CHANGE?

Microsoft's rationale is straightforward. SMS and voice authentication have helped improve security for millions of users, but they are still vulnerable to phishing, social engineering and SIM-swapping attacks.

Passkeys use public-key cryptography, making them significantly more resistant to phishing attacks. They also offer a simpler sign-in experience by allowing users to authenticate using a trusted device, biometric factor or security key.

As AI-enabled phishing campaigns become more effective, Microsoft is encouraging organisations to move towards phishing-resistant authentication methods by default.


 

WHAT DOES THIS MEAN FOR YOUR ORGANISATION?

For organisations already using passkeys, Windows Hello for Business or FIDO2-based authentication, very little will change. The technology foundations are already in place

For others, this announcement provides an opportunity to review how authentication is being used across the organisation. Many businesses still have users who rely heavily on SMS-based MFA, particularly among frontline workers, occasional users or legacy processes.

The bigger takeaway is not the deadline itself. It's that Microsoft is making phishing-resistant authentication the expected standard rather than the optional upgrade.

That is likely to influence future security investments, identity strategies and user onboarding processes long before 2027.

 

 

THE KEY DATES TO KNOW

Microsoft has published the following timeline:

 

1 September 2026

Users currently enabled for SMS or voice authentication will automatically be enabled for passkeys. During MFA sign-ins, users will be prompted to register a passkey, helping organisations begin the transition to phishing-resistant authentication.

18 September 2026

Microsoft will publish pricing information and details of supported telecom providers for organisations that wish to continue using SMS or voice authentication.

30 October 2026

Administrators will be able to select and configure approved telecom providers through the Microsoft Security Store.

1 February 2027

Microsoft's native SMS and voice authentication capability will be retired.

Organisations that still require these methods will need to use a supported telecom provider.

After 1 February 2027

Users who continue to rely on SMS or voice authentication will be required to register a passkey before they can sign in. Microsoft has stated there will be no opt-out option.

It's worth noting that Microsoft isn't eliminating SMS and voice authentication entirely. Rather, it's retiring its own native delivery service and requiring organisations that still need these methods to use a supported telecom provider.

 

WHAT SHOULD ORGANISATIONS BE REVIEWING NOW?

There is plenty of time before the main milestones arrive, but it makes sense to understand your current position.

A good starting point is to review:

    • Which users currently use SMS or voice authentication
    • Whether user devices are ready for passkeys
    • Any regulatory, operational or business reasons for keeping SMS or voice authentication
    • Existing authentication and access policies
    • User communications and awareness plans

For many organisations, this may be little more than a review exercise. Others may identify user groups that require additional planning.

 

 

FINAL THOUGHTS:

The organisations that benefit most from this change won't necessarily be the ones that move fastest. They'll be the ones that understand their current authentication landscape, identify where risk still exists, and make planned changes before they become mandatory.

With more identity attacks targeting users rather than infrastructure, authentication is becoming one of the most important security decisions organisations make. Now is a good time to understand whether your current approach is ready for what's next.

 

If you're unsure how Microsoft's passkey transition could affect your organisation, Intercity's Microsoft experts can help you assess your existing setup, identify any users or processes that may be affected, and clarify whether any action is needed before the 2026 and 2027 milestones.