Microsoft Mandates Passkeys: A New Era of Enterprise Authentication

Jul 15, 2026 818 views

Microsoft is taking a decisive step toward more secure authentication by making passkeys the default method in its Entra ID service. Beginning on September 1, 2026, enterprises using Microsoft's identity and access management (IAM) service will find themselves transitioning away from traditional SMS and voice authentication methods.

This move underscores the necessity for improved security protocols as cyber threats become more sophisticated, particularly with the advent of AI enhancing attackers' capabilities. "This transition marks a key moment, shifting passwordless authentication from an optional feature to the standard," explained Ensar Seker, CISO at SOCRadar. The urgency of this change reflects a broader trend where attackers are using AI to automate their phishing campaigns and execute large-scale credential theft.

Details of the Transition

Passkeys, which allow users to authenticate using biometrics or device locks rather than passwords, are expected to significantly mitigate the risks associated with traditional authentication. Microsoft argues that reliance on these methods will reduce exposure to phishing, as passkeys cannot be easily phished compared to passwords.

The timeline for this rollout is notably tight:

  • September 1, 2026: Current users of SMS and voice authentication will be prompted to register for passkeys during multifactor authentication (MFA) sign-ins.
  • September 18, 2026: Microsoft will announce pricing and terms for scenarios still requiring SMS or voice authentication due to various constraints.
  • October 30, 2026: Enterprises must choose a supported telecom provider for SMS or voice services if required, and they’ll absorb the costs from then on.
  • February 1, 2027: Microsoft will cease to provide SMS and voice authentication as part of Entra ID.

It's important to note that these changes specifically impact users of the cloud-hosted version of Entra ID; other environments will follow a different schedule.

Nadim Abdo, Microsoft’s corporate VP of identity and network access engineering, stated that while SMS and voice methods have been effective, the evolving threat landscape necessitates the shift to passkeys.

The Advantages of Passkeys

Passkeys fundamentally alter how security works, as they do away with the transmission of shared secrets that attackers typically exploit. The necessity for physical possession of a user’s device along with biometric verification or a PIN enhances security. Seker emphasized that even the most convincing phishing attempts can’t easily deceive users into providing a passkey the same way they can with passwords or one-time codes.

Despite the benefits, widespread adoption of passkeys in enterprises has lagged, primarily due to fragmented identity ecosystems. Many organizations still lean on legacy applications that only support traditional passwords, and face challenges like cross-platform compatibility and employee onboarding/offboarding. Seker pointed out that firms previously categorized passkeys as more suited to consumer tech rather than an enterprise-level identity strategy.

However, Microsoft’s strategic moves are likely to change perceptions. Since Entra is central to many enterprise identity infrastructures, defaulting passkeys to be necessary rather than optional will compel organizations to adopt this technology more broadly.

The potential reduction in credential-based attacks is significant. Seker noted that a large portion of successful breaches initiate with stolen credentials, typically through phishing or infostealer malware. By adopting passkeys, organizations can lower the risk associated with these attacks while also alleviating password-related fatigue and the costs tied to helpdesk support for password resets.

Moreover, passkeys simplify security by removing the credential element entirely, making reliance on user awareness training for phishing attacks less critical. This represents a more sustainable approach to security in the long run.

That said, it’s essential to understand that passkeys aren’t a universal fix. They won’t guard against endpoint compromises, session token theft, or malicious insiders. To maximize security, organizations will need to implement passkeys alongside other measures like endpoint protection, continuous monitoring, and robust conditional access policies.

Preparing for the Shift

As enterprises gear up for this transition, Microsoft recommends evaluating current authentication policies and identifying user groups still dependent on SMS or voice authentication. Organizations should select the most appropriate authentication methods for their users and workflows while ensuring that all staff are equipped with passkeys and security keys.

Entra ID accommodates synced passkeys stored in credential managers like iCloud Keychain and Google Password Manager, as well as device-bound passkeys through Microsoft Authenticator or security keys adhering to FIDO2 standards.

To facilitate a smooth transition, enterprises are advised to scrutinize FIDO2 and passkey support in their identity ecosystems, develop clear onboarding and recovery protocols, and proactively educate users on the expected changes. Additionally, establishing secure device management practices remains critical, along with enforcing least privilege and risk-based access policies during the transition.

In light of these developments, Seker warns that organizations clinging to password-centric authentication will likely face rising operational risks as AI continues to enhance the effectiveness of credential-based attacks. The push for passkeys is not just a trend; it’s an essential evolution in enterprise security for the future.

This article originally appeared on Computerworld.

Source: James Martinez · www.csoonline.com

Comments

Sign in to comment.
No comments yet. Be the first to comment.

Related Articles

Microsoft is forcing an enterprise transition to passkeys