Microsoft will make passkeys the default phishing‑resistant authentication method in Entra ID, phasing out SMS and voice MFA.
Microsoft announced that passkeys will become the default phishing‑resistant authentication method in Entra ID, marking a major shift away from traditional SMS and voice‑based multi‑factor authentication (MFA).
Why Passkeys Matter
Passkeys use public‑key cryptography to verify a user’s identity without transmitting a secret that can be intercepted. This design makes them inherently resistant to phishing attacks that commonly target one‑time codes sent via text or voice.
The move aligns with industry recommendations to replace password‑based and code‑based MFA with stronger, credential‑less solutions.
Transition Timeline
Microsoft will begin rolling out the default passkey setting to all Entra ID tenants in the coming months. Existing tenants that rely on SMS or voice MFA will receive prompts to enroll passkeys, and the legacy methods will be gradually deprecated.
Administrators can still enable alternative MFA options during the transition, but the default experience for new users will be passkey‑based authentication.
How to Enroll Passkeys
Enrolling a passkey is straightforward: users select the passkey option during sign‑in, follow the device prompts to create a biometric or PIN‑protected credential, and the credential is stored securely on the device and in the cloud.
- Open the Entra ID sign‑in page
- Choose “Use a passkey”
- Follow the on‑screen instructions to register the credential
- Confirm the new method in your security settings
Impact on Security Posture
By defaulting to passkeys, organizations can reduce the risk of credential‑theft attacks, lower support costs associated with lost or compromised phone numbers, and improve user experience with faster, password‑less sign‑ins.
Microsoft notes that the change is part of its broader effort to strengthen identity security across Azure and Microsoft 365 services.
Passkeys represent a fundamental upgrade in how we protect identities, and making them the default helps safeguard our customers against evolving threats.
Read the full announcement on the Microsoft Security Blog: Source coverage.
Comments
No comments yet.