Microsoft announced a major authentication overhaul for Microsoft Entra ID in the public cloud, making passkeys the default sign-in experience starting September 1, 2026 and shifting customers away from phishable SMS and voice-based multifactor authentication. The company said users who still rely on SMS or voice MFA will be automatically prompted to register passkeys during MFA flows, and organizations will not be able to opt out of those registration prompts. Microsoft tied the move to rising phishing risk, including AI-assisted campaigns, and said passkeys provide stronger protection through public-key cryptography rather than shared secrets.
Microsoft will also retire its native telecom delivery for SMS and voice authentication, with customers that still need those methods for regulatory or technical reasons required to use supported third-party telecom providers through the Microsoft Security Store. Administrator configuration for supported providers is scheduled to begin on October 30, 2026, with additional provider details and deployment guidance due earlier, while mandatory passkey registration for users dependent on SMS or voice is set to begin February 1, 2027. Reactions from administrators were mixed but largely unsurprised, with some citing prior SIM-cloning account compromises and others warning that the migration timeline is tight even as they accelerate user education on passkeys.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Microsoft announced that passkeys will become the default authentication experience for Microsoft Entra ID in the public cloud. The change also includes retirement of Microsoft's native SMS and voice-based MFA delivery in favor of phishing-resistant authentication.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
8 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcebleepingcomputer.com
Open sourcereddit.com
Open sourcehelpnetsecurity.com
Open sourcemicrosoft.com
Open sourcereddit.com
Open sourcelearn.microsoft.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.