Microsoft Entra Passkeys Default and SMS and Voice MFA Retirement

Justin Kirsch | | 13 min read
Microsoft Entra ID passwordless passkey sign-in replacing a text-message code, for banks and credit unions

Signing in is about to get faster for your staff and far harder for the people trying to phish them. On July 13, 2026, Microsoft confirmed that passkeys will become the default sign-in experience in Microsoft Entra ID, and that Microsoft-provided text-message and phone-call multifactor authentication will be retired. For a bank, credit union, or mortgage company, that is a productivity win first: less waiting on a texted code, far fewer password-and-reset help-desk tickets, and a one-tap sign-in that works consistently across a user's devices.

It is also the biggest change to how your people prove who they are since your institution first turned on multifactor authentication. Two dates carry the whole announcement. On September 1, 2026, passkeys become the default. On February 1, 2027, Microsoft stops providing SMS and voice delivery natively in Entra. Any employee whose only second factor is a texted code or a phone call will be pushed to set up a passkey, and after the February date that prompt becomes impossible to skip.

This guide separates the two dates cleanly, translates each one into what your users will actually see, and gives you a migration plan you can start this quarter. The short version: the institutions that inventory their SMS and voice users now and drive passkey registration through the winter will glide through both dates. The ones that wait will spend February fielding sign-in complaints.

54%
Click-through rate Microsoft Threat Intelligence has observed on AI-enabled phishing campaigns, compared with roughly 12% for more traditional campaigns. Text-message and phone-call codes offer little defense against attacks this convincing.
Source: Microsoft Threat Intelligence, Microsoft Security Blog, 2026

What Microsoft Actually Announced

Microsoft framed the change plainly in its July 13 security blog and its Entra ID documentation: to help organizations adopt AI at scale, users need to move off phishable authentication methods and onto phishing-resistant ones. Passkeys are the method Microsoft is standardizing on, and the company is making them the default rather than an opt-in feature buried in a policy screen.

There are two distinct moves inside the announcement, and it is worth keeping them apart because they land five months apart and mean different things.

The first move is a default change. Beginning September 1, 2026, Microsoft begins rolling out passkeys as the default authentication experience in Entra ID. Users currently enabled for SMS or voice are automatically enabled for passkeys and nudged to register one the next time they complete multifactor authentication. Being automatically enabled for passkeys is not the same as being automatically registered or issued a passkey; your users still have to complete a short registration step, which is exactly the step you want to drive early.

The second move is a retirement. Beginning February 1, 2027, Microsoft retires Microsoft-provided telecom delivery for SMS and voice authentication and no longer offers them as a native Entra capability. This is not the same as saying SMS and voice disappear entirely. As we cover below, a customer-managed telecom option remains for organizations that have a genuine regulatory or operational need. But the default, free, Microsoft-run text-and-call channel that most institutions use today goes away on that date.

Why This Matters for Financial Institutions

Banks, credit unions, and mortgage companies are exactly the organizations examiners expect to be ahead of a change like this, not behind it. Many still lean on SMS or voice codes as a fallback for staff who never finished setting up an authenticator app, for shared or seasonal accounts, and for self-service password reset. Every one of those users is now on a clock. The institutions that treat this as a routine identity project through the fall will be finished before the February cutoff turns a soft nudge into a hard stop.

Why Microsoft Is Retiring SMS and Voice

The driver, in Microsoft's own words, is security. SMS and voice are among the most vulnerable authentication methods available today and provide significantly weaker protection against phishing and account compromise than passkeys. A texted one-time code can be phished in real time, intercepted through a SIM-swap, or simply read aloud to an attacker on a convincing phone call. The rise of AI-generated phishing has made all of those attacks cheaper and more believable, which is why Microsoft Threat Intelligence reports click-through rates as high as 54% on AI-enabled campaigns, compared with roughly 12% for more traditional ones.

Passkeys close that gap by design. A passkey uses public-key cryptography rather than a shared secret, so there is no code to intercept and nothing for a user to accidentally hand over. The private key is never shared with the website; depending on the passkey type it either stays on the user's device or syncs end-to-end encrypted across that user's own devices. Either way the sign-in is cryptographically bound to the real site, which makes passkeys resistant to phishing, SIM-swap, and replay attacks in a way that no texted code can match. A passkey can also serve as a full passwordless sign-in rather than merely a second code layered on top of a password, which is why Microsoft is positioning it as the default method rather than an optional add-on. That is the entire point of moving the default: every organization gets phishing-resistant security without having to opt in.

This direction will not surprise anyone who has followed the regulatory conversation. Federal guidance and examiner expectations have been steering financial institutions toward phishing-resistant multifactor authentication for years, and our own guide to phishing-resistant MFA for financial institutions walks through how FFIEC and NCUA expectations line up with FIDO2 and passkeys. Microsoft is now making the phishing-resistant path the road of least resistance instead of a project you have to champion.

The strongest credential is the one an attacker cannot easily phish, cannot intercept in transit, and cannot talk your employee into reading aloud. That is a passkey, and starting in September it becomes the default.

The Retirement Timeline, Milestone by Milestone

Microsoft published a dated rollout in its Entra ID retirement documentation rather than a single flip-the-switch moment. Knowing each milestone lets you plan communications and pick the right window to run your registration push. Here is the sequence that matters for your tenant, straight from Microsoft's published timeline.

August 1, 2026

Application programming interface support and information for a temporary opt-out become available. The opt-out only delays the September-to-February changes while you complete your migration; it does not exempt you from the final retirement.

September 1, 2026

Microsoft begins rolling out passkeys as the default. SMS and voice users are auto-enabled for passkeys in the Authentication Methods Policy, the registration campaign is set to Microsoft-managed, and users are nudged to register a passkey at their next sign-in.

September 18, 2026

Microsoft publishes the options and terms for customer-managed telecom providers in the Microsoft Security Store, so you can evaluate whether any of your user segments genuinely need to keep SMS or voice.

October 30, 2026

Institutions that need to continue SMS or voice can begin selecting and configuring a telecom provider through the Security Store, contracting with a carrier and testing with a pilot group.

February 1, 2027

Microsoft-provided SMS and voice delivery is fully retired in Entra ID. Users whose only method is SMS or voice receive a blocking prompt to register a passkey before they can continue. The temporary opt-out available earlier in the rollout only delays the transition; Microsoft says there is no opt-out from this final February 1 enforcement and that it applies to all tenants.

Microsoft Entra ID SMS and voice MFA retirement timeline showing August 1 2026 opt-out API, September 1 2026 passkeys default, September 18 2026 telecom provider terms, October 30 2026 provider configuration, and February 1 2027 full retirement.
The Microsoft Entra ID retirement timeline: passkeys become the default on September 1, 2026, and Microsoft-provided SMS and voice retire on February 1, 2027.

What Happens to Your Users on Each Date

Dates on a slide do not tell your help desk much. What matters is the experience an employee has when they sign in. On September 1, the change is gentle. A user who has been getting a texted code completes multifactor authentication as usual, and then sees a friendly prompt asking them to set up a passkey. By default they can snooze that prompt as many times as they like, so nothing breaks and nobody is locked out. That window, September through January, is your runway.

February 1 is where the tone changes. After the retirement, a user whose only available second factor is SMS or voice hits a blocking passkey-registration prompt at sign-in. They cannot skip it. Microsoft is explicit that this is a registration requirement, not an account lockout: the user completes passkey setup and then continues into their account. Still, a blocking prompt that a loan officer meets at 8 a.m. on a Monday, with borrowers waiting, is precisely the surprise you want to have engineered away in the fall.

If you do nothing before February 1, 2027

Every employee still relying on a texted or called code as their only second factor meets a mandatory, unskippable passkey-registration screen the first time they sign in after the cutoff. Multiply that by your branch and back-office headcount on a normal business morning.

If you migrate through the fall

Those same employees registered a passkey back in October during a planned campaign, sign in with a tap, and are far less likely to meet a blocking prompt. February 1 passes with little help-desk disruption instead of a queue of locked-out staff.

The difference between those two mornings is not luck. It is whether someone inventoried your SMS and voice users, turned on the registration campaign early, and worked the coverage number down before the deadline. That is ordinary identity-project work, and it is far easier to do on your schedule than on February 1.

The Takeaway

The September 1 nudge is skippable; the February 1 prompt is not. Use the five months in between to move users to passkeys on your own timeline instead of Microsoft's deadline.

Passkeys Versus SMS and Voice

If your staff have only ever known texted codes, the switch to passkeys can sound like a downgrade in convenience. It is the opposite. A passkey is stored on a device the employee already carries, and signing in is a face scan, a fingerprint, or a device PIN rather than a code copied from a text message under time pressure. Here is how the two approaches compare on the things a security and operations team actually weighs.

SMS and voice codes

Phishable in real time; a fake sign-in page can relay the code to an attacker.

Vulnerable to SIM-swap and call interception.

Depends on cellular signal and carrier delivery, which slows sign-in.

Generates password-reset and code-not-arriving help-desk tickets.

Retiring as a native Entra method on February 1, 2027.

Passkeys

Phishing-resistant by design; nothing to intercept or hand over.

Cryptographically bound to the real site, defeating look-alike pages.

One-tap sign-in with a fingerprint, face, or device PIN.

No shared secret, so no code to mistype and fewer reset tickets.

The default method going forward, at no additional Microsoft licensing cost to migrate.

Microsoft supports two flavors of passkey, and most institutions will use both. Synced passkeys live in a platform credential manager such as iCloud Keychain or Google Password Manager and follow the user across their devices, which suits staff who already use one of those managers. Device-bound passkeys are created and stored on a specific device, including a passkey in Microsoft Authenticator, an Entra passkey on Windows, or a FIDO2 hardware security key for your highest-risk roles. For most staff, one of these will replace the texted code entirely.

The reason phishable factors have to go is that attackers have gotten very good at defeating them. A texted code can be relayed through a fake sign-in page in real time. Related session-theft techniques go further still: in our breakdown of device-code phishing against financial institutions, users are tricked into approving an attacker's sign-in on a genuine Microsoft page, which is exactly the kind of account takeover a phishing-resistant method is built to block. Voice codes are no safer; the same social-engineering playbook that powers deepfake voice fraud at credit unions makes a phone-call factor a liability rather than a safeguard.

ABT runs the Entra passkey migration for you

We inventory every SMS and voice user, stand up the passkey registration campaign, and drive coverage before the February 2027 cutoff.

The One Way SMS and Voice Continue

Retiring the native method does not force every institution off telephony overnight. Microsoft is keeping a door open for organizations with a legitimate business, regulatory, or technical reason to keep a text-or-call channel. Instead of Microsoft delivering those codes for free, you contract directly with a telecom provider through the Microsoft Security Store, which gives you regional control and a carrier that meets your local compliance requirements.

The customer-managed telecom path is a paid option, not a free fallback

Pricing and commercial terms through the Security Store vary by provider and region and are set by each provider you contract with. Options and terms publish on September 18, 2026, and you can select and configure a provider starting October 30, 2026. Treat this as an exception you justify for specific user segments with a documented regulatory or operational need, not as a way to avoid the migration for your whole tenant.

For the vast majority of your staff, passkeys are the right answer and the recommended path. The Security Store option exists for the narrow cases where an out-of-band text or call is genuinely needed for a documented operational or regulatory reason, or where no other method is workable. One more detail worth flagging for your identity team: the retirement applies across Entra, including self-service password reset and the methods your users have registered, so any reset flow that currently falls back to a texted code needs the same attention as your sign-in flow.

Your Migration Plan Before February 2027

You do not need a heroic project to be ready. You need five steps, run in order, starting now. Microsoft documents how to find the users you need to worry about, so the first step is quick rather than a drawn-out discovery phase.

1
Inventory

List every user still enabled for SMS or voice using Microsoft's documented method for identifying them. Anyone without another phishing-resistant method already registered is dependent on telephony and needs to move; a non-zero result means your tenant is in scope.

2
Enable passkeys

Turn on passkey (FIDO2) as an authentication method and include your SMS and voice users in a passkey-enabled Authentication Methods Policy.

3
Run the campaign

Set the registration campaign to Microsoft-managed, targeted at that group, so users are nudged to register a passkey the next time they sign in.

4
Monitor coverage

Track registration progress and follow up with the users who snooze, driving the number of telephony-dependent users toward zero, apart from any documented exception segments, well before February.

5
Decide the exceptions

Only for documented exception segments with a genuine operational or regulatory need, evaluate a Security Store telecom provider. Everyone else defaults to passkeys.

Communication is one of the biggest predictors of a smooth rollout, so pair the technical steps with a simple three-beat message to staff: tell them SMS and voice are retiring and why, direct them to register a passkey with device-specific steps, and remind the stragglers before the deadline. Scope those messages to the group of SMS and voice users you built in step one, so the right people hear from you at the right time and nobody else is confused.

Five-step Microsoft Entra ID passkey migration checklist for financial institutions: inventory SMS and voice users, enable passkeys in the Authentication Methods Policy, run the Microsoft-managed registration campaign, monitor passkey coverage, and decide Security Store telecom exceptions.
A five-step passkey migration checklist banks, credit unions, and mortgage companies can start this quarter.

How ABT Runs the Migration for You

Most institutions know exactly what needs to happen and simply do not have the identity-team hours to run a clean campaign on top of everything else this fall. That is the work we do every day. As a Tier-1 Microsoft Cloud Solution Provider, ABT manages the Microsoft 365 tenants for more than 750 banks, credit unions, and mortgage companies, which means we manage the Entra Authentication Methods Policy directly under delegated administration.

Tier-1 Cloud Solution Provider (CSP) ABT Partner Insight

Microsoft is positioning passkeys as phishing-resistant security by default, and it is retiring the native SMS and voice channel to get there. As the partner that manages your Microsoft 365 tenant, we handle the Entra Authentication Methods Policy work end to end: the SMS and voice inventory, the passkey enablement, the registration campaign, and the coverage reporting that documents for an examiner that you finished before the cutoff.

Source: Microsoft Security Blog and Microsoft Entra ID documentation, July 2026

Concretely, our M365 Guardian team inventories every SMS and voice user in your tenant, stands up and tunes the passkey registration campaign, hardens the Authentication Methods Policy, and monitors registration coverage to a documented finish before February 1, 2027. We also plan the parts a migration lives or dies on: recovery and lost-device procedures, emergency break-glass access, how shared and service accounts are handled, a pilot group before broad rollout, and a governed exception process for any segment that genuinely needs the Security Store telecom path. The outcome your leadership cares about is straightforward: faster sign-in for staff, phishing-resistant protection for the institution, and a documented migration record you can put in front of an examiner.

Passkeys close the sign-in gap, but identity threats do not stop at the login screen. The same M365 Guardian team, through our Guardian MxDR managed detection and response service, keeps watching for the account-takeover attempts and suspicious sign-ins that follow, so the passkey migration becomes one step in continuous identity protection rather than a one-time project.

Do not let February 2027 catch your tenant off guard

As your Tier 1 Microsoft Cloud Solution Provider, ABT manages the Entra Authentication Methods Policy migration end to end, sharply reducing the risk that a user hits a blocking prompt or an examiner finds a gap.

Frequently Asked Questions

Beginning September 1, 2026, Microsoft rolls out passkeys as the default authentication experience in Microsoft Entra ID. Users currently enabled for SMS or voice are automatically enabled for passkeys and are nudged to register one at their next multifactor sign-in. Being auto-enabled is not the same as being registered; the user still completes a short passkey setup step, which by default they can snooze until the February 2027 retirement.

Beginning February 1, 2027, Microsoft retires Microsoft-provided telecom delivery for SMS and voice authentication and no longer offers them as a native Entra capability. After that date, users whose only available method is SMS or voice receive a blocking prompt to register a passkey before they can continue signing in. A temporary opt-out available earlier in the rollout only delays the September-to-February transition; Microsoft states there is no opt-out from this final February enforcement and that it applies to all tenants.

Microsoft states that migrating Microsoft-provided SMS and voice users to passkeys incurs no additional Microsoft licensing cost. That statement covers the passkey method itself. It does not mean an institution has zero effort or spend around hardware security keys for high-risk roles, internal communications, or the staff time to run the migration. The path that does carry a direct charge is keeping telephony through a customer-managed provider in the Microsoft Security Store, whose pricing and commercial terms vary by provider and region.

Yes, but only through a customer-managed telecom provider selected in the Microsoft Security Store, and only where there is a legitimate business, regulatory, or technical need. Microsoft publishes provider options and terms on September 18, 2026, and organizations can select and configure a provider beginning October 30, 2026. For most user segments, Microsoft recommends passkeys as the default; the telecom path is a paid exception for specific, documented cases.

Microsoft documents how to list the users still enabled for SMS or voice in your tenant using a read-only administrative role. The users who matter most are those whose only registered method is telephony, because they have no phishing-resistant fallback. From there, include those users in a passkey-enabled Authentication Methods Policy, set the registration campaign to Microsoft-managed, and monitor coverage until only documented exception segments remain before February 1, 2027.

Yes. The retirement of native SMS and voice applies across Entra, including self-service password reset. Any reset flow that currently falls back to a texted or called code needs the same migration attention as your sign-in flow. Users can still use a Security Store telecom provider for these scenarios if you configure one, but the default and recommended path is to move users to phishing-resistant methods such as passkeys.


Justin Kirsch

Justin Kirsch

Co-Founder & CEO, Access Business Technologies

Justin Kirsch has built secure Microsoft cloud environments for financial institutions since 1999. As Co-Founder and CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies modernize identity, move to phishing-resistant authentication, and stay ahead of Microsoft Entra changes without disrupting the people who sign in every day.