Microsoft is killing SMS-based MFA. Here’s what that actually means for you.

Microsoft just put a hard date on the wall: passkeys become the default authentication method in Entra ID from September 1, 2026. SMS and voice-based MFA get switched off entirely on February 1, 2027.

If you’re running a business with 50 to 200 people, an IT function but no dedicated security team, there’s a good chance you’re still using SMS codes to log into Microsoft 365 today. That’s about to stop being an option.

Why this isn’t just a Microsoft housekeeping notice

SMS-based MFA has always been the “good enough” option – better than a password alone, weak against a determined attacker. The problem is attackers have gotten a lot more determined.

Microsoft’s own threat intelligence puts AI-assisted phishing click-through rates at roughly 54%, against about 12% for older-style phishing. That’s not a small shift. It means the codes-over-SMS model, which relies on a human not falling for a fake login page, is failing far more often than it used to.

Passkeys close that gap differently: there’s no code to steal, no shared secret to relay through a proxy site in real time. The login is tied cryptographically to your device. A phishing page simply has nothing to capture.

What to actually do before the deadline

Eighteen months sounds like plenty of runway. It isn’t, if nobody’s started.

  • Find out who’s still on SMS or voice MFA. Microsoft’s SMS/Voice Policy Scanner will tell you in an afternoon.
  • Plan the migration in phases, not as a big-bang rollout. Passkeys, Windows Hello for Business, and FIDO2 keys are the main options depending on your environment.
  • If you have a genuine reason to keep phone-based auth – a legacy app, a regulatory requirement — start pricing third-party telecom options through the Microsoft Security Store now, not in December 2026.
  • Budget time for user education. The technology is simple. Getting a few hundred staff to actually enrol without a support desk meltdown is the part that trips people up.

This is identity infrastructure, not a UX refresh and identity is consistently where the real damage happens in a breach, not the network edge. If you want a straight read on where your organisation stands against this timeline, that’s a conversation we’re happy to have.

Leave a Reply