News
Microsoft Makes Passkeys the Entra ID Default as Identity Attacks Grow Stealthier
Microsoft will make passkeys the default authentication method in Entra ID and phase out its native delivery of SMS and voice authentication, a major shift aimed at reducing organizations' dependence on credentials that attackers can intercept or steal.
Beginning Sept. 1, Microsoft will automatically enable passkeys for Entra ID users who are configured for SMS or voice authentication. Those users will be prompted to register a passkey the next time they complete a multifactor authentication challenge.
Microsoft will stop providing SMS and voice delivery on Feb. 1, 2027. Organizations that still need those methods for regulatory, technical or business reasons will be able to contract with third-party telecom providers through the Microsoft Security Store.
"We strongly recommend moving users to passkeys" as soon as possible, Microsoft said.
Passkeys replace shared secrets with public-key cryptography. That design makes them resistant to traditional phishing because the private credential remains on the user’s device and is tied to the legitimate service requesting authentication.
Microsoft said SMS and voice helped expand multifactor authentication to billions of users but argued that attackers have developed techniques that make those methods increasingly unreliable.
"The threat environment has evolved beyond their capabilities," the company said.
Microsoft cited phishing, SIM swapping and multifactor authentication bypass among the threats driving the change. The company also said AI-assisted phishing campaigns have produced click-through rates as high as 54 percent, compared with about 12 percent for more traditional campaigns.
We need to evolve with it," Microsoft said.
The announcement came the same day Proofpoint detailed a technique that shows how attackers are finding quieter ways to probe Entra ID environments and identify usable credentials.
Proofpoint researchers said threat actors are spoofing OAuth client IDs, the identifiers assigned to applications during authentication requests. By supplying fake or randomly generated IDs, attackers can use differences in Entra ID error responses to determine whether an account exists and whether a password is valid.
"Spoofed client IDs enable account enumeration" without a registered application, Proofpoint said.
The technique can also avoid producing a successful sign-in event. In some cases, the application name field in Entra ID logs is left blank, making malicious activity harder to correlate through detections focused on known applications.
Proofpoint observed one campaign targeting more than 1 million accounts across nearly 4,000 tenants. Another campaign targeted more than 2 million users while cycling through 3.7 million spoofed application IDs. The differences between the campaigns suggested multiple threat actors had independently adopted the method.
The research does not suggest passkeys will prevent account enumeration. It does, however, reinforce the value of eliminating reusable passwords and phishable second factors. An attacker who identifies a valid account or password gains less leverage when authentication requires a cryptographic credential bound to a legitimate service.
Proofpoint said defenders should watch for sign-in records with blank application fields and treat certain application identifier errors as possible evidence of compromised credentials rather than routine failed logins.
For Entra ID administrators, Microsoft recommends identifying users who still depend on SMS or voice, planning a passkey rollout and preparing users for registration prompts before the September transition.