Microsoft Entra ID makes passkeys the default authentication method and retires SMS/voice MFA
Security Tool/Service
Summary
Hide ▲
Show ▼
Microsoft Entra ID will make passkeys the default authentication method starting September 2026, reducing reliance on phishable second factors across enterprise accounts. SMS and voice authentication will be retired in February 2027, pushing tenants toward phishing-resistant sign-in methods. The shift raises the baseline for account security while forcing organizations still using phone-based MFA to migrate before disruption.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
H score46
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Kali365 Microsoft 365 device-code phishing campaign
CampaignAbout this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
EvilTokens Microsoft 365 consent phishing campaign
Campaign
H score39
First: 19.05.2026 14:30
Last: 19.05.2026 14:30
Sources 1
About this happening:
The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
EvilTokens Microsoft 365 consent phishing campaign
CampaignAbout this happening: The **EvilTokens** campaign rapidly compromised **more than 340 Microsoft 365 organizations** across **five countries**, showing how **OAuth grant abuse** can bypass **MFA** and c...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Microsoft AiTM payroll pirate attack mitigation
Advisory/Mitigation
H score34
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
**Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Microsoft AiTM payroll pirate attack mitigation
Advisory/MitigationAbout this happening: **Microsoft** is urging defenders to harden **Microsoft 365** and related **HR workflows** against **AiTM**-driven payroll theft by requiring **phishing-resistant MFA**, blocking...
Storm-2755 payroll pirate campaign targeting Canadian employees
Campaign
H score29
First: 10.04.2026 14:56
Last: 10.04.2026 14:56
Sources 1
About this happening:
The **Storm-2755** campaign is stealing **Canadian employees' salary payments** by hijacking accounts through **Microsoft 365** phishing pages, creating immediate payroll-diversio...
Storm-2755 payroll pirate campaign targeting Canadian employees
CampaignAbout this happening: The **Storm-2755** campaign is stealing **Canadian employees' salary payments** by hijacking accounts through **Microsoft 365** phishing pages, creating immediate payroll-diversio...
Timeline
-
14.07.2026 15:49 2 articles · 1h ago
Microsoft Entra ID will make passkeys the default sign-in method
Initial DisclosureMicrosoft announced that Entra ID will make passkeys the default authentication method starting September 2026, automatically enabling passkeys for users still using SMS or voice authentication and retiring Microsoft-provided SMS and voice authentication across all tenants on February 1, 2027. Users already signing in with passkeys, Windows Hello for Business, FIDO2 security keys, smart cards, or other phishing-resistant methods can continue using those methods, and organizations that still need phone-based authentication must move to third-party telecom providers through the Microsoft Security Store.
Show sources
- Microsoft Entra ID gets passkeys default authentication starting September — www.bleepingcomputer.com — 14.07.2026 15:49
- Microsoft Entra ID gets passkeys default authentication starting September — www.bleepingcomputer.com — 14.07.2026 15:49