TempMail Ninja
//

Microsoft Entra ID Phasing Out SMS and Voice MFA for Passkeys

8 min read
TempMail Ninja
Microsoft Entra ID Phasing Out SMS and Voice MFA for Passkeys

The modern enterprise identity boundary has become the primary battleground for security operations globally. As sophisticated threat actors harness generative artificial intelligence to scale, automate, and refine credential-harvesting campaigns, legacy multi-factor authentication (MFA) protocols have rapidly transitioned from robust safeguards to major operational liabilities. In a decisive move to counter this architectural vulnerability, Microsoft officially announced on July 13, 2026, via Message Center notification MC1426371, that it is initiating a sweeping, non-negotiable overhaul of its cloud identity ecosystem. This monumental change positions Microsoft Entra ID at the absolute forefront of the passwordless revolution by making phishing-resistant passkeys the default authentication protocol, while systematically phasing out and retiring native, Microsoft-provided SMS and voice verification services.

The Technical Underpinnings of the MFA Divide: Why Telephony is Failing

For over a decade, telephony-based MFA—comprising Short Message Service (SMS) one-time passcodes and voice-call verifications—served as the baseline secondary defense for corporate accounts. It was widely adopted due to its low friction and immediate user familiarity. However, the fundamental security architecture of telecom networks is completely mismatched with the modern threat landscape. Telephony-based authentication relies on unencrypted transmission over public networks, routing through the legacy Signalling System No. 7 (SS7) protocol, and shared secrets that are highly susceptible to intercept.

Modern adversaries bypass telephony MFA with relative ease through several established vectors:

  • SIM-Swapping Attacks: Attackers utilize social engineering or collude with insider threats at mobile carriers to port a victim’s phone number to an attacker-controlled SIM card, redirecting all incoming SMS codes and voice calls.
  • SS7 Exploitation: Highly sophisticated actors exploit known architectural flaws within the global telecommunications routing system to intercept text messages in transit without the user or carrier’s knowledge.
  • Adversary-in-the-Middle (AiTM) Phishing: Platforms deploy reverse proxy frameworks that intercept both the user’s password and the subsequent SMS-delivered one-time code in real-time, instantly capturing active session tokens.

To contrast, passkeys utilize open standards developed by the FIDO Alliance and the World Wide Web Consortium (W3C), known as FIDO2 and WebAuthn. This paradigm relies on asymmetric public-key cryptography instead of shared secrets. When a user registers a passkey, their physical device (such as a laptop, workstation, or mobile phone) generates a unique cryptographic key pair. The private key remains locked within the device’s secure hardware enclave (e.g., TPM or Secure Enclave) and is accessible only via local biometric verification—such as Face ID, touch sensors, or a local PIN. The corresponding public key is registered with Microsoft Entra ID.

During sign-in, the identity provider sends a cryptographic challenge that can only be signed by the local private key. Because this exchange is cryptographically bound to the specific domain (e.g., login.microsoftonline.com), it is mathematically impossible for a spoofed phishing domain to successfully complete the challenge. Even if a user is tricked into interacting with a malicious replica site, the browser and physical hardware refuse to sign the challenge, completely neutralizing AiTM attacks.

The Roadmap to Retirement: Critical Milestones for Administrators

This phase-out represents a massive shift for corporate IT departments and Managed Service Providers (MSPs). To prevent operational chaos, Microsoft has outlined a phased rollout schedule structured around critical milestones. Administrators must align their internal deployment playbooks with this timeline to ensure continuity of service:

  1. September 1, 2026 – The Default Passkey Rollout: Microsoft will begin automatically enabling passkeys as the default authentication experience across all Microsoft Entra ID tenants. For any user currently relying on SMS or voice as their primary MFA method, Microsoft will set the registration campaign to a “Microsoft-Managed” state. During the user’s next interactive sign-in, they will be met with a persistent “nudge” campaign guiding them to enroll a secure passkey on their device. While users will initially have the option to skip this prompt, the system will actively steer them away from legacy telephony.
  2. September 18, 2026 – Commercial Terms and the Security Store: Recognizing that certain enterprises have regulatory, legacy, or compliance mandates requiring the preservation of SMS and voice verification, Microsoft will release commercial terms, pricing models, and a list of approved third-party telecom providers. These services will be accessible via the Microsoft Security Store. Beginning October 30, 2026, administrators can officially configure these third-party carriers. However, the financial and administrative burden of maintaining telephony MFA will transition entirely to the customer, who must contract directly with these providers.
  3. February 1, 2027 – Absolute Telephony Retirement: This is the hard deadline. Native, Microsoft-provided telecom delivery of SMS codes and voice calls will be completely retired. Any tenant that has not transitioned its telephony users to phishing-resistant methods—or configured a paid third-party telecom provider—will face immediate sign-in disruption. These users will be forcibly blocked from standard sign-in until they register a secure passkey or another approved phishing-resistant factor (such as the Microsoft Authenticator app in passwordless mode or a FIDO2 hardware key).

The Threat Horizon: Deconstructing the “Pink” Vishing Threat

The transition period between the announcement of a security mandate and its final enforcement is historically a high-risk window. Threat actors rapidly adapt their tactics to exploit user confusion surrounding new security workflows. This structural risk is already manifest. Security researchers, including Okta Threat Intelligence and Palo Alto Networks Unit 42, have identified highly targeted extortion campaigns orchestrated by a threat actor tracked as O-UNC-066 (also known under the operational brand “Pink” or CL-CRI-1147).

Pink is believed to be closely linked to “The Com,” a decentralized cybercrime syndicate containing notorious social engineering groups like Scattered Spider and ShinyHunters. Their current campaign specifically targets the passkey enrollment process, utilizing domains like passkeyadd[.]com, passkeydeploy[.]com, and deploypasskey[.]com to capitalize on users’ lack of familiarity with how passkeys are registered. This pretext has successfully bypassed traditional defenses across the technology, healthcare, aviation, automotive, food and beverage, and construction sectors.

The mechanics of a Pink vishing attack are remarkably sophisticated, relying on live, operator-controlled panels rather than static phishing templates:

  • The Pretext: A live operator places a voice-phishing (vishing) call to a targeted corporate employee, pretending to be a representative from the internal IT helpdesk. The caller informs the employee that the company is undergoing a mandatory security upgrade to “passkeys” and walks them through the configuration.
  • The Live Phishing Panel: The victim is directed to a custom domain registered by the attacker that heavily utilizes the word “passkey” alongside legitimate corporate branding. This phishing kit is directly controlled by a human attacker on the backend using a live operator-controlled PHP panel. As the victim inputs their corporate credentials, the attacker replays them to the authentic Microsoft login portal in real-time.
  • MFA Relay: If the legitimate portal triggers an MFA prompt (such as an SMS code or a Microsoft Authenticator push notification), the attacker’s panel dynamically updates to mimic that exact prompt, tricking the victim into inputting the code or approving the push notification.
  • Passkey Hijacking: Once the attacker gains active access to the session, they initiate the registration of a new passkey. Crucially, the attacker registers their own physical security device as the authorized passkey for the victim’s account.
  • The Mnemonic Distraction: While the attacker secures their foothold, the victim is presented with a fake recovery screen displaying a BIP-39 mnemonic seed phrase (typically used in cryptocurrency wallets). The victim is instructed to write down and verify these words. This elaborate, time-consuming task keeps the victim occupied and distracted, ensuring they do not inspect their corporate email inbox for legitimate Microsoft notifications warning them that a new authentication device has been successfully registered to their account.

This methodology presents a massive challenge for incident response teams. Standard account remediation workflows assume that a compromised account can be secured by resetting the password and revoking active session tokens. However, because the attacker has successfully registered a legitimate, phishing-resistant passkey under their own control, they maintain persistent, high-privileged access that completely bypasses subsequent password changes and standard MFA blocks. Removing this access requires administrators to manually audit and delete the unauthorized credential from the user’s authentication methods profile within the admin center.

Preparing Your Tenant: Scanning and Managing Microsoft Entra ID Policies

To defend against both the looming retirement of native telephony and the active threat of vishing campaigns, system administrators and Security Operations Centers (SOCs) must adopt a proactive posture immediately. Securing the tenant requires a structured audit and policy enforcement strategy.

First, organizations must identify their exposure. Administrators holding the Global Reader, Security Reader, or Authentication Policy Administrator roles should utilize the Entra SMS/Voice Policy Scanner. This specialized PowerShell utility scans the tenant’s authentication policies, mapping out every user who actively relies on SMS or voice as their primary or secondary MFA method. By exporting this data, IT teams can establish a targeted list of users who require immediate outreach, onboarding support, and hands-on migration guidance.

Second, administrators must configure system-preferred authentication. By enabling this policy within the Entra portal, the system will automatically present the user with the most secure, phishing-resistant method they have registered (such as Windows Hello or an Authenticator push with number matching) during sign-in, overriding weaker options like SMS even if they are still enabled on the account.

Third, organizations must establish secure enrollment boundaries. To prevent attacks like those executed by the Pink group, administrators should restrict where and when users can register new passkeys. Enforcing Conditional Access registration policies—which require users to be on a trusted corporate network, a compliant device, or to utilize a temporary, one-time Temporary Access Pass (TAP) issued directly by a verified IT admin—ensures that an attacker cannot register a rogue device even if they manage to compromise a user’s password and secondary code via a phishing site.

Strategic Takeaways: The Cost-Shifting Equation

Beyond the immense security benefits, the transition represents a calculated economic shifting of the tectonic plates of enterprise identity. Historically, Microsoft has absorbed the transactional costs associated with sending billions of global SMS codes and telephone verifications. By retiring native telephony-based authentication and shifting organizations that require SMS to third-party providers via the Microsoft Security Store, Redmond is successfully transferring these massive operational costs directly back to the enterprise.

For organizations, this creates a dual incentive to migrate: not only does adopting passkeys dramatically improve their security posture and protect against advanced vishing groups like Pink, but it also eliminates the potential long-term telecom costs that will be incurred after the February 1, 2027 cutoff. By forcing a hard pivot to asymmetric cryptography and device-bound biometrics, Microsoft is effectively closing the book on the era of phishable secrets. While the transition will demand significant administrative effort and user education over the coming months, the alternative—remaining exposed to automated, AI-driven credential theft and devastating vishing campaigns—is simply no longer an option. The clock is ticking, and the time to migrate is now.

TN

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.