A contractor came out to my house not long ago to give me a quote. When he pulled out his phone to snap a few photos of the job, it was not a smartphone. It was a flip phone, the kind you have not seen at a store counter in a decade, the kind built to survive a fall off a ladder or a bath in drywall dust. I asked him about it. He told me he had cracked three smartphones on job sites and was done replacing them. The flip phone was not a downgrade. It was the right tool for the work he actually does.
I have been thinking about that flip phone a lot since reading Microsoft’s Message Center announcement MC1426371.
Microsoft Just Set a Deadline
On September 1, 2026, Microsoft begins automatically switching Entra ID tenants over to passkeys as the default authentication method. This happens gradually, tenant by tenant, whether an organization has planned for it or not. Third-party telecom providers become available in the Microsoft Security Store on September 18, with pricing and commercial terms published at that point. Admins can officially configure one of those providers starting October 30 if they want to keep SMS or voice MFA alive past the deadline. On February 1, 2027, Microsoft-provided SMS and voice authentication is retired for good. Anyone who has not moved to passkeys or paid for a third-party telecom provider by then loses that MFA method entirely.
Microsoft’s reasoning is not wrong. SMS and voice codes can be phished, intercepted, and socially engineered around in ways passkeys cannot. Passkeys are included in every Entra plan, so there is no license upgrade required to make the switch. From a pure security standpoint, this is the right call, and honestly overdue. I have been telling clients to move away from SMS-based MFA for years.
But knowing the right answer and being able to get there on a Microsoft-imposed timeline are two different problems, and the gap between them is where this is going to hurt.
The Technology Was Never the Hard Part
Every MSP that has tried to roll out Microsoft Authenticator or a passkey across an organization has run into the same wall, and it has nothing to do with technology. It is the phone in someone’s pocket, and whether they are willing to put a company security app on it.
We regularly run into end users, and even our own technicians, who refuse to install Microsoft Authenticator on a personal device. Some of them will tell you flatly that it is not a requirement of their job and they are not putting a company app on their own phone. Others genuinely cannot. Their phone is full, or it is old enough that the app will not run properly. Small organizations often do not have a stated policy about installing anything on personal devices in the first place, which leaves the decision sitting entirely with the end user, and the end user is not thinking about phishing resistance. They are thinking about the phone they paid for with their own money.
That hesitation is not paranoia. In March of this year, an Iran-linked group breached Stryker Corporation through a compromised Microsoft Intune admin account and used the remote wipe command to erase roughly 80,000 devices in about three hours. That included personal phones employees had enrolled through Stryker’s BYOD program. People lost photos, banking apps, and personal data alongside whatever company data was on the device. You do not have to work in medtech to have heard about that one. Every time a story like that gets around, the next conversation about installing a company authentication app on a personal phone gets harder, not easier.
Then there are the industries where the smartphone assumption breaks down completely. Educational environments do not have universal phone ownership among staff and students the way a typical office does. Construction and trade industries lean on ruggedized devices, or no smartphone at all, because a $1,000 phone does not survive a job site. My contractor with the flip phone is not an outlier. He is a preview of exactly who a passkey mandate is going to leave stuck.
The “No Extra Cost” Line Does Not Tell the Whole Story
Microsoft has been careful to point out that passkeys come at no additional cost, since they are already included in every Entra plan. That is true, and it is also not the full picture.
Microsoft is not putting a hard stop on SMS and voice MFA. They are putting a price on it. After February 2027, an organization that wants to keep using text messages and phone calls for MFA can still do it, as long as they set up and pay a third-party telecom provider through the Microsoft Security Store to deliver what Microsoft used to deliver for free. Some people are going to read that as Microsoft simply offloading a cost it no longer wants to carry, and dressing it up as a security initiative. I do not think that reading is entirely fair given how long Microsoft has been pushing organizations toward stronger authentication. But it does mean the “no extra cost” framing only holds if you actually move to passkeys. Stay on the old method, and it starts costing you money for the first time.
That is a real conversation clients need to have before February, not after. Either you invest the time now in getting users onto passkeys, or you start budgeting for a telecom bill you have never had before.
What We Are Telling Clients
Our recommendation is straightforward. Move to passkeys. If a specific end user refuses, and some will, the next option is a hardware key like a U2F device rather than falling back to SMS or voice. We are not going to tell a client to keep using a weaker method just because it is more comfortable in the short term. Microsoft has decided the security risk on SMS and voice is too high to keep supporting for free, and I agree with that assessment. Encouraging a client to stay on the less secure path, when better options exist and are already paid for, is not advice I am willing to give.
The Part That Makes This Harder to Sell
Here is what worries me more than the technology. Microsoft has a well-known pattern of announcing a hard deadline like this one, getting significant pushback, and then extending it. Again. And again. As a consultant, I have lived through the version of this where you tell a client the sky is falling, they scramble to get ready, and then Microsoft quietly pushes the deadline out another six months. When that happens enough times, clients stop believing you the next time something is genuinely urgent. I am curious to see whether Microsoft actually holds this line through February 2027, because if they do not, it makes the next deadline that much harder to get anyone to take seriously.
That contractor is probably still out there right now with his flip phone, calling a supplier about a part he needs, completely unbothered by any of this. He is not behind the times. He simply found the tool that survives the job he does every day. Passkeys are the right tool for the job Microsoft wants every organization doing. The question worth asking before September is whether your organization already knows who, among your own people, is still carrying the equivalent of that flip phone, and what happens to their access the day Microsoft stops asking nicely.