Microsoft Entra ID security updates: Passkeys are the default authentication method in Entra ID
Admiralty grading (A–F · 1–6)
Source reliability
- A Completely reliable
- B Usually reliable
- C Fairly reliable
- D Not usually reliable
- E Unreliable
- F Cannot be judged
Information credibility
- 1 Confirmed
- 2 Probably true
- 3 Possibly true
- 4 Doubtful
- 5 Improbable
- 6 Cannot be judged
NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.
Key insight
Microsoft is making passkeys the default authentication method in Entra ID beginning September 1, 2026, to reduce phishing, SIM swapping, and MFA bypass attacks.
Description
Microsoft is introducing passkeys as the default authentication method in Entra ID to strengthen phishing-resistant authentication and reduce reliance on SMS and voice methods. The change responds to growing threats from AI-driven phishing campaigns with click-through rates up to 54%, as well as tactics such as SIM swapping and MFA bypass. The rollout begins September 1, 2026. This measure addresses both credential theft and social engineering attacks enabled by AI-automated privilege escalation and lateral movement.
Risk score
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 0.00
- raw before weight
- 0.00
- industry weight
- 1.10
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational