If your small business is still using SMS or voice codes to protect Microsoft 365 accounts, you have a hard deadline staring you down: September 1, 2026. That's when Microsoft officially retires SMS and voice-based authentication in Microsoft Entra. No grace period. No opt-out. Accounts that aren't migrated will lose their MFA method — and depending on your Conditional Access policies, that could mean lockouts, helpdesk chaos, or worse: a gap attackers will find before you do.
But here's what makes this more than a compliance checkbox: SMS MFA was already losing the fight before Microsoft pulled the plug.
MFA Was There — And It Still Failed
The most uncomfortable data point in recent security reporting comes from a July 2026 analysis by Security News: MFA was deployed in 97% of credential-based ransomware attacks — and still failed to stop the breach. Read that again. Nearly every victim had MFA turned on. The attackers got in anyway.
How? Because SMS-based MFA is trivially bypassable with the right tools. SIM swapping, SS7 protocol attacks, real-time phishing proxies, and session token theft all render SMS codes useless. The code arrives. The attacker intercepts it or already has your session. Game over.
This isn't theoretical. According to The Hacker News, the ACR Stealer — an active infostealer being distributed through ClickFix lures — is specifically targeting browser session tokens and Microsoft 365 credential files. Once a stealer grabs your authenticated session token, your SMS code is irrelevant. The attacker is already logged in as you. We covered how ClickFix attacks work in detail in our ClickFix fake CAPTCHA attack guide — and the threat has only escalated since.
And the broader Microsoft security environment? According to Krebs on Security, Microsoft patched a record 570 security flaws in a single cycle this year — a volume driven in part by AI-assisted vulnerability discovery. The Microsoft ecosystem is under more pressure than ever. Weak authentication is the lowest-hanging fruit for anyone targeting your organization.
What Microsoft Is Actually Changing
Starting September 1, 2026, Microsoft Entra will no longer support SMS or voice call authentication as MFA methods. This affects:
- Microsoft 365 Business users with SMS-based MFA configured
- Azure AD / Entra ID tenants using legacy MFA settings
- SSPR (Self-Service Password Reset) flows that rely on phone-based verification
- Any MSP-managed tenant that hasn't been migrated
Microsoft's preferred replacements are passkeys (FIDO2), the Microsoft Authenticator app (with number matching enabled), and certificate-based authentication for enterprise environments. Of these, passkeys are the most phishing-resistant option available to small businesses without enterprise infrastructure.
Passkeys vs. SMS vs. Authenticator Apps: The Real Difference
Not all MFA is equal. Here's the practical breakdown:
SMS/Voice codes — Being retired. Interceptable via SIM swap, SS7 attacks, real-time phishing proxies, and session token theft. Provides false confidence.
TOTP Authenticator apps (Google Authenticator, Authy) — Better than SMS, but still vulnerable to real-time phishing. An attacker can proxy your login, capture the code you enter, and replay it within the 30-second window. Still bypassed by session token stealers.
Microsoft Authenticator with number matching — Significantly better. Harder to phish because the user must match a number shown on screen. Still app-dependent and can be fatigue-attacked.
Passkeys (FIDO2/WebAuthn) — Cryptographically bound to the specific website and device. There is no code to intercept. No credential to steal. No phishing proxy that works. The private key never leaves your device. This is what "phishing-resistant" actually means.
For small businesses, passkeys can be stored on: - A hardware security key (YubiKey, Google Titan — $25–$50/user) - A Windows Hello for Business device (fingerprint or face recognition) - An iPhone or Android device using biometric unlock
The hardware key option is particularly strong for high-value accounts like your Microsoft 365 Global Admin, finance team, or anyone with access to sensitive client data.
Your Migration Checklist Before September 1, 2026
Don't wait for Microsoft to force the issue. Here's what to do now:
-
Audit your current MFA methods. In Microsoft Entra admin center, go to Users → Authentication Methods → Activity. Filter for users still relying on SMS or voice. Export the list.
-
Enable the Authentication Methods Policy. Migrate away from the legacy per-user MFA portal. The newer Authentication Methods policy in Entra gives you granular control over which methods are allowed per group.
-
Enable FIDO2 security keys or passkeys in Entra. Under Authentication Methods → Policies, enable FIDO2 Security Keys. Set enforcement to specific groups first (IT admins, privileged users) before rolling out broadly.
-
Deploy Microsoft Authenticator with number matching for everyone else. If passkeys aren't immediately practical for all users, Authenticator with number matching is your interim step — it's already available and blocks most MFA fatigue attacks.
-
Update SSPR settings. Ensure Self-Service Password Reset doesn't fall back to SMS after your main MFA migration. SSPR has its own authentication method settings that need to be updated separately.
-
Communicate with users before the cutover. Account lockouts generate helpdesk tickets. A one-page guide sent two weeks before your migration date prevents most of the chaos.
-
Test with a pilot group first. Pick 5–10 users across different roles, migrate them, verify they can log in cleanly, then roll out org-wide.
If you're managing Conditional Access policies alongside this migration, our guide on Conditional Access policy setup order for small businesses covers the sequencing that prevents accidental lockouts during changes like this.
Government Contractors: This Is Also a CMMC Issue
If your organization handles Controlled Unclassified Information (CUI) and is working toward CMMC Level 1 or Level 2 compliance, phishing-resistant MFA isn't optional — it's increasingly the expected standard. CMMC Level 2 specifically references NIST 800-171 control 3.5.3, which requires multi-factor authentication for local and network access. Using SMS-based MFA for accounts that touch CUI data is an audit finding waiting to happen. Passkeys satisfy this control in a way SMS codes simply don't. For a broader look at what CMMC Level 1 requires, see our CMMC Level 1 compliance guide for small businesses.
The Bottom Line
Microsoft isn't retiring SMS MFA because it's inconvenient. They're retiring it because it doesn't work against the attacks that are actually happening right now. The ACR Stealer is active. Session token theft is real. And 97% of credential-based ransomware victims had MFA turned on when they got hit.
Passkeys are the answer — not because they're trendy, but because they're the first authentication method that closes the door phishing attacks have been walking through for years. You have until September 1, 2026. That's enough time to do this right, but not enough time to procrastinate.
Take Action
Authentication gaps are one of the most common findings in small business security assessments — and they're rarely visible until something breaks. Before you migrate your MFA setup, it's worth knowing what else might be exposed in your Microsoft 365 environment or network perimeter.
Oscar Six Security's Radar ($99/scan) gives you an attacker's-eye view of your external exposure — open ports, misconfigured services, credential risks, and more — so you're fixing real problems, not guessing. It's the kind of proactive check that catches issues before they become incidents.
Focus Forward. We've Got Your Six.