Compliance

Passkeys vs SMS MFA: Beat Microsoft's 2026 Deadline

Passkeys vs SMS MFA: Beat Microsoft's 2026 Deadline

Know what attackers see before they do. See a sample Radar scan report →

If your small business is still using SMS or voice codes to protect Microsoft 365 accounts, you have a hard deadline staring you down: September 1, 2026. That's when Microsoft officially retires SMS and voice-based authentication in Microsoft Entra. No grace period. No opt-out. Accounts that aren't migrated will lose their MFA method — and depending on your Conditional Access policies, that could mean lockouts, helpdesk chaos, or worse: a gap attackers will find before you do.

But here's what makes this more than a compliance checkbox: SMS MFA was already losing the fight before Microsoft pulled the plug.

MFA Was There — And It Still Failed

The most uncomfortable data point in recent security reporting comes from a July 2026 analysis by Security News: MFA was deployed in 97% of credential-based ransomware attacks — and still failed to stop the breach. Read that again. Nearly every victim had MFA turned on. The attackers got in anyway.

How? Because SMS-based MFA is trivially bypassable with the right tools. SIM swapping, SS7 protocol attacks, real-time phishing proxies, and session token theft all render SMS codes useless. The code arrives. The attacker intercepts it or already has your session. Game over.

This isn't theoretical. According to The Hacker News, the ACR Stealer — an active infostealer being distributed through ClickFix lures — is specifically targeting browser session tokens and Microsoft 365 credential files. Once a stealer grabs your authenticated session token, your SMS code is irrelevant. The attacker is already logged in as you. We covered how ClickFix attacks work in detail in our ClickFix fake CAPTCHA attack guide — and the threat has only escalated since.

And the broader Microsoft security environment? According to Krebs on Security, Microsoft patched a record 570 security flaws in a single cycle this year — a volume driven in part by AI-assisted vulnerability discovery. The Microsoft ecosystem is under more pressure than ever. Weak authentication is the lowest-hanging fruit for anyone targeting your organization.

What Microsoft Is Actually Changing

Starting September 1, 2026, Microsoft Entra will no longer support SMS or voice call authentication as MFA methods. This affects:

  • Microsoft 365 Business users with SMS-based MFA configured
  • Azure AD / Entra ID tenants using legacy MFA settings
  • SSPR (Self-Service Password Reset) flows that rely on phone-based verification
  • Any MSP-managed tenant that hasn't been migrated

Microsoft's preferred replacements are passkeys (FIDO2), the Microsoft Authenticator app (with number matching enabled), and certificate-based authentication for enterprise environments. Of these, passkeys are the most phishing-resistant option available to small businesses without enterprise infrastructure.

Passkeys vs. SMS vs. Authenticator Apps: The Real Difference

Not all MFA is equal. Here's the practical breakdown:

SMS/Voice codes — Being retired. Interceptable via SIM swap, SS7 attacks, real-time phishing proxies, and session token theft. Provides false confidence.

TOTP Authenticator apps (Google Authenticator, Authy) — Better than SMS, but still vulnerable to real-time phishing. An attacker can proxy your login, capture the code you enter, and replay it within the 30-second window. Still bypassed by session token stealers.

Microsoft Authenticator with number matching — Significantly better. Harder to phish because the user must match a number shown on screen. Still app-dependent and can be fatigue-attacked.

Passkeys (FIDO2/WebAuthn) — Cryptographically bound to the specific website and device. There is no code to intercept. No credential to steal. No phishing proxy that works. The private key never leaves your device. This is what "phishing-resistant" actually means.

For small businesses, passkeys can be stored on: - A hardware security key (YubiKey, Google Titan — $25–$50/user) - A Windows Hello for Business device (fingerprint or face recognition) - An iPhone or Android device using biometric unlock

The hardware key option is particularly strong for high-value accounts like your Microsoft 365 Global Admin, finance team, or anyone with access to sensitive client data.

Your Migration Checklist Before September 1, 2026

Don't wait for Microsoft to force the issue. Here's what to do now:

  1. Audit your current MFA methods. In Microsoft Entra admin center, go to Users → Authentication Methods → Activity. Filter for users still relying on SMS or voice. Export the list.

  2. Enable the Authentication Methods Policy. Migrate away from the legacy per-user MFA portal. The newer Authentication Methods policy in Entra gives you granular control over which methods are allowed per group.

  3. Enable FIDO2 security keys or passkeys in Entra. Under Authentication Methods → Policies, enable FIDO2 Security Keys. Set enforcement to specific groups first (IT admins, privileged users) before rolling out broadly.

  4. Deploy Microsoft Authenticator with number matching for everyone else. If passkeys aren't immediately practical for all users, Authenticator with number matching is your interim step — it's already available and blocks most MFA fatigue attacks.

  5. Update SSPR settings. Ensure Self-Service Password Reset doesn't fall back to SMS after your main MFA migration. SSPR has its own authentication method settings that need to be updated separately.

  6. Communicate with users before the cutover. Account lockouts generate helpdesk tickets. A one-page guide sent two weeks before your migration date prevents most of the chaos.

  7. Test with a pilot group first. Pick 5–10 users across different roles, migrate them, verify they can log in cleanly, then roll out org-wide.

If you're managing Conditional Access policies alongside this migration, our guide on Conditional Access policy setup order for small businesses covers the sequencing that prevents accidental lockouts during changes like this.

Government Contractors: This Is Also a CMMC Issue

If your organization handles Controlled Unclassified Information (CUI) and is working toward CMMC Level 1 or Level 2 compliance, phishing-resistant MFA isn't optional — it's increasingly the expected standard. CMMC Level 2 specifically references NIST 800-171 control 3.5.3, which requires multi-factor authentication for local and network access. Using SMS-based MFA for accounts that touch CUI data is an audit finding waiting to happen. Passkeys satisfy this control in a way SMS codes simply don't. For a broader look at what CMMC Level 1 requires, see our CMMC Level 1 compliance guide for small businesses.

The Bottom Line

Microsoft isn't retiring SMS MFA because it's inconvenient. They're retiring it because it doesn't work against the attacks that are actually happening right now. The ACR Stealer is active. Session token theft is real. And 97% of credential-based ransomware victims had MFA turned on when they got hit.

Passkeys are the answer — not because they're trendy, but because they're the first authentication method that closes the door phishing attacks have been walking through for years. You have until September 1, 2026. That's enough time to do this right, but not enough time to procrastinate.


Take Action

Authentication gaps are one of the most common findings in small business security assessments — and they're rarely visible until something breaks. Before you migrate your MFA setup, it's worth knowing what else might be exposed in your Microsoft 365 environment or network perimeter.

Oscar Six Security's Radar ($99/scan) gives you an attacker's-eye view of your external exposure — open ports, misconfigured services, credential risks, and more — so you're fixing real problems, not guessing. It's the kind of proactive check that catches issues before they become incidents.

See what Radar covers →

Focus Forward. We've Got Your Six.

Frequently Asked Questions

What happens to my Microsoft 365 accounts when SMS MFA is retired in September 2026?

If users have SMS or voice calls configured as their only MFA method, they will lose that authentication option on September 1, 2026. Depending on your Conditional Access policies, this could result in login failures or account lockouts until a new method is registered. Migrating users to passkeys or the Microsoft Authenticator app before the deadline prevents disruption.

Are passkeys actually more secure than SMS codes for Microsoft 365?

Yes, significantly. SMS codes can be intercepted via SIM swapping, SS7 attacks, or real-time phishing proxies — and stolen session tokens bypass them entirely. Passkeys are cryptographically bound to the specific website and device, meaning there is no code to intercept and no credential a phishing page can capture. They are the only authentication method that is genuinely phishing-resistant.

How much does it cost to deploy passkeys for a small business?

Hardware security keys like YubiKeys run $25–$50 per user and are the strongest option for high-value accounts. For most employees, passkeys can be stored on existing smartphones or Windows Hello-enabled devices at no additional hardware cost. The migration work itself is administrative — done in Microsoft Entra — and requires no paid add-ons for most Microsoft 365 Business plans.

Do I need passkeys for CMMC Level 1 compliance?

CMMC Level 1 requires multi-factor authentication, but Level 2 (aligned to NIST 800-171) increasingly expects phishing-resistant MFA for accounts accessing Controlled Unclassified Information. SMS-based MFA is a known weak control that auditors are flagging. Passkeys satisfy the MFA requirement in a way that holds up to scrutiny. Oscar Six Security's Radar scan can help identify authentication gaps and other exposures before a formal audit.

What MFA method should small businesses use instead of SMS after September 2026?

Microsoft recommends passkeys (FIDO2 security keys or device-based passkeys) as the most secure option, followed by Microsoft Authenticator with number matching enabled. TOTP apps like Google Authenticator are better than SMS but still vulnerable to real-time phishing. For most small businesses, deploying Microsoft Authenticator with number matching as a baseline and passkeys for admin accounts is the practical starting point.

Step-by-Step Guide

  1. Audit current MFA methods

    In Microsoft Entra admin center, navigate to Users → Authentication Methods → Activity and filter for users still registered with SMS or voice call. Export this list as your migration target.

  2. Enable Authentication Methods Policy

    Switch from the legacy per-user MFA portal to the Entra Authentication Methods policy. This gives you group-level control over which methods are permitted and is required for managing passkeys at scale.

  3. Enable FIDO2 passkeys in Entra

    Under Authentication Methods → Policies, enable FIDO2 Security Keys. Start enforcement with a pilot group of IT admins and privileged users before rolling out to the full organization.

  4. Deploy Authenticator with number matching

    For users where passkeys aren't immediately practical, enable Microsoft Authenticator with number matching as an interim measure. This blocks MFA fatigue attacks and is a significant improvement over SMS.

  5. Update SSPR authentication settings

    Self-Service Password Reset has its own authentication method configuration separate from main MFA settings. Update SSPR to remove SMS/voice options so the fallback path doesn't reintroduce the vulnerability you just closed.

  6. Communicate and pilot before cutover

    Send users a one-page guide explaining the change at least two weeks before migration. Run a pilot with 5–10 users across different roles, confirm clean logins, then roll out org-wide to minimize helpdesk load.

Find out what's exposed. Radar scans your external attack surface and shows you exactly what needs fixing. See a sample report →