Some time after 1 September, people in your business are going to see a new prompt when they sign in to Microsoft 365: register a passkey. Here is the readiness test, in one question. Will they know whether it is real?

In most small businesses, honestly, no. Nobody will have told them it was coming, nobody will know whether clicking it is safe, and the decision will be made individually, at nine in the morning, by whoever hits it first. That is what unreadiness looks like, and it is entirely avoidable, because Microsoft has published the whole timeline.

This post covers what is changing, why it is genuinely good news, and the six questions that tell you whether your business is ready for it.

What Microsoft announced

On 13 July, Microsoft confirmed two changes to how everyone signs in to Microsoft 365 and the wider Entra identity platform.

From 1 September 2026, passkeys become the default. Users who currently verify sign-ins with text message codes or voice calls will be automatically enabled for passkeys and nudged to register one the next time they complete multi-factor authentication. The rollout is gradual across tenants, and the prompt can initially be skipped.

From 1 February 2027, Microsoft-provided text message and voice authentication is retired. This is the hard edge. After that date, a user whose only sign-in method is a phone code hits a blocking prompt: register a passkey or do not get in. There is no opt-out of the February enforcement. The retirement also covers self-service password reset. Businesses with a genuine regulatory or operational need to keep phone-based codes can contract a third-party telecom provider through Microsoft’s marketplace, at their own cost, configurable from 30 October.

Nothing changes for organisations already using phishing-resistant methods such as Windows Hello for Business, security keys or existing passkeys. This lands squarely on the businesses still relying on codes sent by text, which, in the small business world, is most of them.

What a passkey is, in plain English

A passkey is a cryptographic key that lives on your device, a phone, laptop or security key, and gets unlocked by your fingerprint, face or device PIN. When you sign in, your device proves it holds the key. There is no password to type and no code to read out, which means there is nothing for a phishing site to capture and nothing for a criminal to talk your staff into handing over.

That last part is the whole point. Text message codes were a huge improvement on passwords alone, but they can be phished in real time, intercepted, or stolen through SIM-swapping, and criminals have become industrially good at all three. Microsoft’s own threat intelligence reports that phishing campaigns assisted by artificial intelligence achieve click-through rates approaching 54%, against roughly 12% for traditional ones. The economics of stealing codes have never been better, which is exactly why Microsoft is removing the codes.

So the direction is right. The question is readiness.

The readiness test: six questions

  • Do you know who signs in with text codes today? Microsoft publishes a script that lists every user still relying on text or voice authentication. If nobody in or around your business can run it, that is finding number one. The people it identifies with no other sign-in method are the ones who hit a blocking prompt in February 2027.
  • Do any administrator accounts rely on a phone code? An administrator account protected only by a text message is the account most worth stealing, secured by the method easiest to steal. Whatever else you take from this post, fix those first, and while you are there, confirm they are separate accounts used only for administration.
  • What happens to shared accounts? The info@ mailbox, the accounts system login the whole office uses. A passkey belongs to a person and a device, which is precisely why shared credentials do not fit, and never really did. This change forces a conversation you probably needed to have anyway.
  • What is your position on personal phones? Passkeys live on devices. If your staff sign in from personal mobiles, their work passkey will live on hardware you do not manage. That is workable, but it should be a decision, written down, not an accident discovered later.
  • Will your people recognise the real prompt? Criminals read Microsoft announcements too, and a well-publicised change window is a gift to them: expect convincing fake "register your passkey now" emails aimed at exactly the confusion this transition creates. Ten minutes of communication, this is coming, this is what the genuine prompt looks like, here is who to ask, removes the gap those attacks live in.
  • Who owns this in your business? Not "who is technical", but who is accountable for the plan, the timeline and the communication. If the answer is nobody, this change is a small, dated example of a much bigger gap.

The bigger point

If your business achieved Cyber Essentials recently, you may feel entitled to a groan here. You finally switched multi-factor authentication on everywhere, probably using text codes because they were the easy option, and now the ground is moving again.

That is the reality of security in 2026, and it is worth saying without varnish: it is not a project you finish, it is a condition you maintain. Vendors retire things. Attackers adapt. Requirements tighten, as they did when Cyber Essentials raised its bar in April. The businesses that handle this change calmly will be the ones where somebody owns security as a standing responsibility, reads announcements like this in July, and has a plan before September. That ownership is exactly what our fractional security leadership exists to provide, at a scale small businesses can justify.

And the change itself deserves a warmer welcome than most Microsoft mandates. Passkeys are included in every Entra plan at no extra cost, they are faster for staff than waiting for a code, and they close off the single most common way small businesses get breached through their cloud accounts. This is one of the rare security transitions where the secure option is also the convenient one.

What to do this quarter

Identify your text-code users now, move administrator accounts to phishing-resistant methods first, decide your policy on shared accounts and personal devices, brief your staff before September so the real prompt is expected, and set a completion date well before February 2027 rather than at it. If your Microsoft 365 is looked after by a provider, ask them one question: what is your plan for the passkey transition, per user, by date? The quality of the answer will tell you a great deal.

If you want help with the transition, or an honest read on whether your Microsoft 365 tenant is configured the way your provider says it is, our Microsoft 365 security review covers exactly this ground, and it pairs naturally with the question of whether your Conditional Access policies are doing what you think. Get in touch and we will tell you where you stand.


Sources: Microsoft Security Blog, “Microsoft Entra ID security updates: passkeys are the default authentication method in Entra ID”, 13 July 2026; Microsoft Learn, “Passkeys by default and retirement of Microsoft-provided SMS and voice authentication”. Phishing click-through figures: Microsoft Threat Intelligence.