Insider Brief
- Microsoft is accelerating its Quantum Safe Program with a goal of moving critical products and services to post-quantum cryptography by 2029.
- The company said the transition will require organizations to identify and update cryptography across networks, stored data, identity systems, certificates, software signing and hardware.
- Microsoft said organizations should begin now by building cryptographic inventories, adopting modern protocols such as TLS 1.3 and designing systems that can change encryption methods with limited disruption.
Microsoft is moving up its deadline for quantum-safe security, a sign that major technology providers see the transition to new encryption as a near-term engineering problem rather than a distant risk. The announcement was in line with an earlier report on quantum research advances that supported its roadmap of developing a fault-tolerant quantum computer by 2029.
The company said it now aims to transition critical products and services to post-quantum cryptography by 2029, according to a Microsoft blog post by Mark Russinovich, chief technology officer of Microsoft Azure. The move accelerates the company’s Quantum Safe Program and folds post-quantum requirements into Microsoft’s Secure Future Initiative, its broader security engineering program.
The change reflects a growing concern across government and industry that future quantum computers could eventually break widely used public-key encryption systems. Those systems protect internet traffic, software updates, digital identities, financial transactions and other core parts of modern computing. While such quantum machines do not exist today, researchers and security agencies warn that the migration to safer systems will take years.
Microsoft said advances in quantum research have moved the risk horizon closer than previously expected. The company said organizations should begin preparing now because the transition will require broad changes across applications, networks, certificates, keys, identity systems and hardware.
The announcement also follows government moves to set earlier timelines for quantum-safe systems. Microsoft pointed to U.S. and French guidance that calls for adoption of quantum-safe cryptography as early as 2030 for certain high-risk systems. Those policies reflect a wider shift: regulators are increasingly treating post-quantum security as a planning requirement, not a speculative research topic.
Quantum Risk Becomes an Engineering Issue
Post-quantum cryptography refers to encryption methods designed to resist attacks from both classical computers and future quantum computers. The concern is that a powerful enough quantum computer could use algorithms that would weaken or defeat current public-key systems, including those used for secure web browsing, software signing and digital certificates.
Microsoft’s new 2029 target is aimed at giving customers more time to adapt. The company said the hardest part for most organizations will not be choosing a new algorithm. It will be finding where cryptography is already embedded.
That inventory problem is large. Cryptography is often scattered across software, cloud services, APIs, databases, identity systems, mobile devices, update tools, certificates and older applications. In many cases, algorithms are hard-coded into applications or tied to systems that were not designed to change quickly.
Microsoft said its accelerated plan focuses on three main areas: network cryptography, stored data and cryptographic trust chains.
For data moving across networks, the company said organizations should modernize protocols, including wider adoption of TLS 1.3. TLS is the protocol used to secure much of the traffic on the internet. Microsoft said TLS 1.3 creates a stronger baseline for future hybrid and post-quantum key exchange as standards mature.
For stored data, Microsoft said organizations need crypto-agility, meaning the ability to change encryption methods without rebuilding entire systems. That includes making cryptographic settings configurable, improving key rotation, standardizing key management and removing hard-coded algorithms.
For trust chains, the work is more complex. These systems include code signing, certificate issuance, key protection and software update pipelines. They are central to how devices and services prove they are legitimate. Microsoft said this area will require hardware-backed key protection, updated certificate policies, shorter or revised certificate lifetimes, and auditable signing and issuance processes.
The Harvest-Now Risk
The company also pointed to the risk known as “harvest now, decrypt later.” In that scenario, attackers collect encrypted data today and store it until future tools can decrypt it. That threat is especially relevant for governments, health care organizations, financial firms and companies holding intellectual property or other data that must remain private for many years.
Microsoft said customers and partners are already starting to respond by prioritizing long-lived sensitive data, building crypto-agility into new systems and conducting cryptographic discovery projects. Those efforts can also reveal current security gaps that exist regardless of the quantum threat, the company said.
The blog suggests that the transition as iterative, rather than waiting for final deadlines or a single mandated technology change, organizations are being urged to build systems that can change over time. That approach is intended to reduce the risk of rushed upgrades later.
The company said organizations should begin by assigning ownership, setting milestones and creating a living inventory of cryptographic dependencies. It also urged companies to modernize protocols and design new systems so algorithms can be updated with less disruption.
Microsoft’s announcement does not mean that a cryptographically relevant quantum computer is imminent. The field still faces major technical hurdles, including error correction, scale, reliability and cost. A machine capable of breaking current encryption would require capabilities beyond today’s quantum computers.
The timing is also uncertain because predictions vary widely, and no company or government can say with precision when such systems will arrive.
There are also unresolved standards and implementation issues. The National Institute of Standards and Technology has begun standardizing post-quantum algorithms, but adoption across commercial systems will take time. Many organizations must test new cryptographic methods for performance, compatibility and operational risk before deploying them broadly.
