Authentication Methods

Configure and manage authentication methods available to users in your organization. Control which methods are enabled, set registration requirements, and monitor adoption across passwordless, MFA, and self-service password reset options.

Authentication Method Types

Passwordless Methods (Strongest)

Eliminate passwords entirely. Most secure and convenient option.

Microsoft Authenticator — Phone sign-in with biometric/PIN. Push notification replaces password.
FIDO2 Security Keys — Hardware keys (YubiKey, Feitian). Phishing-resistant, no shared secrets.
Windows Hello for Business — Biometric or PIN tied to device. Passwordless on Windows devices.
Certificate-Based Auth — Smart card or device certificate. Enterprise PKI integration.

MFA Methods

Second factor used with password. Still requires password knowledge.

Authenticator App (TOTP) — Time-based codes from Microsoft Authenticator or third-party apps.
Authenticator Push — Approve/deny notifications with number matching for security.
SMS — Verification codes via text message. Less secure (SIM swap risk).
Voice Call — Automated call with verification code. Fallback option.

Password Recovery Methods

Methods for self-service password reset (SSPR).

Email OTP — Code sent to alternate email address. Common SSPR method.
Security Questions — Knowledge-based questions. Not recommended for MFA.

Authentication Policy

Method	Enabled	Target	Registration
Microsoft Authenticator	Yes	All users	Required
FIDO2 Security Keys	Yes	Admins only	Optional
SMS	Limited	SSPR only	Optional
Voice Call	Disabled	—	—

Registration Settings

Registration Campaign

Nudge users to register authentication methods during sign-in.

Target users — All users, specific groups, or admins
Snooze duration — How long user can postpone (1-14 days)
Enforcement — Interrupt sign-in until registration complete

Combined Registration

Single registration experience for MFA and SSPR. Users register once for both capabilities. Recommended over separate registration flows.

System-Preferred MFA

Let Microsoft choose the most secure available method for each authentication. Prioritizes passwordless over SMS.

Microsoft Authenticator Settings

Number Matching

User must enter the number shown on sign-in screen in the Authenticator app. Prevents MFA fatigue attacks. Enabled by default.

Additional Context

Show app name, geographic location, and IP address in push notification. Helps users identify suspicious requests.

Allow users to sign in without entering a password. Uses device-bound key with biometric or PIN verification.

FIDO2 Security Key Settings

Allowed Keys

Restrict to specific AAGUID (Authenticator Attestation GUID) values to enforce approved vendor keys only.

Enforce Attestation

Require keys to provide attestation certificate to verify authenticity.

Self-Service Management

Allow users to register FIDO2 keys via My Security Info portal.

Method Security Comparison

Method	Phishing Resistant	MFA Fatigue Safe	Passwordless
FIDO2 Keys	Yes	Yes	Yes
Windows Hello	Yes	Yes	Yes
Authenticator (Passwordless)	Yes	Yes	Yes
Authenticator (Push + Number)	No	Yes	No
TOTP	No	Yes	No
SMS	No	Yes	No

Best Practices

Prioritize passwordless methods — Enable FIDO2, Windows Hello, and Authenticator passwordless for all users.
Require number matching — Enable number matching for Authenticator push notifications.
Limit SMS usage — Disable SMS for MFA, allow only for SSPR if needed.
Use registration campaigns — Nudge users to register stronger authentication methods.

API Reference

GET /api/security/auth-methods-policy — Get authentication methods policy
PUT /api/security/auth-methods-policy/:method — Update method configuration
GET /api/security/auth-methods/registration-stats — Get registration statistics
GET /api/users/:id/authentication/methods — List user’s registered methods
DELETE /api/users/:id/authentication/methods/:methodId — Remove authentication method