Hello Kristoffer Rothstein,
This prompt is expected behavior and not related to the strength of your MFA methods.
“Let’s keep your account secure” is triggered by Security Information / SSPR enforcement, not by sign‑in MFA. Even if you use strong methods like FIDO2 or hardware security keys, Entra ID still requires at least one recovery method (phone or alternate email) for account recovery and self‑service password reset.
Hardware tokens are authentication methods, but they do not satisfy recovery requirements, which is why the prompt keeps appearing. Conditional Access or MFA policies cannot suppress this screen.
The only way to stop the prompt is to disable SSPR or exclude the user from SSPR; otherwise, at least one recovery method is required by design.
Authentication overview: https://learn.microsoft.com/en-us/entra/identity/authentication/overview-authentication
SSPR behavior: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-howitworks
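To verify the situation the answer describes for a specific account, the following PowerShell script (an added example, not part of the answer or of any Microsoft documentation) lists the user's registered authentication methods with Microsoft Graph and compares them against the registration details report, which distinguishes MFA capability from SSPR capability. It treats phone and alternate e-mail as the recovery methods, as the answer does; the report's `IsSsprCapable` value reflects whatever methods the tenant's SSPR policy actually accepts. It assumes the Microsoft.Graph PowerShell SDK is installed, the signed-in administrator has the `UserAuthenticationMethod.Read.All` and `AuditLog.Read.All` scopes, and the `$UserPrincipalName` parameter is a placeholder for the affected account.

```powershell
# Added example (not from the answer above): show why an account with only
# FIDO2 / hardware-key methods keeps seeing the "Let's keep your account secure"
# prompt by comparing its registered methods with its SSPR registration state.
# Assumes the Microsoft.Graph PowerShell SDK and the scopes listed below.
param(
    # Placeholder: replace with the affected user's UPN.
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes 'UserAuthenticationMethod.Read.All', 'AuditLog.Read.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

# Method types that satisfy SSPR recovery according to the answer: phone and alternate e-mail.
$recoveryTypes = @(
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.emailAuthenticationMethod'
)

# Every registered method comes back with its OData type in AdditionalProperties.
$methods    = Get-MgUserAuthenticationMethod -UserId $user.Id
$registered = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }

Write-Host "Registered methods for $($user.UserPrincipalName):"
$registered | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }

$hasRecovery = @($registered | Where-Object { $recoveryTypes -contains $_ }).Count -gt 0

# The registration details report separates MFA capability from SSPR capability,
# which is exactly the gap a hardware-key-only user falls into.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $user.Id
Write-Host "IsMfaCapable    : $($reg.IsMfaCapable)"
Write-Host "IsSsprCapable   : $($reg.IsSsprCapable)"
Write-Host "IsSsprRegistered: $($reg.IsSsprRegistered)"
Write-Host "IsSsprEnabled   : $($reg.IsSsprEnabled)"   # false when the user is outside SSPR scope

if (-not $reg.IsSsprEnabled) {
    Write-Host 'User is not in SSPR scope, so SSPR enforcement is not what drives the prompt.'
}
elseif (-not $hasRecovery) {
    Write-Warning ('SSPR is in scope but no phone or e-mail recovery method is registered: ' +
                   'the prompt will keep appearing until one is added or the user is excluded from SSPR.')
}
else {
    Write-Host 'A recovery method is registered; the prompt should stop once SSPR registration is complete.'
}
```

Run it as `.\Check-SsprRecovery.ps1 -UserPrincipalName <upn>` (script name is arbitrary). A user who authenticates only with FIDO2 keys will typically show `IsMfaCapable` as true and `IsSsprCapable` as false, which is the mismatch the answer explains: strong sign-in methods do not count as recovery methods.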