NIST authenticator types and aligned Microsoft Entra methods
The authentication process begins when a claimant asserts control of one or more authenticators associated with a subscriber. The subscriber is a person or another entity. Use the following table to learn about National Institute of Standards and Technology (NIST) authenticator types and the associated Microsoft Entra authentication methods.
| NIST authenticator type | Microsoft Entra authentication method |
|---|---|
| Memorized secret (something you know) | Password: Cloud accounts, federated, password hash sync, passthrough authentication |
| Look-up secret (something you have) | None |
| Single-factor out-of-band (something you have) | Microsoft Authenticator App (Push Notification)<br>Phone (SMS): Not recommended |
| Multi-factor out-of-band (something you have + something you know/are) | Microsoft Authenticator App (Passwordless) |
| Single-factor one-time password (OTP) (something you have) | Microsoft Authenticator App (OTP)<br>Single-factor Hardware/Software OTP¹ |
| Multi-factor OTP (something you have + something you know/are) | Treated as single-factor OTP |
| Single-factor crypto software (something you have) | Single-factor software certificate<br>Microsoft Entra joined² with software TPM<br>Microsoft Entra hybrid joined² with software TPM<br>Compliant mobile device |
| Single-factor crypto hardware (something you have) | Microsoft Entra joined² with hardware TPM<br>Microsoft Entra hybrid joined² with hardware TPM |
| Multi-factor crypto software (something you have + something you know/are) | Multi-factor Software Certificate (PIN Protected)<br>Windows Hello for Business with software TPM |
| Multi-factor crypto hardware (something you have + something you know/are) | Hardware protected certificate (smartcard/security key/TPM)<br>Windows Hello for Business with hardware TPM<br>FIDO2 security key<br>Platform credentials for macOS |

¹ 30-second or 60-second OATH-TOTP SHA-1 token

² For more information on device join states, see Microsoft Entra device identity
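Footnote 1 names the token type behind the single-factor OTP row. The following added example (not code from Microsoft or from the original page) implements RFC 6238 TOTP with HMAC-SHA-1 at a 30-second or 60-second step, plus a verifier that tolerates one step of clock drift; the seed is the RFC 6238 test secret, used here as a constructed demo value.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 6238 Appendix B test secret, not a real credential.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
    Entra accepts tokens with a 30-second or 60-second step (footnote 1)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the code for the current step and `skew` steps either side (clock drift).
    compare_digest keeps the comparison constant-time. Only the seed is needed to
    produce a valid code, which is why this is a single-factor (possession) authenticator."""
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(seed, c, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    print("30s step at T=59:", totp(DEMO_SEED, 59))           # prints 287082
    print("60s step at T=119:", totp(DEMO_SEED, 119, step=60))  # prints 287082
```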
Public Switched Telephone Network (PSTN) SMS/Voice are not recommended
NIST does not recommend SMS or voice. Device swap, SIM changes, number porting, and similar behaviors can interfere with delivery of the code, and when these actions are malicious they can result in an insecure authentication. Although SMS/Voice are not recommended, they are better than using only a password, because they require more effort from an attacker.
Next steps
Achieve NIST AAL1 with Microsoft Entra ID