This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The authentication process begins when a claimant asserts its control of one of more authenticators associated with a subscriber. The subscriber is a person or another entity. Use the following table to learn about National Institute of Standards and Technology (NIST) authenticator types and associated Microsoft Entra authentication methods.
| NIST authenticator type | Microsoft Entra authentication method |
|---|---|
| Memorized secret (something you know) |
Password QR Code (PIN) |
| Look-up secret (something you have) |
None |
| Single-factor out-of-band (something you have) |
Microsoft Authenticator app (Push Notification) Microsoft Authenticator Lite (Push Notification) Phone (SMS): Not recommended |
| Multi-factor Out-of-band (something you have + something you know/are) |
Microsoft Authenticator app (Phone Sign-In) |
| Single-factor one-time password (OTP) (something you have) |
Microsoft Authenticator app (OTP) Microsoft Authenticator Lite (OTP) Single-factor hardware/software OTP1 |
| Multi-factor OTP (something you have + something you know/are) |
Treated as single-factor OTP |
| Single-factor crypto software (something you have) |
Single-factor software certificate Microsoft Entra joined 2 with software TPM Microsoft Entra hybrid joined 2 with software TPM Compliant mobile device2 |
| Single-factor crypto hardware (something you have) |
Single-factor hardware protected certificate Microsoft Entra joined 2 with hardware TPM Microsoft Entra hybrid joined 2 with hardware TPM |
| Multi-factor crypto software (something you have + something you know/are) |
Multi-factor software certificate Windows Hello for Business with software TPM |
| Multi-factor crypto hardware (something you have + something you know/are) |
Multi-factor hardware protected certificate FIDO 2 security key Platform SSO for macOS (Secure Enclave) Windows Hello for Business with hardware TPM Passkey in Microsoft Authenticator |
1 30-second or 60-second OATH-TOTP SHA-1 token
2 For more information on device join states, see Microsoft Entra device identity
NIST does not recommend SMS or voice. The risks of device swap, SIM changes, number porting, and other behaviors can cause issues. If these actions are malicious, they can result in an insecure experience. Although SMS/Voice are not recommended, they are better than using only a password, because they require more effort for hackers.
Achieve NIST AAL1 with Microsoft Entra ID
Training
Module
Describe the authentication capabilities of Microsoft Entra ID - Training
Describe the authentication capabilities of Microsoft Entra ID
Certification
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.