Thank you for asking. Any passwordless (phishing-resistant) strong credential is recommended for end users (WHFB, CBA, FIDO2, phone sign-in). Those credentials satisfy the MFA requirement.
The reason for enabling "number matching" is that Microsoft security observed MFA fatigue attacks against push notifications.
Users get compromised by simply approving the push notification, since they cannot tell whether it is genuine or attacker-initiated.
Number matching prevents that compromise, because the end user does not know the number to enter if the attacker initiated the session for MFA or passwordless phone sign-in.
Solution-wise, it really depends on what devices end users have and what type of users they are (cloud-only or on-prem synced):
- If all machines are Windows 10 21H2 / Windows 11 physical machines with a TPM, WHFB hybrid cloud Kerberos trust works with no PKI involved, an elegant solution:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune
- If you already have PKI infra established and the CDP published over HTTP, certificates can be pushed to users and you can use CBA at AAD:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication
Note: it has a few unsupported scenarios; take a look at those in the document.
If you can push certificates to mobile devices, you can think of CBA as an alternative option.
- FIDO2 is not yet supported by all browsers, and there is a cost associated with buying FIDO2 keys:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility#supported-browsers
- If you don't want to hang on to on-prem and plan to issue new devices to future users, let Azure AD manage authentication for users from the managed domain:
use a TAP to complete OOBE setup, join the device to AADJ (cloud domain join) and complete WHFB enrollment;
use a VPN (rarely, if they need it) to connect to on-prem from the AADJ device.
- Phone sign-in: I don't need to explain this, since you mentioned you are not looking into phone sign-in options, as end users have to go through one of the simple and secure auth methods above.
Please review with your org's identity architect and then decide what suits you best.
Happy Thanksgiving!
Feel free to reach out if you have any additional questions.
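The TAP step from the answer above (issue a Temporary Access Pass so a new user can get through OOBE, Azure AD join the device and set up WHFB) as an added example, not code from the original answer. It uses the Microsoft Graph PowerShell SDK's `Connect-MgGraph` and `Invoke-MgGraphRequest` against the v1.0 Graph endpoints for the authentication methods policy and the user's TAP methods; the UPN, the 60-minute lifetime and the assumption that the caller holds a role allowed to read the policy and create TAPs are placeholders and assumptions for this example.

```powershell
# Added example (not from the original answer): issue a single-use Temporary Access Pass
# for a new user's OOBE / AADJ / WHFB enrollment. Assumes the Microsoft.Graph SDK is
# installed and the signed-in admin may read the auth methods policy and create TAPs.

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$upn = "new.user@contoso.com"   # placeholder: replace with the real user's UPN
$graph = "https://graph.microsoft.com/v1.0"

# 1. Check that the TAP method is enabled in the tenant's authentication methods policy.
#    Creation fails if the method is disabled or the user is outside its include targets,
#    and the requested lifetime must sit between the policy's minimum and maximum.
$tapPolicy = Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/TemporaryAccessPass"
if ($tapPolicy.state -ne "enabled") {
    throw "TAP method state is '$($tapPolicy.state)'; enable it in the authentication methods policy first."
}
"TAP policy: lifetime $($tapPolicy.minimumLifetimeInMinutes)-$($tapPolicy.maximumLifetimeInMinutes) min, default length $($tapPolicy.defaultLength)"

# 2. Issue a TAP that starts now, lasts 60 minutes (assumed value) and can be used once.
#    isUsableOnce keeps a pass that leaks after OOBE from being replayed by someone else.
$body = @{
    lifetimeInMinutes = 60
    isUsableOnce      = $true
}
$tap = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/users/$upn/authentication/temporaryAccessPassMethods" -Body $body

# 3. The pass value is only returned in this response; hand it to the user out of band.
"TAP for ${upn}: $($tap.temporaryAccessPass) (starts $($tap.startDateTime), " +
"valid $($tap.lifetimeInMinutes) min, single use: $($tap.isUsableOnce))"
```

If the tenant policy scopes TAP to a group, add the new user to that group before running step 2; a TAP created for a user who cannot use it just sits unused until it expires.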