NIST authenticator types and aligned Azure Active Directory methods
The authentication process begins when a claimant asserts control of one or more authenticators associated with a subscriber. The subscriber is a person or another entity. Use the following table to map National Institute of Standards and Technology (NIST) authenticator types, as defined in NIST SP 800-63B, to the Azure Active Directory (Azure AD) authentication methods that implement them.
| NIST authenticator type | Azure AD authentication method |
|---|---|
| Memorized secret (something you know) | Password: cloud accounts, federated, password hash sync, pass-through authentication |
| Look-up secret (something you have) | None: a look-up secret is data not held in a system |
| Out-of-band (something you have) | Phone (SMS): not recommended |
| Single-factor one-time password (OTP) (something you have) | Microsoft Authenticator app OTP; single-factor OTP (OTP manufacturers) ¹ |
| Multi-factor OTP (something you have, know, or are) | Multi-factor OTP (OTP manufacturers) ¹ |
| Single-factor crypto software (something you have) | Compliant mobile device; Microsoft Authenticator app (notification); Hybrid Azure AD joined ² with software TPM; Azure AD joined ² with software TPM |
| Single-factor crypto hardware (something you have) | Azure AD joined ² with hardware TPM; Hybrid Azure AD joined ² with hardware TPM |
| Multi-factor crypto software (something you have, know, or are) | Microsoft Authenticator app for iOS (passwordless); Windows Hello for Business with software TPM |
| Multi-factor crypto hardware (something you have, know, or are) | Microsoft Authenticator app for Android (passwordless); Windows Hello for Business with hardware TPM; smartcard (federated identity provider); FIDO2 security key |

¹ 30-second or 60-second OATH-TOTP token using HMAC-SHA-1
² For more information on device join states, see Azure AD device identity
SMS isn't recommended
SMS text messages can satisfy the NIST out-of-band authenticator type, but NIST SP 800-63B classifies out-of-band verification over the public switched telephone network as restricted, and Microsoft doesn't recommend it. Device swap, SIM swap, number porting, and similar events can cause the one-time code to be delivered to someone other than the subscriber; when those actions are malicious, an attacker receives the code and can complete the sign-in. SMS is still stronger than a password alone, because it raises the attacker's cost, but prefer one of the OTP app or cryptographic methods in the table above where you can.
Next steps
Achieve NIST AAL1 with Azure AD