NIST authenticator types and aligned Azure Active Directory methods

The authentication process begins when a claimant asserts control of one or more authenticators bound to a subscriber. The subscriber is a person or another entity. Use the following table to learn which National Institute of Standards and Technology (NIST) authenticator types map to which Azure Active Directory (Azure AD) authentication methods.

| NIST authenticator type | Azure AD authentication method |
|---|---|
| Memorized secret (something you know) | Password: cloud accounts, federated, password hash sync, pass-through authentication |
| Look-up secret (something you have) | None. A look-up secret is data not held in a system. |
| Out-of-band (something you have) | Phone (SMS): not recommended |
| Single-factor one-time password (OTP) (something you have) | Microsoft Authenticator app OTP; single-factor OTP (OTP manufacturers) [1] |
| Multi-factor OTP (something you have, know, or are) | Multi-factor OTP (OTP manufacturers) [1] |
| Single-factor crypto software (something you have) | Compliant mobile device; Microsoft Authenticator app (notification); hybrid Azure AD joined [2] with software TPM; Azure AD joined [2] with software TPM |
| Single-factor crypto hardware (something you have) | Azure AD joined [2] with hardware TPM; hybrid Azure AD joined [2] with hardware TPM |
| Multi-factor crypto software (something you have, know, or are) | Microsoft Authenticator app for iOS (passwordless); Windows Hello for Business with software TPM |
| Multi-factor crypto hardware (something you have, know, or are) | Microsoft Authenticator app for Android (passwordless); Windows Hello for Business with hardware TPM; smart card (federated identity provider); FIDO2 security key |

[1] 30-second or 60-second OATH-TOTP SHA-1 token

[2] For more information on device join states, see Azure AD device identity
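The OATH-TOTP token in footnote 1 is RFC 6238 TOTP built on RFC 4226 HOTP: HMAC-SHA-1 over a counter derived from the Unix time divided by the 30- or 60-second step, truncated to six or eight digits. The following is an added example, not code from this page or from Microsoft, that implements that computation and the two checks a verifier needs on top of it: a small drift window, and rejection of a code whose counter has already been accepted (replay). The secret is the published RFC 4226/6238 test key, used here as constructed sample input; the function names are the example's own.

```python
"""OATH-TOTP (RFC 6238 over RFC 4226 HOTP) with HMAC-SHA-1 and a 30s or 60s step."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1(secret, counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation, RFC 4226 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). step is 30 or 60 for OATH tokens."""
    return hotp(secret, unix_time // step, digits)


def match_counter(secret: bytes, code: str, unix_time: int,
                  step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code matches the submitted one, checking the
    current step plus `window` steps either side to absorb token clock drift.
    Uses a constant-time compare so timing does not leak how many digits matched."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def accept(secret: bytes, code: str, unix_time: int, last_counter: int,
           step: int = 30, digits: int = 6, window: int = 1) -> Tuple[bool, int]:
    """Verify a code and enforce one-time use: a matching code whose counter is not newer
    than the last accepted counter is a replay and is rejected (RFC 6238 section 5.2).
    Returns (accepted, updated_last_counter); persist the counter per token."""
    counter = match_counter(secret, code, unix_time, step, digits, window)
    if counter is None or counter <= last_counter:
        return False, last_counter
    return True, counter


if __name__ == "__main__":
    # Constructed input: the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    seed = b"12345678901234567890"
    print(totp(seed, 59))                 # 30s step -> counter 1
    print(totp(seed, 59, step=60))        # 60s step -> counter 0
    ok, last = accept(seed, totp(seed, 59), 59, last_counter=-1)
    print(ok, accept(seed, totp(seed, 59), 75, last)[0])   # second use of same code is rejected
```

Note that the window only tolerates drift; it does not relax one-time use. A token that drifts past the window needs resynchronisation, not a wider window, because every extra step gives an attacker another valid code per guess.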

SMS text messages satisfy NIST SP 800-63B as an out-of-band authenticator, but NIST classifies delivery over the public switched telephone network (SMS or voice) as restricted and doesn't recommend it. SIM swaps, device swaps, number porting, and similar actions can redirect the message; when an attacker performs them, the second factor is delivered to the attacker. Although SMS isn't recommended, it's still better than a password alone, because it raises the effort an attacker needs above a single reused or phished password.

Next steps

NIST overview

Learn about AALs

Authentication basics

NIST authenticator types

Achieve NIST AAL1 with Azure AD

Achieve NIST AAL2 with Azure AD

Achieve NIST AAL3 with Azure AD