Cuir in eagar

Comhroinn trí


NIST authenticator types and aligned Microsoft Entra methods

The authentication process begins when a claimant asserts its control of one of more authenticators associated with a subscriber. The subscriber is a person or another entity. Use the following table to learn about National Institute of Standards and Technology (NIST) authenticator types and associated Microsoft Entra authentication methods.

NIST authenticator type Microsoft Entra authentication method
Memorized secret
(something you know)
Password: Cloud accounts, federated, password hash sync, passthrough authentication
Look-up secret
(something you have)
None
Single-factor out-of-band
(something you have)
Microsoft Authenticator App (Push Notification)
Phone (SMS): Not recommended
Multi-factor Out-of-band
(something you have + something you know/are)
Microsoft Authenticator App (Passwordless)
Single-factor one-time password (OTP)
(something you have)
Microsoft Authenticator App (OTP)
Single-factor Hardware/Software OTP1
Multi-factor OTP
(something you have + something you know/are)
Treated as single-factor OTP
Single-factor crypto software
(something you have)
Single-factor software certificate
Microsoft Entra joined 2 with software TPM
Microsoft Entra hybrid joined 2 with software TPM
Compliant mobile device
Single-factor crypto hardware
(something you have)
Microsoft Entra joined 2 with hardware TPM
Microsoft Entra hybrid joined 2 with hardware TPM
Multi-factor crypto software
(something you have + something you know/are)
Multi-factor Software Certificate (PIN Protected)
Windows Hello for Business with software TPM
Multi-factor crypto hardware
(something you have + something you know/are)
Hardware protected certificate (smartcard/security key/TPM)
Windows Hello for Business with hardware TPM
FIDO 2 security key
Platform credentials for macOS

1 30-second or 60-second OATH-TOTP SHA-1 token

2 For more information on device join states, see Microsoft Entra device identity

NIST does not recommend SMS or voice. The risks of device swap, SIM changes, number porting, and other behaviors can cause issues. If these actions are malicious, they can result in an insecure experience. Although SMS/Voice are not recommended, they are better than using only a password, because they require more effort for hackers.

Next steps

NIST overview

Learn about AALs

Authentication basics

NIST authenticator types

Achieve NIST AAL1 with Microsoft Entra ID

Achieve NIST AAL2 with Microsoft Entra ID

Achieve NIST AAL3 with Microsoft Entra ID