Authentication is a security process that verifies a user's identity before granting access to apps, services, devices, or networks.
Authentication methods supported by Microsoft Entra ID
The following table outlines when an authentication method can be used for primary authentication (first factor), secondary authentication with Microsoft Entra multifactor authentication (MFA), self-service password reset (SSPR), or account recovery.
| Method | Primary authentication | Secondary authentication | SSPR / Account recovery |
|---|---|---|---|
| Authenticator Lite | No | MFA | No |
| Certificate-based authentication | Yes | MFA | No |
| Email OTP | No | SSPR and sign-in<sup>2</sup> | SSPR |
| External MFA | No | MFA | No |
| Hardware OATH tokens (preview) | No | MFA | SSPR |
| Microsoft Authenticator passwordless | Yes | No | No |
| Microsoft Authenticator push notifications | Yes | MFA | SSPR |
| Passkey (FIDO2) | Yes | MFA | No |
| Passkey in Microsoft Authenticator | Yes | MFA | No |
| Password | Yes | No | No |
| Platform Credential for macOS | Yes | MFA | No |
| QR code | Yes | No | No |
| SMS sign-in | Yes | MFA | SSPR |
| Software OATH tokens | No | MFA | SSPR |
| Synced passkey | Yes | MFA | No |
| Temporary Access Pass (TAP) | Yes | MFA | No |
| Verified ID<sup>3</sup> | No | No | Account recovery |
| Voice call | No | MFA | SSPR |
| Windows Hello for Business | Yes | MFA<sup>1</sup> | No |

<sup>1</sup> Windows Hello for Business can serve as a step-up MFA credential if a user is enabled for passkey (FIDO2) and has a passkey registered.

<sup>2</sup> Email OTP is available for tenant members for self-service password reset (SSPR). You can also configure it for sign-in by guest users.

<sup>3</sup> Verified ID is an identity verification capability, not a traditional authentication method. It provides proof of identity for account recovery but can't be used for sign-in, MFA, or SSPR.
Phishing-resistant authentication methods
While traditional MFA with SMS, email OTP, or authenticator apps significantly improves security over password-only systems, these options introduce friction — requiring additional steps for users, like entering codes, approving push notifications, or using authenticator apps. Moreover, these MFA options are prone to remote phishing attacks. In a remote phishing attack, attackers use social engineering and AI-driven tools to steal identity credentials — like passwords or one-time codes — without physical access to a user's device.
Microsoft recommends using phishing-resistant authentication methods such as Windows Hello for Business, passkeys (FIDO2) and FIDO2 security keys, or certificate-based authentication (CBA) because they provide the most secure sign-in experience.
The following phishing-resistant authentication methods are available in Microsoft Entra ID:
- Windows Hello for Business
- Platform Credential for macOS
- Synced passkeys (FIDO2)
- FIDO2 security keys
- Passkeys in Microsoft Authenticator
- Certificate-based authentication (CBA)
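
The following added example (not Microsoft code and not part of the original page) audits a user's registered methods against the table and the phishing-resistant list above, and reports gaps. It assumes that "FIDO2 security keys" in the list corresponds to the "Passkey (FIDO2)" table row, and it simplifies footnote 1 to "a passkey (FIDO2) is registered"; the `audit` function and the sample users are hypothetical.

```python
# Added example; rows transcribed from this page's table: (primary, MFA, SSPR).
CAPS = {
    "Authenticator Lite": (False, True, False),
    "Certificate-based authentication": (True, True, False),
    "Email OTP": (False, False, True),  # footnote 2: SSPR for tenant members
    "External MFA": (False, True, False),
    "Hardware OATH tokens (preview)": (False, True, True),
    "Microsoft Authenticator passwordless": (True, False, False),
    "Microsoft Authenticator push notifications": (True, True, True),
    "Passkey (FIDO2)": (True, True, False),
    "Passkey in Microsoft Authenticator": (True, True, False),
    "Password": (True, False, False),
    "Platform Credential for macOS": (True, True, False),
    "QR code": (True, False, False),
    "SMS sign-in": (True, True, True),
    "Software OATH tokens": (False, True, True),
    "Synced passkey": (True, True, False),
    "Temporary Access Pass (TAP)": (True, True, False),
    "Voice call": (False, True, True),
    "Windows Hello for Business": (True, True, False),  # MFA: see footnote 1
}
# The page's phishing-resistant list mapped onto the table's row names
# (assumption: "FIDO2 security keys" is the "Passkey (FIDO2)" row).
PHISHING_RESISTANT = {
    "Windows Hello for Business", "Platform Credential for macOS",
    "Synced passkey", "Passkey (FIDO2)",
    "Passkey in Microsoft Authenticator", "Certificate-based authentication"}

def audit(registered):
    known = {m for m in registered if m in CAPS}
    mfa = {m for m in known if CAPS[m][1]}
    # Footnote 1: WHfB is step-up MFA only with a passkey (FIDO2) registered.
    if "Passkey (FIDO2)" not in known:
        mfa.discard("Windows Hello for Business")
    findings = []
    if not known & PHISHING_RESISTANT:
        findings.append("no phishing-resistant method")
    if not mfa:
        findings.append("no secondary (MFA) method")
    if not any(CAPS[m][2] for m in known):
        findings.append("no SSPR method")
    return findings

SAMPLE = {  # constructed registrations, not real accounts
    "alice": ["Password", "SMS sign-in"],
    "bob": ["Password", "Windows Hello for Business"],
    "carol": ["Passkey (FIDO2)", "Software OATH tokens"],
}
for user, methods in SAMPLE.items():
    print(user, audit(methods) or "ok")
```
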
Verified ID identity verification
Verified ID is an identity verification capability in Microsoft Entra ID — not a traditional authentication method. It can't be used to satisfy authentication requirements like sign-in, MFA, or SSPR. Instead, Verified ID provides cryptographic proof of a user's verified identity for scenarios where trust must be re-established, such as account recovery when all authentication methods are lost.
Identity verification profiles control which users can participate in Verified ID flows, which provider performs verification, and how identity claims are validated. Admins configure profiles through the Account Recovery setup wizard in the Microsoft Entra admin center, and the Verified ID policy page provides visibility into profile assignments and global exclusions.
For more information, see Verified ID identity verification overview.
High-assurance account recovery
Account recovery is the process of helping users who have lost all their credentials and can no longer access their account. Traditionally, a user calls the help desk, answers questions to verify their identity, and the help desk resets their credentials. Microsoft Entra ID now supports government-issued ID verification with biometric matching for high-assurance account recovery, removing the need for help desk intervention and eliminating social engineering risks.
Organizations can choose from leading identity verification providers (IDV) through the Microsoft Security Store. These partners offer coverage across 192 countries/regions and remote verification for most government-issued ID documents, including driver's licenses and passports. Microsoft Entra Verified ID Face Check, powered by Azure AI services, verifies proof of presence by matching a user's real-time selfie to the photo from their identity document. Only the match result is shared — no sensitive identity data — which preserves user privacy while providing strong identity assurance.