L5. Authentication Methods: Passwordless, MFA and FIDO2
Configure authentication methods for the SC-300 exam: understand the Microsoft Authenticator app, FIDO2 security keys, Windows Hello for Business, SMS/phone verification, and the authentication methods policy that governs which methods are available to your users.
Authentication Methods Policy
The authentication methods policy in Entra ID controls which methods are available for MFA and self-service password reset (SSPR). This is the centralized location where you enable or disable methods and target them to specific user groups.
Navigate to: Entra admin center > Protection > Authentication methods > Policies
Available Authentication Methods
| Method | Passwordless | Phishing-Resistant | MFA-Capable |
|---|---|---|---|
| Microsoft Authenticator (push) | Yes | No | Yes |
| Microsoft Authenticator (passkey) | Yes | Yes | Yes |
| FIDO2 Security Key | Yes | Yes | Yes |
| Windows Hello for Business | Yes | Yes | Yes |
| SMS | No | No | Yes (second factor) |
| Voice call | No | No | Yes (second factor) |
| Email OTP | No | No | Yes (second factor) |
| OATH hardware/software tokens | No | No | Yes (second factor) |
FIDO2 Security Keys
FIDO2 keys are external hardware devices (USB, NFC, or Bluetooth) that provide phishing-resistant, passwordless authentication. Configuration steps:
- Enable FIDO2 in the authentication methods policy
- Optionally restrict to specific key AAGUIDs (manufacturer allowlist)
- Users register their keys at https://mysignins.microsoft.com
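The three FIDO2 configuration steps above map onto a single Microsoft Graph PATCH of the Fido2 method configuration. The block below is an added example, not code from the lesson or from Microsoft: it builds that request body with a manufacturer allowlist and implements the allow/block AAGUID check so you can see which keys a given policy would accept before rolling it out. The group id and AAGUIDs are constructed placeholders.

```python
"""Build the Graph payload for the FIDO2 method and evaluate its AAGUID restrictions.
Added example (not from the lesson); the GUIDs used below are constructed placeholders."""
import json

# Per-method configuration lives under the tenant's authentication methods policy
GRAPH_FIDO2_URL = ("https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
                   "/authenticationMethodConfigurations/Fido2")


def build_fido2_config(group_id, allowed_aaguids, enforce_attestation=True):
    """Return the PATCH body that enables FIDO2 for one group with an AAGUID allowlist."""
    return {
        "@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration",
        "state": "enabled",
        "isSelfServiceRegistrationEnabled": True,      # users register at mysignins
        "isAttestationEnforced": enforce_attestation,  # require verified key attestation
        "keyRestrictions": {
            "isEnforced": bool(allowed_aaguids),       # no list means no restriction
            "enforcementType": "allow",                # allowlist; "block" is a denylist
            "aaGuids": list(allowed_aaguids),
        },
        "includeTargets": [
            {"targetType": "group", "id": group_id, "isRegistrationRequired": False}
        ],
    }


def key_permitted(config, aaguid):
    """Would a key with this AAGUID pass the policy's key restrictions?
    Mirrors the allow/block semantics of the keyRestrictions object."""
    restrictions = config.get("keyRestrictions") or {}
    if not restrictions.get("isEnforced"):
        return True                                    # restrictions switched off
    listed = aaguid.lower() in {g.lower() for g in restrictions.get("aaGuids", [])}
    if restrictions.get("enforcementType") == "allow":
        return listed                                  # only listed models may register
    return not listed                                  # "block": listed models are rejected


if __name__ == "__main__":
    # Constructed placeholders; substitute a real group id and your vendor's AAGUIDs
    body = build_fido2_config("00000000-0000-4000-8000-000000000001",
                              ["11111111-2222-4333-8444-555555555555"])
    print("PATCH", GRAPH_FIDO2_URL)
    print(json.dumps(body, indent=2))
    print(key_permitted(body, "11111111-2222-4333-8444-555555555555"))  # True
    print(key_permitted(body, "99999999-9999-4999-8999-999999999999"))  # False
```

Send the printed body with a bearer token holding Policy.ReadWrite.AuthenticationMethod; the check function lets you test a candidate allowlist against the AAGUIDs your purchased keys report before users hit a registration failure.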
Windows Hello for Business
Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices. It uses biometrics (face, fingerprint) or a PIN bound to the device. The credential never leaves the device: Entra ID validates a signed assertion, not the biometric data.
Deployment models:
- Cloud-only: No on-premises infrastructure needed
- Hybrid key trust: Uses keys synced via Entra Connect
- Hybrid certificate trust: Uses PKI certificates from on-prem CA
Microsoft Authenticator
The Authenticator app supports multiple modes:
- Push notification: User taps Approve/Deny (not phishing-resistant)
- Number matching: Required by default since May 2023; the sign-in screen shows a number that the user must type into the app before the approval is accepted
- Passkey: Device-bound credential (phishing-resistant, passwordless)
Registration Campaigns
You can configure registration campaigns to prompt users to set up specific authentication methods. This is useful when migrating users from SMS-based MFA to the Authenticator app. Registration campaigns are configured in the authentication methods policy and can target specific groups.
Combined Registration
Entra ID uses a combined registration experience where users register for both MFA and SSPR in a single flow at https://aka.ms/setupsecurityinfo. This must be enabled for modern authentication method management to work properly.
- ✓ Only three methods are phishing-resistant: FIDO2 keys, Windows Hello for Business, and Authenticator passkeys
- ✓ Number matching is mandatory for Authenticator push notifications to prevent MFA fatigue attacks
- ✓ FIDO2 security keys work for both cloud and on-premises sign-in (with hybrid and Server 2019+ DCs)
- ✓ Authentication methods policy is the centralized location to enable/disable methods and target them to user groups
- ✓ Combined registration lets users register for MFA and SSPR in a single flow at aka.ms/setupsecurityinfo
1. Which authentication methods are considered phishing-resistant in Microsoft Entra ID?
2. What is the purpose of number matching in Microsoft Authenticator?
3. Where do users register their security information for both MFA and SSPR in a combined experience?