articles/active-directory/authentication/concept-authentication-methods.md
5 additions & 2 deletions
@@ -21,7 +21,7 @@ ms.custom: contperf-fy20q4
21
21
22
22
Microsoft recommends passwordless authentication methods such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app because they provide the most secure sign-in experience. Although a user can sign-in using other common methods such as a username and password, passwords should be replaced with more secure authentication methods.
23
23
24
-

24
+
:::image type="content" border="true" source="media/concept-authentication-methods/authentication-methods.png" alt-text="Illustration of the strengths and preferred authentication methods in Azure AD." :::
25
25
26
26
Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.
27
27
@@ -40,6 +40,7 @@ The following table outlines the security considerations for the available authe
40
40
| Windows Hello for Business | High | High | High |
41
41
| Microsoft Authenticator app | High | High | High |
42
42
| FIDO2 security key | High | High | High |
43
+
| Certificate-based authentication (preview)| High | High | High |
43
44
| OATH hardware tokens (preview) | Medium | Medium | High |
44
45
| OATH software tokens | Medium | Medium | High |
45
46
| SMS | Medium | High | Medium |
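Review bot: The added "Certificate-based authentication (preview)| High | High | High |" row has no space before the first column separator, unlike the neighbouring rows such as "| OATH hardware tokens (preview) | Medium | Medium | High |". Suggest "| Certificate-based authentication (preview) | High | High | High |" so the table source stays consistent. Since the row rates a preview method High in all three columns, alongside Windows Hello for Business and FIDO2 security keys, it would also help to confirm that the rating is intended for the preview state and not only for general availability.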
@@ -65,13 +66,14 @@ The following table outlines when an authentication method can be used during a
65
66
| Windows Hello for Business | Yes | MFA\*|
66
67
| Microsoft Authenticator app | Yes | MFA and SSPR |
| OATH hardware tokens (preview) | No | MFA and SSPR |
69
71
| OATH software tokens | No | MFA and SSPR |
70
72
| SMS | Yes | MFA and SSPR |
71
73
| Voice call | No | MFA and SSPR |
72
74
| Password | Yes ||
73
75
74
-
> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work sucessfully.
76
+
> \* Windows Hello for Business, by itself, does not serve as a step-up MFA credential. For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true. Windows Hello for Business can serve as a step-up MFA credential by being used in FIDO2 authentication. This requires users to be enabled for FIDO2 authentication to work successfully.
75
77
76
78
All of these authentication methods can be configured in the Azure portal, and increasingly using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
77
79
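Review bot: In the footnote line this hunk rewrites, the second sentence ("For example, an MFA Challenge from Sign-in Frequency or SAML Request containing forceAuthn=true.") is still a fragment that never says what happens in those cases. Because the line is already being touched for the "successfully" spelling fix, consider folding it into the first sentence, for example "... does not serve as a step-up MFA credential, for example when an MFA challenge comes from Sign-in Frequency or from a SAML request containing forceAuthn=true." Formatting forceAuthn=true as inline code would also make the attribute easier to spot. Separately, the hunk header (-65,13 +66,14) implies one more added line than the spelling fix accounts for, and that line is not visible in this view, so it should be checked in the source diff.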
@@ -80,6 +82,7 @@ To learn more about how each authentication method works, see the following sepa
80
82
*[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-overview)