NIST authenticator types and aligned Microsoft Entra methods
The authentication process begins when a claimant asserts control of one or more authenticators associated with a subscriber. The subscriber is a person or another entity. Use the following table to learn about National Institute of Standards and Technology (NIST) authenticator types and the Microsoft Entra authentication methods that correspond to each.
| NIST authenticator type | Microsoft Entra authentication method |
|---|---|
| Memorized secret (something you know) | Password |
| Look-up secret (something you have) | None |
| Single-factor out-of-band (something you have) | Microsoft Authenticator app (push notification)<br>Microsoft Authenticator Lite (push notification)<br>Phone (SMS): not recommended |
| Multi-factor out-of-band (something you have + something you know/are) | Microsoft Authenticator app (phone sign-in) |
| Single-factor one-time password (OTP) (something you have) | Microsoft Authenticator app (OTP)<br>Microsoft Authenticator Lite (OTP)<br>Single-factor hardware/software OTP¹ |
| Multi-factor OTP (something you have + something you know/are) | Treated as single-factor OTP |
| Single-factor crypto software (something you have) | Single-factor software certificate<br>Microsoft Entra joined² with software TPM<br>Microsoft Entra hybrid joined² with software TPM<br>Compliant mobile device² |
| Single-factor crypto hardware (something you have) | Single-factor hardware-protected certificate<br>Microsoft Entra joined² with hardware TPM<br>Microsoft Entra hybrid joined² with hardware TPM |
| Multi-factor crypto software (something you have + something you know/are) | Multi-factor software certificate<br>Windows Hello for Business with software TPM |
| Multi-factor crypto hardware (something you have + something you know/are) | Multi-factor hardware-protected certificate<br>FIDO2 security key<br>Platform SSO for macOS (Secure Enclave)<br>Windows Hello for Business with hardware TPM<br>Passkey in Microsoft Authenticator |

¹ 30-second or 60-second OATH-TOTP SHA-1 token.

² For more information on device join states, see Microsoft Entra device identity.
Public Switched Telephone Network (PSTN) SMS/Voice are not recommended
NIST does not recommend SMS or voice. Device swaps, SIM changes, number porting, and similar events can disrupt or misdirect delivery of the code. When those actions are malicious, the code can reach someone other than the subscriber. Although SMS/Voice are not recommended, they are still better than a password alone, because an attacker needs more than a stolen password to defeat them.
Next steps
Achieve NIST AAL1 with Microsoft Entra ID