Unit 5: Configure Multifactor Authentication Methods
Registration Process
When users sign into an application that requires MFA for the first time, they must register a verification method. This registration flow ensures the user selects a method they can access consistently. For every sign-in that requires MFA, users must complete verification using their registered method.
Authentication Methods and Service Support
Why Some Methods Are SSPR‑Only: These methods are not considered strong enough to serve as a factor during MFA sign-in. They are only meant to help a user recover their password, not to secure access to resources.
| Authentication Method | MFA | SSPR | Reason |
| --- | --- | --- | --- |
| Password | ✔️ | ✔️ | Primary credential used in both flows. |
| Security Questions | ❌ | ✔️ | Weak, knowledge‑based; not secure enough for MFA. |
| Email Address | ❌ | ✔️ | Email can be compromised; not a strong second factor. |
| Windows Hello for Business | ✔️ | ✔️ | TPM‑backed keys and biometrics; strong authentication. |
| FIDO2 Security Key | ✔️ | ✔️ | Phishing‑resistant hardware key. |
| Microsoft Authenticator App | ✔️ | ✔️ | Strong possession factor; supports push and OTP. |
| OATH Hardware Token | ✔️ | ✔️ | TOTP codes; secure one‑time passwords. |
| OATH Software Token | ✔️ | ✔️ | App‑based TOTP; strong enough for MFA. |
| Text Message (SMS) | ✔️ | ✔️ | Accepted possession factor; widely supported. |
| Voice Call | ✔️ | ✔️ | Phone‑based verification; similar to SMS. |
| App Passwords | ✔️ (limited) | ❌ | Legacy workaround for non‑modern auth apps. |
Method Details
Security Questions
- Available only for non-admin accounts using SSPR.
- Stored securely in Microsoft Entra ID.
- Administrators cannot view or change answers.
- Up to 35 predefined questions, or custom questions up to 200 characters.
Windows Hello for Business
- Uses biometrics or a PIN tied to a specific device.
- Provides a passwordless sign-in experience.
FIDO2 Security Keys
- Hardware devices that use open standards for secure authentication.
- Support USB, NFC or Bluetooth.
- Provide single sign-on to supported Windows and cloud resources.
Microsoft Authenticator App
- Supports push notifications and OATH verification codes.
- Works on iOS and Android.
- Can block unauthorized sign-ins by requiring approval.
OATH Tokens
- Used to generate one-time passwords.
- Supported in both hardware and software form.
OATH Hardware Tokens
- Use OATH-TOTP (SHA-1).
- Support 30-second or 60-second one-time codes.
- Users can purchase tokens from any compatible vendor.
- Secret keys must be 128 characters or fewer.
- Some tokens may not be compatible if keys exceed this limit.
OATH Software Tokens
- Usually authenticator apps like Microsoft Authenticator or third-party OATH apps.
- Secret key (seed) is generated by Microsoft Entra ID.
- Seed is entered into the app to generate the OTP.
OATH Software and Hardware Tokens (Secret Key Explained)
- An OATH token (software or hardware) relies on a shared secret key, also called a seed.
- The secret key is a static Base32-encoded value (up to 128 characters) created during token provisioning.
- Microsoft Entra ID securely stores the secret key so it can validate OTPs for the user.
- The user normally never types or sees the secret key during everyday authentication.
How the Secret Key Gets Into the Token and Microsoft Entra ID
- Software tokens (authenticator apps): Microsoft Entra ID generates the secret key and transfers it to the app during setup, typically via a QR code.
- Hardware tokens: The token vendor pre-programs the secret key into each physical token.
- The vendor also provides the organization a list of token identifiers (serial numbers) and their matching secret keys, most commonly as a CSV file (sometimes a text file).
- An administrator uploads this CSV file to Microsoft Entra ID so Entra ID can store the same secret keys and later associate tokens to users.
Step-by-step (What Really Happens for OATH Hardware Tokens)
- Token vendor provides the secret keys.
  When an organization buys OATH hardware tokens, the vendor supplies:
  - Each token’s secret key (seed).
  - A serial number or token identifier.
  This information is usually delivered in a CSV file (most common) or a text file.
  Example (Conceptual Token Inventory)
  | Serial Number | Secret Key (Base32) |
  | --- | --- |
  | TCUBE001 | JBSWY3DPEHPK3PXP |
  | TCUBE002 | NB2W45DFOIZA==== |
- Admin uploads the file to Microsoft Entra ID.
  - An administrator uploads the vendor CSV/text file into Microsoft Entra ID.
  - Entra ID securely stores the secret keys and keeps them linked to the token identifiers.
- User is assigned a token.
  - After upload, an admin assigns a specific physical OATH hardware token (identified by its serial number) to a user account.
  - The user receives the physical device (a key-fob-style token with a screen that shows a 6-digit code changing every 30 or 60 seconds) and types the displayed code to sign in.
  - From this point onward:
    - The hardware token contains the secret key (from the vendor).
    - Microsoft Entra ID also has the same secret key (from the uploaded CSV).
- Authentication happens (no cloud lookup from the token).
  - The hardware token generates OTPs locally using its secret key and the current time.
  - Microsoft Entra ID generates the expected OTP using the stored secret key and the same time window, and validates the sign-in.
  - The secret key is never transmitted during sign-in.
Upload Location in Microsoft Entra ID (SC-300 Useful)
- Microsoft Entra admin center
- Protection → Authentication methods → OATH tokens → Upload
How the 6-digit One-Time Password (OTP) Is Generated
- The OTP is generated locally on the token using the OATH-TOTP standard.
- The calculation conceptually uses these inputs:
  6-digit OTP = Secret Key + Current Time + Algorithm (TOTP with SHA-1)
- The time component is a moving window, typically 30 seconds (or 60 seconds for some tokens).
- Microsoft Entra ID performs the same calculation using the stored secret key to validate the OTP.
Example Values (Conceptual)
- Secret key (Base32): JBSWY3DPEHPK3PXP
- Time window: 2025-12-25 10:30:00 – 10:30:30
- Algorithm: OATH-TOTP (SHA-1)
- Generated OTP (example): 482913
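As an added worked example (not from this page or from Microsoft), the two halves described above in Python: the vendor inventory upload (decoding each Base32 seed exactly as the admin upload would store it) and the RFC 6238 TOTP calculation that the fob and Entra ID each perform independently from the same seed. The CSV column names and inventory rows are constructed for the example, not Entra's upload template; the first seed is the page's sample key, the second is the RFC 6238 test secret so the codes can be checked against the published vectors.

```python
import base64, csv, io, struct, time
import hashlib, hmac

# Constructed vendor inventory (not a real export). TCUBE001 uses the page's sample
# seed; RFC6238 is the RFC 6238 test secret (ASCII "12345678901234567890").
VENDOR_CSV = """serial number,secret key,time interval
TCUBE001,JBSWY3DPEHPK3PXP,30
RFC6238,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,30
"""

def normalize_seed(seed: str) -> bytes:
    """Vendor files vary in case, spacing and '=' padding; Base32 decoding does not."""
    s = "".join(seed.split()).upper()
    if len(s) > 128:
        raise ValueError("Entra ID rejects secret keys longer than 128 characters")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def load_inventory(text: str) -> dict:
    """serial -> (seed bytes, step seconds): what the admin upload hands to Entra ID."""
    return {row["serial number"]: (normalize_seed(row["secret key"]),
                                   int(row["time interval"]))
            for row in csv.DictReader(io.StringIO(text))}

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238, the fob's side: counter = floor(time / step), so the code is
    constant inside one window and changes at the window boundary."""
    return hotp(key, unix_time // step, digits)

def verify(key: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Entra ID's side: recompute from the stored seed for the current window
    (+/- skew windows to tolerate clock drift) and compare in constant time.
    Only the digits cross the wire; the seed never does."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d, len(code)), code)
               for d in range(-skew, skew + 1))

if __name__ == "__main__":
    now = int(time.time())
    for serial, (key, step) in load_inventory(VENDOR_CSV).items():
        code = totp(key, now, step)
        print(serial, code, verify(key, code, now, step))
```

The assertion-worthy values come from the RFC 6238 Appendix B table (SHA-1 row), truncated to 6 digits where the table lists 8.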
Software vs Hardware Token Comparison (Avoid Confusion)
| Token type | How the secret key reaches Microsoft Entra ID |
| --- | --- |
| Software token | Entra ID generates the key and transfers it to the authenticator app (commonly via QR code). |
| Hardware token | Admin uploads vendor-provided keys (commonly via CSV) and then assigns a token to a user. |
Key difference: OATH hardware tokens generate OTP codes using shared secrets, while FIDO2 security keys use asymmetric cryptography and are phishing-resistant.
| Feature | OATH Hardware Token | FIDO2 Security Key |
| --- | --- | --- |
| Authentication standard | OATH-TOTP | FIDO2 / WebAuthn |
| Authentication method | Time-based one-time password (OTP) | Public-key cryptography (challenge-response) |
| Shared secret | Yes (same secret stored on token and Entra ID) | No (private key never leaves the device) |
| User interaction | User reads and types a 6-digit code | User touches the security key |
| OTP codes | Yes (6-digit, changes every 30/60 seconds) | No |
| Phishing resistance | No | Yes |
| Secret transmitted during sign-in | No | No |
| Works without network connectivity | Yes (token generates OTP offline) | No (requires supported browser/device) |
| Typical device | Key-fob or card with display | USB / NFC / Bluetooth security key |
| Microsoft recommendation | Supported for legacy and constrained scenarios | Recommended for passwordless and phishing-resistant sign-in |
OATH hardware token
Secret key + Time → 6-digit OTP
User types OTP → Microsoft Entra ID validates
FIDO2 security key
Service sends challenge → Key signs with private key
Public key verifies → User authenticated
Why Microsoft prefers FIDO2
- No shared secrets stored or transmitted.
- Authentication cannot be replayed.
- Phishing-resistant by design.
- Resistant to MFA fatigue attacks.
Why OATH tokens are still supported
- Required for legacy environments.
- Useful in air-gapped or offline scenarios.
- Suitable for users without modern devices.
Text Message and Voice Call
- Provide a temporary code or call for verification.
- Voice call is unavailable for free or trial tenants.
App Passwords
- Used only for apps that cannot perform modern authentication.
- Provide a workaround to allow MFA-enabled users to sign in.
Monitoring MFA and SSPR Adoption
Microsoft Entra ID provides monitoring through Usage and Insights. Administrators can track:
- MFA registration rates.
- Methods users select.
- Registration successes and failures.
- Adoption trends over the last 30 days.
This information helps identify training needs or problematic authentication methods.