
February 19, 2025
MFA in Microsoft 365: Which Method Do You Choose?
Cybersecurity is more important today than ever. With the increase in cyber attacks and phishing attempts, it is crucial to ensure secure access to Microsoft 365. Multi-Factor Authentication (MFA) helps secure accounts by adding an extra layer of protection beyond the password.
But which authentication method is best for your organization? In this blog, we discuss the best MFA options in Microsoft Entra ID and how Conditional Access¹ makes your Microsoft 365 environment more secure.
✅ What Authentication Methods Are Available?
Microsoft offers several options for MFA. Not all methods are equally secure or equally convenient. Here is an overview:
1️⃣ Microsoft Authenticator App (Recommended) 📲
✔️ Security Level: High
✔️ Ease of use: Very simple
✔️ Support: iOS & Android
The Microsoft Authenticator app lets you sign in with a push notification, a one-time passcode (OTP) or biometric authentication (face or fingerprint). This is one of the most secure and user-friendly MFA options.
💡 Advice: Highly recommended for all users! Reduces the risk of phishing attacks.
2️⃣ Passkey (FIDO2) 🛡️
✔️ Security level: Very high
✔️ Ease of use: Easy once set up
✔️ Support: Hardware token or biometrics
FIDO2 Passkeys completely replace passwords and use hardware security keys or biometric authentication. This is an excellent choice for companies pursuing a passwordless future.
💡 Advice: Ideal for security-conscious organizations and users working with sensitive data.
3️⃣ Temporary Access Pass (TAP) 🕒
✔️ Security Level: High
✔️ Ease of use: Temporary, for specific situations
✔️ Support: For new or forgotten accounts
TAP is a time-limited passcode for users who have not yet registered an MFA method or who need to regain access to their account.
💡 Advice: Useful for IT help desks and new employees, but not a permanent solution.
4️⃣ Third-Party Software OATH Tokens 🏷️
✔️ Security Level: High
✔️ Ease of use: Good, but the code must be typed in manually
✔️ Support: Google Authenticator, Authy, etc.
Third-party apps generate time-based one-time passwords (TOTP) that are secure but do not support push notifications.
💡 Advice: A good alternative to Microsoft Authenticator, but less user-friendly.
5️⃣ Email OTP 📧
✔️ Security level: Medium
✔️ Ease of use: Good, but less secure
✔️ Support: All devices with email access
Email-based OTPs are convenient, but vulnerable to phishing and man-in-the-middle attacks.
💡 Advice: Only suitable as a last resort when other MFA methods are not possible.
❌ What Methods Are Not Recommended?
🔻 SMS OTP 🔢 – Vulnerable to SIM swapping and interception.
🔻 Voice Call 📞 – Vulnerable to social engineering attacks.
🔻 Certificate-based authentication 🏛️ – Complex to manage and less flexible.
🔻 QR Code (Preview) 📌 – Not yet widely supported.
💡 Advice: Avoid these methods as a primary MFA option. Use more secure alternatives such as Microsoft Authenticator or FIDO2 Passkeys.
🎯 Which Method Is Best?
🔹 For standard users: Microsoft Authenticator 📲
🔹 For maximum security: FIDO2 Passkeys 🛡️
🔹 For temporary access: Temporary Access Pass 🕒
🔹 As backup: Software OATH Tokens 🏷️
🔹 As a last resort: Email OTP 📧
Want to take your security to the next level? Disable weak MFA methods such as SMS and Voice Call and implement a Zero Trust strategy with passwordless authentication.
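To check whether a tenant still allows the methods this post advises against, here is an added Python example (not from the original post) that audits an authentication methods policy in the shape Microsoft Graph returns for `policies/authenticationMethodsPolicy` and builds the PATCH bodies that would disable SMS and Voice Call. The sample policy is constructed, and the method ids and `@odata.type` values are assumed from the Graph schema rather than taken from a real tenant.

```python
import json

# The post's recommendations mapped onto the method ids used by the Graph
# authenticationMethodsPolicy resource (ids assumed from the Graph schema).
WEAK_METHODS = {"Sms", "Voice"}                        # avoid as primary MFA
LAST_RESORT_METHODS = {"Email"}                        # fallback only
RECOMMENDED_METHODS = {"MicrosoftAuthenticator", "Fido2"}

# Constructed sample resembling GET /policies/authenticationMethodsPolicy.
SAMPLE_POLICY = json.loads("""
{
  "id": "authenticationMethodsPolicy",
  "authenticationMethodConfigurations": [
    {"@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration", "id": "MicrosoftAuthenticator", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.fido2AuthenticationMethodConfiguration", "id": "Fido2", "state": "disabled"},
    {"@odata.type": "#microsoft.graph.smsAuthenticationMethodConfiguration", "id": "Sms", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration", "id": "Voice", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.emailAuthenticationMethodConfiguration", "id": "Email", "state": "enabled"},
    {"@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration", "id": "SoftwareOath", "state": "enabled"}
  ]
}
""")

def audit_policy(policy):
    """Return {method_id: finding} for every method that deviates from the
    recommendations above; an empty dict means the policy is compliant."""
    findings = {}
    configs = {c["id"]: c for c in policy["authenticationMethodConfigurations"]}
    for method_id, cfg in configs.items():
        if method_id in WEAK_METHODS and cfg["state"] == "enabled":
            findings[method_id] = "weak method enabled: disable it"
        elif method_id in LAST_RESORT_METHODS and cfg["state"] == "enabled":
            findings[method_id] = "last-resort method enabled: review whether it is still needed"
    for method_id in RECOMMENDED_METHODS:
        if configs.get(method_id, {}).get("state") != "enabled":
            findings[method_id] = "recommended method not enabled: enable it"
    return findings

def build_patches(policy):
    """Body for each PATCH /policies/authenticationMethodsPolicy/
    authenticationMethodConfigurations/{id} that disables an enabled weak method."""
    patches = {}
    for cfg in policy["authenticationMethodConfigurations"]:
        if cfg["id"] in WEAK_METHODS and cfg["state"] == "enabled":
            patches[cfg["id"]] = {"@odata.type": cfg["@odata.type"], "state": "disabled"}
    return patches

if __name__ == "__main__":
    print(json.dumps({"findings": audit_policy(SAMPLE_POLICY), "patches": build_patches(SAMPLE_POLICY)}, indent=2))
```

Running it against the sample flags Sms, Voice, Email and the disabled Fido2 method, and emits disable patches for Sms and Voice only.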
🚀 Want to know more about optimizing MFA in Microsoft 365? Feel free to contact us.
References
¹https://learn.microsoft.com/entra/identity/conditional-access/overview
About the author
My name is Alta Martes, a specialist in Microsoft 365 and Google Workspace, with a focus on modern workplace management, cloud security and identity & access management. With years of experience, I help organizations optimize their IT infrastructure and create a secure, efficient digital workplace.
