
Microsoft Entra ID MFA & Passwordless — FIDO2, Authenticator & Phishing-Resistant Auth

Passwords alone are dead. Microsoft Entra ID gives you a layered stack — from classic SMS OTP all the way to device-bound FIDO2 passkeys and certificate-based authentication — and every layer maps to a different threat level. This lesson shows you which methods exist, how number matching kills MFA fatigue attacks, and exactly how phishing-resistant methods (FIDO2, Windows Hello for Business, CBA) work end to end.

📅 2026-06-20 · ⏱ 18 min · 4 infographics · live auth demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master Microsoft Entra ID MFA and passwordless authentication (2026): MFA methods, number matching, Microsoft Authenticator, FIDO2 passkeys, Windows Hello for Business, and phishing-resistant CBA.

Pick where you want to start

1. MFA methods: SMS to Authenticator, what each one is.
2. Number matching: how Authenticator stops MFA fatigue.
3. FIDO2 & WHfB: device-bound phishing-resistant auth.
4. CBA & choosing: certificates, strengths, picking a method.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Is SMS OTP considered phishing-resistant in Microsoft Entra ID?

Answered in MFA methods.

2. What does number matching prevent?

Answered in Number matching.

3. Which credential type is device-bound and phishing-resistant by design?

Answered in FIDO2 & WHfB.

Most engineers think…

Most people assume 'we have MFA turned on, so we are safe'. That mental model fails badly when the MFA method can be bypassed.

Microsoft Entra ID offers a spectrum of authentication methods, and each sits at a different threat level. SMS OTP is MFA but can be intercepted or SIM-swapped. Push notifications without number matching are vulnerable to MFA fatigue (attacker hammers push until the user taps Approve). Only device-bound methods — FIDO2 passkeys, Windows Hello for Business, and certificate-based authentication — are truly phishing-resistant, because the private key never leaves the device and there is no shared secret to steal. Understanding that spectrum is what separates a junior admin's answer from a security architect's.

① MFA methods in Microsoft Entra ID — from SMS to passkeys

Microsoft Entra ID supports a wide range of MFA methods, configured through the Authentication Methods policy. At the lower end sit SMS OTP and voice call — better than nothing, but vulnerable to SIM-swapping and SS7 interception. The Microsoft Authenticator app supports time-based OTP (TOTP), push approval, and (most securely) passwordless phone sign-in. Hardware TOTP tokens (like OATH tokens) fill gaps for users who cannot use a smartphone.

Moving up the security ladder: FIDO2 security keys (hardware passkeys from Yubico, Feitian and others), Windows Hello for Business (WHfB) (biometric or PIN bound to the device TPM), and certificate-based authentication (CBA) using X.509 certificates on a smart card or device. These three are the only methods Microsoft classes as phishing-resistant. Each method is toggled per-tenant in the Authentication Methods policy or the legacy MFA per-user settings — Microsoft recommends the unified policy.

Figure 1 — Entra ID authentication strength ladder
[Figure: four tiers ranked by phishing resistance. Phishing-resistant: FIDO2, WHfB, CBA (private key stays on device). Strong MFA: Authenticator push + number matching. Standard MFA: TOTP / OATH tokens / email OTP. Legacy MFA: SMS OTP / voice call (SIM-swap risk).]
Methods are ranked by phishing resistance — only device-bound credentials sit at the top.
Quick check · Q1 of 10 · Remember

Which of the following Microsoft Entra ID authentication methods is classified as phishing-resistant?

Correct: c. FIDO2 security keys (and passkeys) are phishing-resistant because the private key never leaves the device and the signed challenge is bound to the relying party origin. SMS, voice, and OATH tokens can all be intercepted or relayed by an attacker.
👉 So far: Entra ID authentication methods rank from legacy (SMS/voice) through strong MFA (Authenticator push + number matching) to phishing-resistant (FIDO2, WHfB, CBA). Only the top tier stops AiTM attacks.

② Number matching — stopping MFA fatigue cold

MFA fatigue (also called push bombing) is simple: an attacker with stolen credentials sends repeated Authenticator push notifications at 2 am until the drowsy user taps Approve. The fix Microsoft shipped is number matching: the sign-in screen shows a 2-digit number, and the Authenticator notification asks the user to type that same number before Approve is tappable. An attacker pushing blind cannot know the number — the approval is blocked.

Number matching is now enforced by default across Microsoft Entra tenants — administrators cannot turn it off. Alongside number matching, additional context shows the app name and approximate sign-in location inside the notification, giving users a second signal that something is wrong if they did not initiate the sign-in. The combination makes Authenticator push significantly harder to abuse without moving all the way to a device-bound passkey.

Interview point: number matching stops MFA fatigue but does not stop phishing — an adversary-in-the-middle (AiTM) proxy can relay both the number and the token in real time. That is why phishing-resistant methods are the next step for high-privilege accounts.

Figure 2 — Number matching blocks MFA fatigue
[Figure: five-step flow. Attacker logs in with stolen password; push sent to victim phone; number shown on sign-in screen; user must type the number in the app; blind push fails and the attacker is blocked.]
The 2-digit number on the sign-in screen must be typed in Authenticator — a blind push cannot succeed.
Number matching
Displays a 2-digit number on the sign-in screen that the user must type in the Authenticator app. An attacker pushing blind cannot pass — stops MFA fatigue attacks.

FIDO2 passkey
A public-key credential where the private key is stored on the device (hardware key or TPM). Signs a challenge bound to the site origin — a fake site gets a useless signature.

Windows Hello for Business
Biometric or PIN unlocks a TPM-protected private key. Device must be Entra joined; Cloud Kerberos Trust is the recommended trust model — no on-prem PKI needed.

Certificate-based auth (CBA)
X.509 certificate on a smart card or device, validated against a trusted CA configured in the Entra tenant. The go-to for PIV/CAC regulated environments.

Number matching is now always on

Microsoft enforced number matching for all Authenticator push notifications and it cannot be disabled from the modern policy. If a tenant still shows push without number matching, a legacy per-user MFA setting is overriding the modern Authentication Methods policy — consolidate to the unified policy in Entra ID to restore default enforcement.

Quick check · Q2 of 10 · Understand

Why does number matching stop MFA fatigue (push bombing) attacks?

Correct: b. Number matching requires the user to type the number displayed on the real sign-in screen into the Authenticator app. An attacker sending push notifications blindly has no way to know that number, so approval is impossible without the victim's direct involvement.
👉 So far: Number matching requires the user to type the 2-digit code from the real sign-in screen into Authenticator — a blind push attack cannot supply the number and is blocked. Enforced by default in all Entra tenants.

③ FIDO2 passkeys & Windows Hello for Business — device-bound authentication

FIDO2 passkeys (either roaming hardware keys or device-bound passkeys stored in the Windows Hello container or a platform authenticator) work on a public-key cryptography model: at registration, the device generates a key pair and stores the private key locally. At sign-in, the device signs a challenge from Entra ID with the private key — the secret never travels over the network. An AiTM proxy that intercepts the challenge cannot replay it elsewhere because the signature is bound to the relying party origin. This is what makes it phishing-resistant.

Windows Hello for Business (WHfB) follows the same model but stores the private key in the device TPM. Sign-in uses biometrics (face or fingerprint) or a local PIN to unlock the TPM-protected key. WHfB requires devices to be Entra joined (or hybrid joined) and a trust model configured — Cloud Kerberos Trust is the recommended modern option, removing the need for on-premises PKI for most deployments. As of 2026, passkeys stored in the Windows Hello container can be used on Entra-joined devices even without full WHfB provisioning.

Figure 3 — FIDO2 / passkey sign-in flow
[Figure: five-step flow. User initiates sign-in to Entra ID; challenge sent, bound to the RP origin; TPM signs after the biometric unlocks the key; only the signed challenge is sent back; Entra verifies it and issues a token.]
The challenge is signed locally — the private key never leaves the device and cannot be replayed on a fake site.
'We have MFA so we are phishing-proof' is wrong

Number matching stops MFA fatigue but AiTM proxies can still relay the session token in real time after the user approves the (correct) number. Only FIDO2 passkeys, Windows Hello for Business, and CBA are resistant to AiTM phishing because the signed challenge is bound to the legitimate origin domain — a fake site cannot reuse it.

▶ Watch a FIDO2 sign-in — and watch an AiTM attack fail

How a hardware passkey authenticates end-to-end. The interactive version steps through the healthy path first, then shows an AiTM relay attempt being blocked.

1. User visits login. Priya navigates to login.microsoft.com and enters her username. Entra ID sends a FIDO2 challenge bound to the login.microsoft.com origin.
2. Key touched. Priya taps her FIDO2 hardware key. The device TPM signs the challenge with her private key — the key never leaves the hardware.
3. Signed response. Only the signed challenge travels to Entra ID. No password, no shared secret, no OTP code on the wire.
4. Token issued. Entra ID verifies the signature against Priya's registered public key and issues an access token. Sign-in complete.
Quick check · Q3 of 10 · Apply

A high-privilege admin account must be protected against adversary-in-the-middle (AiTM) phishing. Which method achieves this?

Correct: d. A FIDO2 security key is phishing-resistant because its signed challenge is bound to the legitimate relying party origin. An AiTM proxy that intercepts and relays the authentication gets a signature bound to the wrong origin, which Entra ID rejects.
👉 So far: FIDO2 passkeys and WHfB are device-bound: the private key never leaves the TPM, and the signed challenge is bound to the relying party origin — a fake phishing site cannot reuse the signature.

④ Certificate-based auth & choosing the right method

Certificate-based authentication (CBA) lets users authenticate with an X.509 certificate on a smart card or device, without a password. Entra ID validates the certificate against a trusted Certificate Authority (CA) configured in the tenant. CBA satisfies phishing-resistant MFA requirements and is the go-to for regulated environments (government, defence, healthcare) that already operate a PKI or require PIV/CAC smart cards. The main cost is certificate lifecycle management — issuance, renewal, and revocation add operational overhead.

Authentication strengths — the Conditional Access enforcement layer

Microsoft surfaces method selection through Authentication Strengths, a Conditional Access grant control that lets you require a specific tier (e.g. Phishing-resistant MFA) for a given app or role. The built-in strengths are: Multi-factor authentication (any second factor), Passwordless MFA (Authenticator passwordless, WHfB, FIDO2), and Phishing-resistant MFA (WHfB, FIDO2, CBA only). For most tenants, the recommended path is: roll out Authenticator with number matching for all users, then layer phishing-resistant methods for admins and sensitive apps first.
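The paragraph above names the built-in strengths; what a practitioner usually has to check is whether an existing Conditional Access policy actually requires the right one for admin roles. The following is an added example, not code from the lesson or from Microsoft: a small Node.js check over a policy object in the Microsoft Graph conditionalAccessPolicy shape. The two GUIDs are the built-in Phishing-resistant MFA strength ID and the Global Administrator role template ID as published in Microsoft's documentation; confirm them in your tenant (GET /v1.0/policies/authenticationStrengthPolicies and GET /v1.0/directoryRoleTemplates) before relying on them. The two policy objects are constructed.

```javascript
// Added example, not code from the lesson or from Microsoft: checks a Conditional Access
// policy object (Microsoft Graph conditionalAccessPolicy shape) for an enabled policy that
// targets the admin role and grants only the Phishing-resistant MFA authentication strength.
// GUIDs are the built-in IDs as published by Microsoft; confirm them in your own tenant.
const PHISHING_RESISTANT_STRENGTH_ID = '00000000-0000-0000-0000-000000000004';
const GLOBAL_ADMIN_ROLE_TEMPLATE_ID = '62e90394-69f5-4237-9190-012177145e10';

// Returns an empty array when the policy meets the requirement, otherwise the list of gaps.
function checkPhishingResistantAdminPolicy(policy, roleId = GLOBAL_ADMIN_ROLE_TEMPLATE_ID) {
  const gaps = [];
  if (policy.state !== 'enabled') gaps.push(`state is '${policy.state}', not 'enabled'`);
  const roles = policy.conditions?.users?.includeRoles ?? [];
  if (!roles.includes(roleId)) gaps.push('admin role is not in conditions.users.includeRoles');
  const apps = policy.conditions?.applications?.includeApplications ?? [];
  if (!apps.includes('All')) gaps.push('conditions.applications.includeApplications does not cover All');
  const grant = policy.grantControls ?? {};
  if (grant.authenticationStrength?.id !== PHISHING_RESISTANT_STRENGTH_ID) {
    const builtIn = grant.builtInControls ?? [];
    gaps.push(builtIn.includes('mfa')
      ? "grant requires generic 'mfa' only, so SMS or voice would satisfy it"
      : 'grant does not require the Phishing-resistant MFA authentication strength');
  }
  return gaps;
}

// Constructed: the kind of policy that leaves admins exposed to AiTM relay.
const WEAK_POLICY = {
  displayName: 'Admins - require MFA',
  state: 'enabled',
  conditions: { users: { includeRoles: [GLOBAL_ADMIN_ROLE_TEMPLATE_ID] },
                applications: { includeApplications: ['All'] } },
  grantControls: { operator: 'OR', builtInControls: ['mfa'] },
};

// Constructed: the policy the lesson recommends for admin roles.
const STRONG_POLICY = {
  displayName: 'Admins - require phishing-resistant MFA',
  state: 'enabled',
  conditions: { users: { includeRoles: [GLOBAL_ADMIN_ROLE_TEMPLATE_ID] },
                applications: { includeApplications: ['All'] } },
  grantControls: { operator: 'OR', builtInControls: [], authenticationStrength: { id: PHISHING_RESISTANT_STRENGTH_ID } },
};

console.log(checkPhishingResistantAdminPolicy(WEAK_POLICY));   // one gap: generic 'mfa' only
console.log(checkPhishingResistantAdminPolicy(STRONG_POLICY)); // []
```

Feed it the JSON you get back from GET /v1.0/identity/conditionalAccess/policies and run it over every policy that includes the role; a policy that passes only in report-only mode (state enabledForReportingButNotEnforced) is correctly reported as a gap.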

Figure 4 — Phishing-resistant method comparison
[Figure: two columns. FIDO2 / Passkey: hardware key or platform key; no PKI required; works on any browser; roaming or device-bound. WHfB / CBA: TPM-backed or smart card; WHfB needs Cloud Kerberos Trust; CBA needs an enterprise CA; best for managed fleets.]
FIDO2, WHfB, and CBA all achieve phishing-resistant MFA but differ in device needs and PKI requirements.

Priya, IAM lead at a Pune-based fintech, faces this

Three finance-team accounts are compromised despite MFA being enabled. The attacker used an AiTM phishing kit to relay push approvals in real time.

Likely cause

The tenant used Authenticator push without enforced number matching (a legacy per-user MFA override had blocked the modern policy), leaving the push vulnerable to relay.

Diagnosis

Check the sign-in logs in Entra ID — the approvals show the IP of the AiTM proxy, not the user's usual location. The Authentication Method column shows 'Mobile App Notification' without number matching.

Entra ID ▸ Security ▸ Authentication Methods ▸ Microsoft Authenticator ▸ Number matching
Fix

Remove the legacy per-user MFA override so the modern Authentication Methods policy takes effect (number matching now enforced). For finance roles, create a Conditional Access policy requiring the Phishing-resistant MFA Authentication Strength (FIDO2 or WHfB). Distribute FIDO2 security keys to the finance team.

Verify

Re-test: a push-bombing attacker cannot obtain the 2-digit number from the sign-in screen, so blind approvals fail, and finance logins now require a hardware key or WHfB gesture, so an AiTM relay is rejected as well. Sign-in logs confirm a phishing-resistant method was used for all finance role accounts.

Check Authentication Strengths, not just MFA state

Never close an access review just because MFA is 'enabled'. In the Entra sign-in logs, check the Authentication Method column to confirm which method was actually used. A Conditional Access policy requiring 'Phishing-resistant MFA' will surface in the Authentication Details — confirm the grant control is active and the right strength is being enforced for admin roles.
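The Diagnosis step and the review note above both come down to reading the Authentication Method column and the source IP for each sign-in. The following is an added example, not code from the lesson or from Microsoft: a Node.js triage pass over sign-in records that flags push approvals from an unfamiliar IP and privileged (finance-role) sign-ins that completed without a phishing-resistant method. The records are constructed; the field names follow the Microsoft Graph signIn resource (userPrincipalName, ipAddress, status.errorCode, authenticationDetails[].authenticationMethod / succeeded), and the exact method strings are assumptions you should check against your own export. 198.51.100.0/24 stands in for the office egress range and 203.0.113.0/24 for the proxy; both are documentation ranges.

```javascript
// Added example, not code from the lesson or from Microsoft: triage of constructed Entra ID
// sign-in records for (a) push approvals from an unfamiliar IP and (b) privileged accounts
// signing in without a phishing-resistant method. Field names follow the Graph signIn
// resource; method strings are assumptions to verify against a real export.
const PHISHING_RESISTANT_METHODS = new Set(['FIDO2 security key', 'Windows Hello for Business', 'X.509 Certificate']);
const PUSH_METHOD = 'Mobile app notification';
const PRIVILEGED_USERS = new Set(['priya@contoso.example', 'ravi@contoso.example']); // finance role (constructed)
const KNOWN_EGRESS_PREFIXES = ['198.51.100.']; // simplified: prefix match instead of CIDR math

// Constructed records. Any non-zero status.errorCode is a failed sign-in.
const SAMPLE_SIGNINS = [
  { id: 's1', userPrincipalName: 'priya@contoso.example', ipAddress: '203.0.113.7', status: { errorCode: 0 },
    authenticationDetails: [
      { authenticationMethod: 'Password', succeeded: true },
      { authenticationMethod: PUSH_METHOD, succeeded: true } ] },
  { id: 's2', userPrincipalName: 'ravi@contoso.example', ipAddress: '198.51.100.21', status: { errorCode: 0 },
    authenticationDetails: [ { authenticationMethod: 'FIDO2 security key', succeeded: true } ] },
  { id: 's3', userPrincipalName: 'sam@contoso.example', ipAddress: '198.51.100.40', status: { errorCode: 0 },
    authenticationDetails: [
      { authenticationMethod: 'Password', succeeded: true },
      { authenticationMethod: 'Text message', succeeded: true } ] },
  { id: 's4', userPrincipalName: 'priya@contoso.example', ipAddress: '203.0.113.9', status: { errorCode: 50074 },
    authenticationDetails: [
      { authenticationMethod: 'Password', succeeded: true },
      { authenticationMethod: PUSH_METHOD, succeeded: false } ] },
];

function succeededMethods(signIn) {
  return signIn.authenticationDetails.filter(d => d.succeeded).map(d => d.authenticationMethod);
}

function usedPhishingResistant(signIn) {
  return succeededMethods(signIn).some(m => PHISHING_RESISTANT_METHODS.has(m));
}

function fromKnownEgress(ip) {
  return KNOWN_EGRESS_PREFIXES.some(p => ip.startsWith(p));
}

// Returns one finding per rule hit, considering successful sign-ins only.
function triage(signIns) {
  const findings = [];
  for (const s of signIns) {
    if (s.status.errorCode !== 0) continue;
    const methods = succeededMethods(s);
    if (methods.includes(PUSH_METHOD) && !fromKnownEgress(s.ipAddress)) {
      findings.push({ id: s.id, user: s.userPrincipalName, rule: 'push-approval-from-unfamiliar-ip' });
    }
    if (PRIVILEGED_USERS.has(s.userPrincipalName) && !usedPhishingResistant(s)) {
      findings.push({ id: s.id, user: s.userPrincipalName, rule: 'privileged-signin-without-phishing-resistant-method' });
    }
  }
  return findings;
}

console.log(triage(SAMPLE_SIGNINS)); // two findings, both for s1
```

Only s1 is flagged: the push approval came from the proxy range and the account is in the finance role but completed without a hardware key. The FIDO2 sign-in (s2) and the non-privileged SMS sign-in (s3) pass, and the failed attempt (s4) is skipped. After the Fix step, the second rule is the one to keep running: it turns "MFA is enabled" into "the required method was actually used".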

Quick check · Q4 of 10 · Analyze

A Conditional Access policy must enforce phishing-resistant MFA for admin roles. Which Authentication Strength should be selected?

Correct: a. The built-in 'Phishing-resistant MFA' Authentication Strength restricts sign-in to FIDO2, WHfB, and CBA only — the methods that block AiTM attacks. 'Multi-factor authentication' allows SMS which is not phishing-resistant. 'Passwordless MFA' includes Authenticator passwordless which is still not AiTM-proof.
👉 So far: CBA uses X.509 certificates validated against a tenant-configured CA — best for regulated environments with existing PKI. Enforce method tiers via Conditional Access Authentication Strengths.


📝 Wrap-up assessment — six more


Q5 · Remember

Which authentication method in Microsoft Entra ID is vulnerable to SIM-swapping?

Correct: c. SMS OTP is delivered to a phone number that can be hijacked via SIM-swapping. FIDO2, WHfB, and CBA are device-bound and cryptographic — no phone number or shared secret is involved.
Q6 · Understand

Number matching in Microsoft Authenticator makes which attack significantly harder?

Correct: a. MFA fatigue (push bombing) sends repeated approval requests hoping the user taps Approve. Number matching requires typing the code shown on the real sign-in screen — an attacker pushing blindly cannot know the number, so the approval is blocked.
Q7 · Apply

You must protect Global Administrator accounts against AiTM phishing. Which Conditional Access grant control should you apply?

Correct: a. The Phishing-resistant MFA Authentication Strength restricts sign-in to FIDO2, WHfB, and CBA — the only methods that block AiTM attacks by binding the signed challenge to the legitimate origin. 'Require MFA (any method)' allows SMS which is not phishing-resistant.
Q8 · Analyze

What property of FIDO2 makes an adversary-in-the-middle attack fail even if the attacker relays the entire authentication exchange?

Correct: d. The FIDO2 challenge includes the relying party ID (origin). The device signs a response for the fake site's origin. Entra ID expects a signature for login.microsoft.com and rejects the mismatched response — the attacker cannot reuse or forward the valid signature.
Q9 · Evaluate

A government department uses PIV smart cards for physical access. Which Entra ID method best reuses that existing infrastructure?

Correct: d. CBA in Entra ID supports X.509 certificates on smart cards including PIV/CAC cards already issued by the government PKI. The department reuses the existing certificates and card readers without distributing new hardware, satisfying phishing-resistant MFA at the same time.
Q10 · Evaluate

What is the recommended deployment path for an organisation moving from SMS MFA to phishing-resistant auth?

Correct: c. The pragmatic path is: Authenticator + number matching for broad coverage (stopping MFA fatigue), then FIDO2 or WHfB for admins and sensitive apps where AiTM resistance is critical. Forcing full phishing-resistant rollout on all users simultaneously without device readiness causes friction and lockouts.

🧠 In your own words

Type one line: why is SMS OTP considered weak MFA compared to a FIDO2 key? Then compare with the expert version.

Expert version: SMS OTP is a shared secret delivered over a channel (the phone number) that can be hijacked via SIM-swap or intercepted at the SS7 protocol level. It can also be relayed in real time by an AiTM phishing proxy — the proxy reads the SMS code and types it into the real site before it expires. A FIDO2 key generates a cryptographic signature using a private key that never leaves the device, and that signature is bound to the exact domain origin — a phishing proxy gets a signature for the wrong origin, which Entra ID will reject. The FIDO2 key has no secret to steal and no code to relay.


📖 Glossary

MFA (Multi-Factor Authentication)
Requiring two or more distinct verification factors: something you know, something you have, or something you are.
Passwordless authentication
Sign-in without a password using a stronger factor such as FIDO2, Windows Hello biometric, or Authenticator phone sign-in.
FIDO2 / passkey
A public-key credential where the private key never leaves the device; the signed challenge is bound to the relying party origin, making it phishing-resistant.
Windows Hello for Business (WHfB)
TPM-backed biometric or PIN authentication on Entra-joined Windows devices, following the same public-key model as FIDO2.
Certificate-based authentication (CBA)
Sign-in with an X.509 certificate on a smart card or device, validated against a CA configured in the Entra tenant — phishing-resistant and PIV/CAC-compatible.
Number matching
An Authenticator feature that requires the user to type a 2-digit code shown on the real sign-in screen, blocking MFA fatigue (push bombing) attacks.
MFA fatigue / push bombing
An attack where the adversary sends repeated push approval requests hoping the user taps Approve by mistake or exhaustion.
Authentication Strength
A Conditional Access grant control in Entra ID that requires a minimum authentication method tier — e.g. Phishing-resistant MFA for admin roles.
AiTM (Adversary-in-the-Middle)
A phishing technique that proxies authentication in real time, relaying credentials and session tokens — stopped only by origin-bound methods like FIDO2.
Cloud Kerberos Trust
The recommended WHfB trust model that removes the need for on-premises PKI by using Entra ID Kerberos to issue ticket-granting tickets.

📚 Sources

  1. Microsoft Learn — Authentication methods overview in Microsoft Entra ID. learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  2. Microsoft Learn — Passkeys (FIDO2) authentication method in Microsoft Entra ID. learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passkeys-fido2
  3. Microsoft Learn — Plan a phishing-resistant passwordless authentication deployment in Microsoft Entra ID. learn.microsoft.com/en-us/entra/identity/authentication/how-to-deploy-phishing-resistant-passwordless-authentication
  4. Microsoft Learn — Overview of Conditional Access Authentication Strengths. learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-strengths
  5. Microsoft Learn — Plan for mandatory Microsoft Entra multifactor authentication (MFA). learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication
  6. Microsoft Tech Community — What's New in Microsoft Entra: June 2026. techcommunity.microsoft.com/blog/microsoft-entra-blog/whats-new-in-microsoft-entra-june-2026/4517885

What's next?

Got MFA and passwordless sorted? Next, go deep on Conditional Access — how to write policies that enforce the right authentication strength for the right app and risk level, and how authentication strengths tie to Conditional Access grant controls.