NIST authenticator types and aligned Azure Active Directory methods

The authentication process begins when a claimant asserts control of one or more authenticators that are associated with a subscriber. The subscriber can be a person or another entity.

| National Institute of Standards and Technology (NIST) authenticator type | Azure Active Directory (Azure AD) authentication methods |
|---|---|
| Memorized secret (something you know) | Password (Cloud accounts)<br>Password (Federated)<br>Password (Password Hash Sync)<br>Password (Passthrough Authentication) |
| Lookup secret (something you have) | None. A lookup secret is by definition data not held in a system. |
| Out-of-band (something you have) | Phone (SMS) - not recommended |
| Single-factor one-time password (something you have) | Microsoft Authenticator App (One-time password)<br>Single-factor one-time password (through OTP manufacturers)¹ |
| Multifactor one-time password (something you have + something you know or something you are) | Multifactor one-time password (through OTP manufacturers)¹ |
| Single-factor crypto software (something you have) | Compliant mobile device<br>Microsoft Authenticator App (Notification)<br>Hybrid Azure AD joined² with software TPM<br>Azure AD joined² with software TPM |
| Single-factor crypto hardware (something you have) | Azure AD joined² with hardware TPM<br>Hybrid Azure AD joined² with hardware TPM |
| Multifactor crypto software (something you have + something you know or something you are) | Microsoft Authenticator app for iOS (Passwordless)<br>Windows Hello for Business with software TPM |
| Multifactor crypto hardware (something you have + something you know or something you are) | Microsoft Authenticator app for Android (Passwordless)<br>Windows Hello for Business with hardware TPM<br>Smartcard (Federated identity provider)<br>FIDO 2 security key |

¹ OATH-TOTP SHA-1 tokens of the 30-second or 60-second variety.

² For more information on device join states, see Azure AD device identity documentation.

SMS text messages meet the NIST standard, but NIST doesn't recommend them. Device swaps, SIM changes, number porting, and similar events can interfere with delivery, and when an attacker causes them deliberately they undermine the security of the factor. Although SMS text messages aren't recommended, they're still better than a password alone, because they raise the effort an attacker needs to expend.

Next steps

NIST overview

Learn about AALs

Authentication basics

NIST authenticator types

Achieve NIST AAL1 with Azure AD

Achieve NIST AAL2 with Azure AD

Achieve NIST AAL3 with Azure AD