2.2.2. Authentication Methods
💡 First Principle: Authentication is how Microsoft 365 confirms you are who you claim to be. Stronger authentication requires an attacker to compromise several independent factors (something you know, something you have, something you are), and the strongest methods also bind the proof to the genuine site, so a credential captured on a lookalike page is useless.
Traditional authentication uses only a password — one factor, one point of failure. Modern authentication in M365 supports multiple methods, and the exam expects you to know the tradeoffs:
| Method | Factors used | Phishing resistant | User experience |
|---|---|---|---|
| Password only | Something you know | ❌ No | Simple, but weakest |
| Password + SMS OTP | Know + Have | ❌ No (code can be relayed in real time; SS7 interception and SIM swapping) | Common, better than password alone |
| Password + Authenticator app (TOTP) | Know + Have | ❌ No (code can be relayed in real time) | Good, widely used |
| Authenticator app (push) | Have + approval | ❌ No (MFA fatigue; number matching limits fatigue, but a proxied session is still approved) | Convenient, but vulnerable to fatigue |
| FIDO2 security key | Have + PIN or biometric | ✅ Yes | Strongest; hardware required |
| Windows Hello for Business | Biometric or PIN + device | ✅ Yes | Seamless on Windows devices |
| Certificate-based authentication | Have (certificate, typically on a smart card) | ✅ Yes | Enterprise-grade; requires a PKI |
Passwordless authentication is the direction Microsoft pushes: remove the password entirely and sign in with a FIDO2 key or Windows Hello for Business. These methods are phishing-resistant because the credential is a private key that never leaves the device, and the data it signs includes the origin the browser actually connected to. A lookalike site therefore receives a signature bound to its own address, which the real service rejects, and there is no password or one-time code for the user to hand over.
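To make the "can be relayed in real time" versus "phishing resistant" rows of the table concrete, here is an added, self-contained illustration (not code from the original page or from Microsoft) of an adversary-in-the-middle proxy against both a TOTP login and a FIDO2/WebAuthn-style login. It uses the RFC 6238 reference seed, a constructed lookalike origin, and an HMAC as a stand-in for the authenticator's ECDSA signature; the relying-party checks mirror the WebAuthn assertion checks (type, challenge, origin, rpIdHash, signature) in simplified form.

```python
import hashlib
import hmac
import json
import struct

# Constructed inputs for the illustration (no real credentials or tenants).
TOTP_SEED = b"12345678901234567890"              # RFC 6238 reference seed
DEVICE_KEY = b"constructed-per-credential-key"   # stand-in for the FIDO2 private key
RP_ID = "login.microsoftonline.com"              # relying party the key was registered with
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.microsoftonline.com.evil.example"  # assumed lookalike site


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp_accepts(seed: bytes, code: str, unix_time: int) -> bool:
    """The real site checks only the digits; it cannot tell where the user typed them."""
    return hmac.compare_digest(totp(seed, unix_time), code)


def browser_and_key_sign(device_key: bytes, page_origin: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page script, records
    the origin it actually loaded in clientDataJSON; the authenticator then signs
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for ECDSA here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    host = page_origin.split("://", 1)[1]
    auth_data = hashlib.sha256(host.encode()).digest() + b"\x01"  # rpIdHash + flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(device_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(device_key: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side: reject anything not bound to our origin and our challenge."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != RP_ORIGIN or cd.get("challenge") != expected_challenge.hex():
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(device_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def aitm_relay() -> dict:
    """Adversary-in-the-middle proxy: forward whatever the victim produces on the lookalike page."""
    now = 1_700_000_000
    typed_code = totp(TOTP_SEED, now)                 # victim reads this from the app, types it into the phish
    relayed_totp_ok = totp_accepts(TOTP_SEED, typed_code, now + 5)  # proxy forwards it seconds later

    # The proxy first fetches the genuine challenge from the real site and hands it to the victim's browser.
    real_challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    genuine = browser_and_key_sign(DEVICE_KEY, RP_ORIGIN, real_challenge)
    phished = browser_and_key_sign(DEVICE_KEY, PHISH_ORIGIN, real_challenge)
    # Attacker rewrites the origin field before forwarding; the signature no longer matches.
    patched = dict(phished)
    patched["client_data"] = phished["client_data"].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return {
        "relayed_totp_accepted": relayed_totp_ok,
        "genuine_fido2_accepted": rp_verify(DEVICE_KEY, genuine, real_challenge),
        "relayed_fido2_accepted": rp_verify(DEVICE_KEY, phished, real_challenge),
        "patched_fido2_accepted": rp_verify(DEVICE_KEY, patched, real_challenge),
    }


if __name__ == "__main__":
    for name, ok in aitm_relay().items():
        print(f"{name}: {'ACCEPTED' if ok else 'rejected'}")
```

The relayed TOTP code is accepted because nothing in a six-digit code says which page it was typed into, whereas the relayed FIDO2 assertion fails twice over: the rpIdHash was computed from the lookalike host, and the clientDataJSON the key signed names that host as the origin, so the proxy can neither reuse it nor edit it. In a real deployment the browser would refuse to use a credential scoped to `login.microsoftonline.com` from the lookalike origin at all, which is the same property enforced one step earlier.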
⚠️ Exam Trap: SMS-based MFA is the most widely deployed but weakest MFA method. It is better than a password alone, but SS7 interception and SIM swapping let an attacker receive the code, and a phishing page can simply relay it to the real site within its validity window. The exam may present it as a distractor next to stronger options.
Reflection Question: A company wants to implement the most phishing-resistant authentication method for its executives. The executives use Windows 10 devices managed by Intune. Which two methods are appropriate, and why?