2.2.2. Authentication Methods
💡 First Principle: Authentication is how Microsoft 365 confirms you are who you claim to be. Stronger authentication methods require attackers to compromise multiple independent factors (something you know, something you have, or something you are), making impersonation exponentially harder.
Traditional authentication uses only a password: one factor, one point of failure. Modern authentication in M365 supports multiple methods, and the exam expects you to know the tradeoffs:
| Method | Factors Used | Phishing Resistant | User Experience |
|---|---|---|---|
| Password only | Something you know | ❌ No | Simple, but weakest |
| Password + SMS OTP | Know + Have | ❌ No (SS7 attack risk) | Common, better than password alone |
| Password + Authenticator app (TOTP) | Know + Have | ❌ No (can be real-time phished) | Good; widely used |
| Authenticator app (push) | Have + approve | ❌ No (MFA fatigue attacks) | Convenient but vulnerable to fatigue |
| FIDO2 security key | Have + Biometric | ✅ Yes | Strongest; hardware required |
| Windows Hello for Business | Biometric/PIN + device | ✅ Yes | Seamless on Windows devices |
| Certificate-based authentication | Have (cert) | ✅ Yes | Enterprise-grade; complex setup |
Passwordless authentication is the direction Microsoft pushes: eliminate passwords entirely and use FIDO2 keys or Windows Hello. These methods are phishing-resistant because authentication is tied to a physical device and cryptographic keys; there is no password to steal or intercept.
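The difference between "can be real-time phished" (TOTP) and "phishing-resistant" (FIDO2) comes down to what the verifier actually checks. The following Python is an added illustration, not part of this study guide or any Microsoft code: it models an RFC 6238 TOTP check beside a simplified WebAuthn assertion (an HMAC stands in for the authenticator's asymmetric signature) and runs both through a real-time relay from a phishing origin. The RP ID, origins, secrets and challenge are constructed sample values.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample values; real deployments generate these randomly per user/credential.
TOTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-key-held-by-security-key"
REAL_RP_ID, REAL_ORIGIN = "login.example.com", "https://login.example.com"
PHISH_ORIGIN = "https://login-example.evil.test"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the clock, not on the site."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Server-side check with one step of clock tolerance; nothing ties the code to where it was typed."""
    return any(hmac.compare_digest(totp(secret, now + d, step), code) for d in (-step, 0))

def fido2_sign(device_key: bytes, rp_id: str, challenge: str, origin: str):
    """Authenticator side. The browser (not the web page) records the origin it is really on in
    clientDataJSON; the signature covers rpIdHash and hash(clientDataJSON)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(device_key, signed, hashlib.sha256).digest()

def fido2_verify(device_key: bytes, rp_id: str, origin: str, challenge: str,
                 client_data: bytes, signature: bytes) -> bool:
    """Relying-party side: challenge and origin must be its own, then the signature must verify."""
    cd = json.loads(client_data)
    if cd.get("challenge") != challenge or cd.get("origin") != origin:
        return False
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(signature, hmac.new(device_key, signed, hashlib.sha256).digest())

def relay_outcomes(now: int = 1_700_000_000) -> tuple:
    """Real-time relay through a phishing page: returns (totp_accepted, fido2_accepted)."""
    # TOTP: the victim enters the code on the phishing page; it is forwarded 5 s later.
    totp_accepted = verify_totp(TOTP_SECRET, totp(TOTP_SECRET, now), now + 5)
    # FIDO2: the real site's challenge is relayed to the victim's browser, which sits on the
    # phishing origin, so that origin ends up inside the signed client data and the RP rejects it.
    challenge = "constructed-challenge-001"
    client_data, sig = fido2_sign(DEVICE_KEY, REAL_RP_ID, challenge, PHISH_ORIGIN)
    fido2_accepted = fido2_verify(DEVICE_KEY, REAL_RP_ID, REAL_ORIGIN, challenge, client_data, sig)
    return totp_accepted, fido2_accepted
```

In a real browser the phishing origin could not even request a credential scoped to the real site's RP ID, so the origin check modelled here is the second of two defences, and neither depends on the user noticing anything.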
⚠️ Exam Trap: SMS-based MFA is the most common but least secure MFA method. It's better than passwords alone, but SS7 vulnerabilities and SIM-swapping make it phishable. The exam may present it as a distractor next to stronger options.
Reflection Question: A company wants to implement the most phishing-resistant authentication method for their executives. They use Windows 10 devices managed by Intune. Which two methods are appropriate, and why?