Microsoft has unveiled plans to take the decision on which authentication method to use out of your hands, instead offering prompts based on security levels.
Having already written about the disadvantages of SMS and voice-based multi-factor authentication (MFA), citing social engineering, mobile operator performance, technical evolution, and more, Microsoft VP and Director of Identity Security Alex Weinert has now pointed to more secure approaches.
Weinert explained that users typically opt for less secure MFA methods, despite having access to better options, out of convenience, technical limitations, or simply a lack of awareness.
Microsoft MFA methods
With the change, users that have registered more than one authentication method will be prompted to sign in with the most secure. Out of SMS and a Microsoft Authenticator push notification, the system will choose the latter, though users will still be able to use the non-preferred method if their circumstances require it.
An instruction page has been set up to guide system admins to set up system-preferred multi-factor authentication via the Azure Portal and via GraphAPI.
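The article mentions the Graph API route without showing it. As an added example (not code from the article or from Microsoft), the script below enables system-preferred MFA for all users with the Microsoft Graph PowerShell SDK and then reads the policy back to confirm the change. The endpoint (`/beta/policies/authenticationMethodsPolicy`), the `systemCredentialPreferences` property, its `state` values and the `Policy.ReadWrite.AuthenticationMethod` permission are assumptions taken from Microsoft Graph documentation at the time of writing, not from this page; the excluded group ID is a placeholder.

```powershell
# Added example: enable system-preferred MFA via Microsoft Graph (PowerShell SDK).
# Assumptions (not from the article): endpoint, property names and the permission
# scope below follow Microsoft Graph docs; verify against the current reference.

# Requires the Microsoft.Graph module: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod"

$policyUri = "https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy"

# 1. Record the current state so the change can be audited and rolled back.
$before = Invoke-MgGraphRequest -Method GET -Uri $policyUri
Write-Host "Current systemCredentialPreferences state: $($before.systemCredentialPreferences.state)"

# 2. Desired configuration: enabled for everyone, with an optional exclusion group
#    (placeholder GUID; replace with a real break-glass or pilot-exclusion group, or
#    leave excludeTargets empty to apply the setting tenant-wide).
$desired = @{
    systemCredentialPreferences = @{
        state          = "enabled"     # allowed values: enabled | disabled | default
        includeTargets = @(
            @{ targetType = "group"; id = "all_users" }
        )
        excludeTargets = @(
            # @{ targetType = "group"; id = "00000000-0000-0000-0000-000000000000" }  # PLACEHOLDER
        )
    }
}

# 3. Apply the change. PATCH only touches the properties supplied in the body,
#    so the rest of the authentication methods policy is left as-is.
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri `
    -Body ($desired | ConvertTo-Json -Depth 6) -ContentType "application/json"

# 4. Verify: read the policy back and fail loudly if the state did not change.
$after = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$state = $after.systemCredentialPreferences.state
if ($state -ne "enabled") {
    throw "system-preferred MFA is '$state', expected 'enabled'"
}
Write-Host "system-preferred MFA is now enabled; include targets:" `
    ($after.systemCredentialPreferences.includeTargets | ConvertTo-Json -Compress)
```

Running the GET both before and after gives an audit record of the change, which matters once Microsoft removes the ability to disable the feature: the `state` value is the single setting admins will want to see in a change log. Setting `state` to `disabled` with the same body is the rollback for the period in which the toggle still exists.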
Having already rolled out to some users in an automatically disabled state, the feature will now roll out more widely, enabled by default. At some point, Microsoft will remove the option to disable system-preferred MFA altogether, though a timeline for this isn’t expected to be publicized for a few weeks.
Weinert says: “To best secure your organization and its end users, we highly encourage you to use the rollout controls and deploy this new feature as soon as you can. It’s now available in your tenant, making it easy to ensure users always use the most secure authentication method first.”