Authentication: Passwords, MFA & Passwordless
How do you prove you are who you say you are? Passwords, multi-factor authentication, FIDO2 keys, Windows Hello — and why passwordless is the future.
What is authentication?
Authentication is the digital equivalent of showing your ID at the door.
When you withdraw money from a bank, the teller asks for ID. You show your driver’s licence (something you have) and maybe answer a security question (something you know). If both check out, they hand over the cash.
Online authentication works the same way. You prove your identity using one or more “factors” — a password, a phone notification, a fingerprint. The more factors you provide, the more confident the system is that you really are you.
The three factor categories
Every authentication method falls into one of three categories. The exam tests these directly:
| Factor | Category | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security questions |
| Something you have | Possession | Phone, security key, smart card |
| Something you are | Biometric | Fingerprint, face scan, iris scan |
Key exam concept: Multi-factor authentication requires at least TWO factors from DIFFERENT categories. Password + security question is NOT MFA — both are “something you know.” Password + phone approval IS MFA — “something you know” plus “something you have.”
Authentication methods in Entra ID
Microsoft Entra ID offers several authentication methods, from traditional passwords to modern passwordless options:
Passwords
The most common but least secure method. Passwords can be phished, guessed, or stolen in data breaches. Microsoft is actively encouraging organisations to move beyond passwords.
Microsoft Authenticator app
A free mobile app that supports three modes:
- Push notification — approve or deny a sign-in with one tap
- Number matching — the sign-in screen shows a number that you must enter in the app (prevents MFA fatigue attacks)
- Time-based one-time passcode (TOTP) — a 6-digit code that changes every 30 seconds
FIDO2 security keys
Physical hardware keys (like a YubiKey) that plug into USB or tap via NFC. They use public-key cryptography — no shared secrets that can be phished.
Windows Hello for Business
Uses biometrics (face or fingerprint) or a PIN tied to the specific device. The PIN never leaves the device and is backed by hardware security. It looks simple, but it’s actually strong passwordless authentication.
Certificate-based authentication
Uses digital certificates stored on smart cards or devices. Common in government and highly regulated environments.
Passkeys
The newest addition. Passkeys are a FIDO2-based credential stored on your device (phone, laptop, or security key). They’re synced across devices and resist phishing because they’re bound to the specific website.
Comparing authentication methods
| Method | Security Level | User Experience | Phishing Resistant |
|---|---|---|---|
| Password only | Low | Familiar but frustrating | No |
| Password + SMS code | Medium | Adds a step | Partially (SIM swap risk) |
| Password + Authenticator push | High | Quick tap to approve | Partially (MFA fatigue risk) |
| Authenticator with number matching | High | Requires reading and typing a number | Yes |
| FIDO2 security key | Very high | Tap or insert the key | Yes |
| Windows Hello for Business | Very high | Look at camera or touch sensor | Yes |
| Passkeys | Very high | Biometric on device | Yes |
Exam tip: know which methods are 'passwordless'
The exam may ask which methods are considered passwordless. The answer: Windows Hello for Business, FIDO2 security keys, and the Microsoft Authenticator app (when configured for passwordless sign-in). These methods don’t use passwords at all — not even as a fallback.
SMS codes are NOT passwordless — they’re typically used as a second factor alongside a password.
Multi-factor authentication (MFA)
MFA requires users to provide two or more verification factors from different categories. It’s the single most effective defence against account compromise.
The statistic to remember: Microsoft reports that MFA blocks 99.9 percent of account compromise attacks. That’s not marketing — it’s based on real data from billions of sign-in attempts.
Why MFA works
An attacker who steals your password still can’t sign in because they don’t have your phone (second factor). An attacker who steals your phone can’t sign in because they don’t know your password (first factor). They’d need to compromise BOTH at the same time.
MFA in Entra ID
There are two ways to enable MFA:
Security Defaults (free):
- Available in every Entra ID tenant at no extra cost
- Requires all users to register for MFA using the Authenticator app
- Blocks legacy authentication protocols (which can’t do MFA)
- Perfect for small organisations like BrightStar
Conditional Access (requires P1):
- Granular control over WHEN and HOW MFA is required
- Example: “Require MFA for all admin sign-ins” or “Require MFA when signing in from outside the corporate network”
- Can combine with device compliance, location, and risk signals
Scenario: Raj rolls out MFA at Lakewood University
Raj enables Security Defaults as the first step — it’s free and covers all 5,000 users immediately. Every student and staff member must register the Authenticator app within 14 days.
Professor Chen complains: “I have to approve my phone every time I log in?” Raj explains that Entra ID uses smart detection — if Chen signs in from his usual campus laptop at the usual time, MFA may not be prompted. But if someone tries to sign in from an unfamiliar country, MFA kicks in immediately.
Six months later, Raj upgrades to Conditional Access (P1) for more control:
- Students: MFA only from off-campus
- Staff: MFA always
- IT admins: MFA + compliant device required
MFA fatigue and number matching
When users get too many MFA prompts, they start approving them without thinking — this is called MFA fatigue. Attackers exploit this by flooding a user’s phone with approval requests until they tap “Approve” just to make it stop.
Number matching solves this. Instead of just tapping “Approve,” the user must type the two-digit number shown on the sign-in screen into the Authenticator app. If an attacker triggers the MFA prompt, the victim doesn’t know the number — so they can’t accidentally approve it.
Key exam concept: Number matching in the Authenticator app is now the default for MFA push notifications. It prevents MFA fatigue attacks by requiring the user to actively match a number displayed on the sign-in screen.
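To make the difference concrete, here is an added toy model of the two push-approval modes (an illustration written for this page, not Microsoft's implementation). A pending sign-in carries the two-digit number shown on the sign-in screen; a plain push approval accepts whatever request is pending, while number matching only approves a request whose number the user actually typed. The 60-second expiry and the in-memory store are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PendingSignIn:
    user: str
    number: str          # two-digit value displayed on the sign-in screen
    created: float       # seconds; passed in explicitly so the flow is testable
    approved: bool = False


class PushMfaService:
    """Toy push-MFA back end. number_matching=False models a bare Approve/Deny push;
    number_matching=True models the Authenticator's number-matching mode."""
    TTL = 60.0  # assumed lifetime of a pending request, in seconds

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.pending: Dict[str, List[PendingSignIn]] = {}

    def start_sign_in(self, user: str, now: float) -> PendingSignIn:
        """Called when a password has been accepted and a push is sent to the user's phone.
        The random two-digit number is constructed here, as the sign-in screen would show it."""
        req = PendingSignIn(user, f"{secrets.randbelow(100):02d}", now)
        self.pending.setdefault(user, []).append(req)
        return req

    def approve(self, user: str, now: float, typed_number: Optional[str] = None) -> bool:
        """Called when the user taps Approve (and, with number matching, types the number)."""
        live = [r for r in self.pending.get(user, [])
                if now - r.created <= self.TTL and not r.approved]
        self.pending[user] = live
        if not live:
            return False
        if not self.number_matching:
            live[0].approved = True      # a blind tap approves whichever request is pending
            return True
        for req in live:
            if typed_number is not None and hmac.compare_digest(req.number, typed_number):
                req.approved = True      # only the request whose number the user saw
                return True
        return False                     # wrong or missing number: nothing is approved
```

The `approve` return value is what a sign-in page would poll for; with number matching enabled, a tap without the right number never completes a sign-in.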
The path from passwords to passwordless
| Level | What It Means | Example |
|---|---|---|
| Password only | Single factor, weakest security | Typing a password to sign in |
| Password + MFA | Two factors, strong protection | Password plus Authenticator approval |
| Passwordless | No password at all, strongest and easiest | Windows Hello face scan, FIDO2 tap, passkey |
The goal is to get everyone to passwordless. It’s more secure (nothing to phish) AND more convenient (no password to remember or type).
Authentication and MFA — SC-900 Domain 2
Knowledge Check
A Lakewood University student uses a password and then approves a notification on their phone via the Authenticator app. How many authentication factors are used, and from which categories?
Sam has a tight budget and wants to enable MFA for all 50 BrightStar staff at zero cost. What should Sam use?
Raj notices that several staff members are approving MFA prompts they didn't initiate — attackers are spamming them with notifications. Which feature should Raj enable to prevent this?