Microsoft has exposed plans to decide which authentication method to use, instead it offers prompts based on security levels.
Having already written on the downsides of using SMS and voice multi-factor authentication (MFA) methods, citing social engineering, mobile carrier efficiency, technical evolution and more, Alex Weinert, Microsoft VP of Identity Security, has now alluded to more secure approaches.
Weinert explained that users tend to choose less secure MFA methods even though they have access to better options due to convenience, technical limitations, or simply lack of awareness.
Microsoft MFA methods
With the change, users who registered more than one Authentication method you will be prompted to sign in with the most secure one. Of Microsoft Authenticator SMS and push notifications, the system will choose the latter, although users will still be able to use the non-preferred method if circumstances so require.
Some manual page has been configured to help system administrators set up system-preferred multi-factor authentication via the Azure portal and GraphAPI.
After rolling out to users on an auto-disable basis, it will now begin rolling out more widely and auto-enabled. At some point, Microsoft will remove the option to completely disable system-preferred MFA, although the timeline is not expected to be released in a few weeks.
Weinert says, “To best protect your organization and its end users, we strongly encourage you to take advantage of Deployment Control and implement this new feature as soon as possible. It’s now available in your tenant, so you can easily ensure that users always use the most secure authentication method first.”