Authentication Method Comparison

Method PHR Passwordless SSPR Winlogon RDP (AD) RDP (AAD) RADIUS Mobile Web Primary Factor 2nd Factor
Password Only
FIDO2 Security Key
Microsoft Authenticator (Push)
Microsoft Authenticator (Passwordless)
Windows Hello for Business
Certificate on a Smart Card
Software TOTP Token
Hardware OATH Token
SMS
Temporary Access Pass
Voice Call
Email OTP
Security Questions

Notes

  • The table does not cover Federated MFA.
  • RDP to AD-only joined devices with FIDO2 Security Keys, Windows Hello for Business, and Temporary Access Pass only works with the Remote Credential Guard and Restricted Admin features. The Azure AD Kerberos trust is required in some scenarios.
  • Smart card support depends on the specific OS and HW combination used.
  • FIDO2 security keys do not work on Android phones yet.
  • Even though mobile phones do not directly support Windows Hello for Business, it can still be used indirectly in the Microsoft Authenticator app with the OAuth 2.0 device code authentication flow:

    Microsoft Authenticator device code authentication flow screenshot

Disclaimer

The table might have gotten outdated since it had been created. Feel free to ping me if you discover any errors in it.