Implementing Self-Service Password Reset (SSPR) and Multi-Factor Authentication (MFA) in Azure AD

Authentication Methods for MFA and SSPR

Question

You are implementing authentication for applications in your company. You plan to implement self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD).

You need to select authentication mechanisms that can be used for both MFA and SSPR.

Which two authentication methods should you use? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations

A. B. C. D. E.

AB

The following authentication mechanisms can be used for both MFA and SSPR:

-> Short Message Service (SMS) messages

-> Azure AD passwords

-> Microsoft Authenticator app

-> Voice call

Incorrect Answers:

C, D:

The following authentication mechanisms are used for SSPR only:

-> Email addresses

-> Security questions

E: App passwords can be used for MFA only, and only in certain cases.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods

When implementing self-service password reset (SSPR) and multifactor authentication (MFA) in Azure Active Directory (Azure AD), you need to choose authentication mechanisms that are compatible with both.

The following authentication methods can be used for both MFA and SSPR:

A. Short Message Service (SMS) messages: This method sends a verification code to the user's mobile phone number via SMS. The user then enters this code to verify their identity. SMS can be used for both MFA and SSPR, as it is a convenient and widely used authentication method. However, SMS codes can be vulnerable to interception or SIM swap attacks.

B. Authentication app: An authentication app, such as Microsoft Authenticator, Google Authenticator, or Authy, generates a time-based one-time password (TOTP) that the user must enter to verify their identity. This method is widely used and can be used for both MFA and SSPR. Authentication apps provide an additional layer of security: the code is generated on the device rather than delivered over the phone network, so it is not exposed to SMS interception or SIM swap attacks.

The following authentication methods cannot be used for both MFA and SSPR:

C. Email addresses: This method involves sending a verification code to the user's email address. The user then enters this code to verify their identity. While this method can be used for SSPR, it is not recommended for MFA, as it is vulnerable to phishing attacks.

D. Security questions: This method involves asking the user to answer a set of predefined security questions to verify their identity. While this method can be used for SSPR, it is not recommended for MFA, as it is vulnerable to social engineering attacks.

E. App passwords: App passwords are used to authenticate legacy applications that do not support modern authentication protocols. They are not recommended for MFA or SSPR, as they are not a secure authentication method.

In summary, when implementing SSPR and MFA in Azure AD, it is recommended to use SMS messages and authentication apps, since each of them can be used for both.