3.4 Authentication Methods and Sign-in Assurance

Key Takeaways

  • An authentication method is the kind of proof an identity presents at sign-in; Entra ID supports passwords, MFA factors, and passwordless and phishing-resistant methods.
  • Passwordless methods include Windows Hello for Business, FIDO2 security keys / passkeys, and the Microsoft Authenticator app.
  • Phishing-resistant methods (Windows Hello for Business, passkeys/FIDO2, certificate-based authentication) are Microsoft's most secure recommendation.
  • A Temporary Access Pass (TAP) is a time-limited passcode used to bootstrap registration of passwordless methods or recover account access.
  • Authentication methods are managed centrally via the Authentication methods policy and combined security information registration.
Last updated: June 2026

What an authentication method is

An authentication method is the specific kind of proof an identity presents during sign-in. Microsoft Entra ID supports a spectrum of methods, and the SC-900 theme is that not all proofs are equally strong: a reusable secret like a password is the weakest, while cryptographic, device-bound, phishing-resistant methods are the strongest.

Authentication methods are categorized by the classic MFA factors:

| Factor category | Examples |
| --- | --- |
| Something you know | Password, PIN, security questions |
| Something you have | Phone (Authenticator app/SMS), FIDO2 security key, certificate |
| Something you are | Biometric — fingerprint or facial recognition (Windows Hello) |

Microsoft Entra ID supports passwords, Microsoft Authenticator (push/passwordless), OATH hardware/software tokens, SMS and voice call, Windows Hello for Business, FIDO2 security keys / passkeys, and certificate-based authentication (CBA). Admins control which methods are available through the Authentication methods policy in the Microsoft Entra admin center, where they can enable or disable each method and scope it to specific users or groups.

The exam's recurring theme is that the choice of method directly determines the assurance of the sign-in — a password yields low confidence that the requester is genuine, while a phishing-resistant, device-bound credential yields high confidence. Reading 3.4 questions for that outcome (more sign-in assurance, less credential risk) is more reliable than memorizing every method's mechanics.

Passwordless and phishing-resistant methods

Microsoft is actively moving customers away from passwords. Passwordless authentication replaces the password with something you have plus something you are/know, so there is no reusable secret to phish, guess, or reuse. The three passwordless options SC-900 emphasizes:

  • Windows Hello for Business — biometric (face/fingerprint) or PIN unlocking a key bound to the device's hardware (TPM). Local gesture; the credential never leaves the device.
  • FIDO2 security keys / passkeys — external hardware keys or device-bound passkeys based on the open FIDO2 standard; phishing-resistant by design. (Microsoft introduced Entra passkeys on Windows, storing device-bound passkeys in the Windows Hello container, in 2026.)
  • Microsoft Authenticator app — passwordless phone sign-in where the user approves a notification and matches a displayed number (number matching) plus a biometric/PIN on the phone.

Phishing-resistant methods — Windows Hello for Business, passkeys/FIDO2, and certificate-based authentication — are Microsoft's recommended strongest tier because credentials cannot be replayed or captured by a fake site.

Temporary Access Pass and registration

Getting users onto passwordless methods needs a secure bootstrap, because a brand-new user has no method to register their first one. A Temporary Access Pass (TAP) is a time-limited passcode issued by an admin that a user enters to sign in and then register Windows Hello, a passkey, or Authenticator — or to recover access when they have lost their other methods. A TAP can be configured as one-time or usable for a limited window.

Users manage their methods through combined security information registration (the same place they enroll MFA and self-service password reset methods — see 3.6), typically at the My Sign-Ins / Security info page.

| Capability | Purpose |
| --- | --- |
| Authentication methods policy | Admin control of which methods are allowed and to whom |
| Combined registration | One place for users to register MFA + SSPR methods |
| Temporary Access Pass (TAP) | Time-limited passcode to onboard passwordless or recover access |
| Number matching | Anti-fatigue control in Authenticator push approvals |

Choosing the right method — exam cues

Read 3.4 questions for the security outcome the scenario wants:

  • Eliminate the password entirely / no reusable secret → a passwordless method (Windows Hello, passkey/FIDO2, Authenticator).
  • Strongest, phishing-resistant sign-in → Windows Hello for Business, FIDO2/passkeys, or CBA.
  • Add a second proof on top of the password → multifactor authentication (covered fully in 3.5).
  • Onboard a new user to passwordless or recover a locked-out user → Temporary Access Pass.

Common traps: SMS and voice calls are additional factors but are not considered phishing-resistant, so they are not the "strongest" answer. Windows Hello credentials are bound to the device and use biometrics/PIN — they are not a roaming password. And don't confuse the method (the proof) with authorization (what access is granted afterward). Keep authentication strength and access decisions in separate lanes.

The strength ladder you should carry into the exam

It helps to picture authentication methods as a ladder from weakest to strongest, because SC-900 frequently asks you to pick the most secure option from a list:

  1. Password alone — weakest; a single reusable secret that can be phished, guessed, or reused.
  2. Password + SMS/voice — better (two factors) but the second factor is not phishing-resistant.
  3. Password + Authenticator push with number matching — strong, resists push-fatigue attacks.
  4. Passwordless (Authenticator passwordless, Windows Hello, passkeys) — no password to steal.
  5. Phishing-resistant (Windows Hello for Business, FIDO2/passkeys, certificate-based auth) — strongest; credentials can't be replayed against a fake site.

When a question lists several methods and asks for the most secure, climb to the phishing-resistant rung. When it asks merely to add a factor to an existing password, an MFA method one or two rungs up is enough. This ladder, combined with the rule that the proof step is separate from authorization, resolves the majority of 3.4 questions quickly.
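As an added example (not the study guide's or Microsoft's code), the Python below encodes this ladder as a scoring function and runs it over a handful of constructed sign-in records, flagging users who still signed in below the passwordless rung. The method labels, the JSON field names and the rung-0 treatment of a TAP are this example's assumptions, not documented Entra log values.

```python
"""Rank sign-ins on the weakest-to-strongest ladder described above.
Added example, not from the study guide or Microsoft. Records are constructed
to resemble sign-in log entries; the method labels are assumed, not documented.
"""
import json

PHISHING_RESISTANT = {"Windows Hello for Business", "FIDO2 security key",
                      "Certificate-based authentication"}            # rung 5
PASSWORDLESS = PHISHING_RESISTANT | {"Passwordless phone sign-in"}    # rung 4
PUSH, SMS_VOICE = "Mobile app notification", {"Text message", "Voice call"}


def rung(methods, number_matching=True):
    """Return (rung, reason) for the proofs used in one sign-in; rung 0 is
    this example's convention for a TAP (bootstrap credential, not a rung)."""
    used = set(methods)
    if used & PHISHING_RESISTANT:
        return 5, "phishing-resistant: cannot be replayed against a fake site"
    if used & PASSWORDLESS:
        return 4, "passwordless: no password to steal"
    if "Temporary Access Pass" in used:
        return 0, "TAP bootstrap: expect passkey/WHfB registration to follow"
    if "Password" not in used:
        raise ValueError(f"unrecognised method set: {sorted(used)}")
    if PUSH in used and number_matching:
        return 3, "MFA with number matching: resists push fatigue"
    if PUSH in used or used & SMS_VOICE:  # push without number match lands here
        return 2, "MFA, second factor not phishing-resistant"
    return 1, "password only: single reusable secret"


def triage(log_lines, minimum_rung=4):
    """Parse JSON-lines records; return (user, rung, reason) below the bar."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        r, why = rung(rec["methods"], rec.get("numberMatching", True))
        if r < minimum_rung:
            findings.append((rec["user"], r, why))
    return sorted(findings, key=lambda f: f[1])  # weakest sign-ins first


SAMPLE_LOG = [  # constructed records, not real tenant data
    '{"user": "alice@contoso.example", "methods": ["Password"]}',
    '{"user": "bob@contoso.example", "methods": ["Password", "Text message"]}',
    '{"user": "carol@contoso.example", "methods": ["Password", "Mobile app notification"]}',
    '{"user": "dave@contoso.example", "methods": ["FIDO2 security key"]}',
    '{"user": "erin@contoso.example", "methods": ["Temporary Access Pass"]}',
]
```

Calling `triage(SAMPLE_LOG)` returns erin (TAP bootstrap), alice, bob and carol in that order; raising `minimum_rung` to 5 also surfaces dave, since a passkey is rung 5 only in the phishing-resistant sense this example already grants it, so his record stays clear of the list.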

Test Your Knowledge

Which set of authentication methods is considered passwordless in Microsoft Entra ID?


An organization wants the most phishing-resistant sign-in experience. Which option best meets that goal?


A new employee has no registered authentication methods and needs a secure, time-limited way to sign in and register a passkey. What should the administrator issue?


Which statement about Windows Hello for Business is correct?
