Forum Discussion
Challenges with New MFA and SSPR Policies: Need Guidance
Kidd_Ip I am currently transitioning our SSPR process from a Helpdesk Call Knowledge-based process (with its major flaw of a weak knowledge-based factor) to Entra SSPR.
Like brentmattson I am wondering why state-of-the-art secure authentication methods are not allowed for SSPR according to https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
Since the usage of Text/SMS and voice calls is highly discouraged (you even mention this in the documentation), the documentation leaves us with only 3 options:
MS Authenticator Push and OATH TOTP (Software or Hardware), which might be sufficient for standard accounts, but we want to offer administrator accounts SSPR as well.
You also mention email and security questions, but email is not usable when you have locked yourself out, and security questions are highly discouraged as well.
It would be ideal if you would allow a 2nd Passkey/FIDO2 hardware token as a means of recovery.
E.g., administrators should have 2 hardware tokens: the 1st as the primary AuthN factor and the 2nd purely for recovery.
This is currently not possible because Entra ID does not allow Passkeys for SSPR.
Do you have planned updates to SSPR AuthN methods on your roadmap?
As things stand, we can't allow SSPR and instead look at https://learn.microsoft.com/en-us/entra/verified-id/helpdesk-with-verified-id
Verified ID would also serve greatly as an SSPR recovery AuthN method.
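The post proposes that every administrator carry two FIDO2 hardware tokens, one primary and one held back for recovery. The following audit script is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK to list the users holding the activated Global Administrator role and counts the FIDO2 security keys each has registered, flagging anyone below the two-key threshold. It assumes the SDK is installed, that the caller can consent to the listed scopes, and that the threshold of two keys (`$RequiredKeys`) is the policy you want to enforce; the role name and threshold are assumptions you can change.

```powershell
# Added example (not from the original post): audit whether each Global Administrator
# has at least two FIDO2 security keys registered (primary + recovery token).
# Assumes the Microsoft Graph PowerShell SDK is installed and the scopes below can be consented to.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","RoleManagement.Read.Directory"

$RequiredKeys = 2   # assumption: one primary key plus one recovery key per administrator

# The activated directory role object; it only exists once the role has been assigned at least once.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

# Keep only user members (the role may also contain service principals or groups)
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }

$report = foreach ($m in $members) {
    # Registered FIDO2 security keys for this user (sign-in methods, not the SSPR policy itself)
    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $m.Id)
    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties.userPrincipalName
        Fido2KeyCount     = $keys.Count
        KeyModels         = ($keys | ForEach-Object { $_.Model }) -join '; '
        Status            = if ($keys.Count -ge $RequiredKeys) { 'OK' } else { 'NEEDS RECOVERY KEY' }
    }
}

# Administrators missing a recovery key sort to the top for follow-up
$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
```

The check reports registered sign-in keys only; as the post notes, Entra ID does not currently let a passkey act as an SSPR method, so a second key documents recovery capacity for a helpdesk-assisted reset rather than enabling self-service on its own.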