Forum Discussion
Miike
Apr 18, 2023Brass Contributor
Secure Registration and TAP with a password-less CA baseline
Hi All, I've been looking further at password-less in an Azure AD tenant and if it can be set as a baseline CA requirement for access to tenant resources. Access via CA policies appears to work ...
May 02, 2023
If you enforce passwordless (authentication strength), as you've noticed, you might need to add TAP as an additional method in that policy. Let's consider the scenario: existing user, new phone.
It's a bit clunky today, since you will need a TAP to get the user into Security Info first (to register a method), and then provide a TAP yet again when you "Enable phone sign-in" on the new mobile. You could use the same TAP there if you set it to not require one-time use and then scope it to 1 hour, for example. I have an example Authenticator scenario you can compare with: https://simonhakansson.com/passwordless-authenticator-configuration-ddb0fa70d32f
Keep in mind that TAP is considered stronger than the other available MFA methods (https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-system-preferred-multifactor-authentication#how-does-system-preferred-mfa-determine-the-most-secure-method) , so it should be handled with care.
I expect the Passwordless registration-flow to become a bit more user friendly in the future, ideally you would want "Enable Phone-sign in" to be automatic in some way, at least for MDM-enrolled phones in my opinion.
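The two admin-side pieces of the scenario above, as an added example that is not part of the reply or of Microsoft's documentation: an authentication strength that allows the passwordless methods plus TAP, and a multi-use TAP scoped to 60 minutes so the same pass covers both the Security Info registration and the "Enable phone sign-in" step. It uses the Microsoft Graph PowerShell SDK; the parameter name `$UserPrincipalName`, the policy display name and the 60-minute default are assumptions chosen for the example.

```powershell
# Added example (not the thread's own code). Assumes the Microsoft.Graph module is
# installed and the caller holds the Authentication Policy Administrator role (for
# the strength policy) and Authentication Administrator or higher (for the TAP).
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # user getting the new phone
    [int] $LifetimeInMinutes = 60,                         # assumption: one hour covers both steps
    [switch] $OneTimeUse                                   # set only for a single-step scenario
)

Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "UserAuthenticationMethod.ReadWrite.All"

# 1) Authentication strength for the CA policy: the built-in "Passwordless MFA"
#    combinations plus both TAP flavours, so a TAP-holding user can still satisfy
#    the grant control while they have no passwordless method registered yet.
$strengthName = "Passwordless or TAP (example)"   # assumption: display name
$strength = Get-MgPolicyAuthenticationStrengthPolicy -Filter "displayName eq '$strengthName'"
if (-not $strength) {
    $strength = New-MgPolicyAuthenticationStrengthPolicy -DisplayName $strengthName `
        -Description "Passwordless methods, with TAP allowed for re-enrollment" `
        -AllowedCombinations @(
            "windowsHelloForBusiness",
            "fido2",
            "x509CertificateMultiFactor",
            "deviceBasedPush",                 # Authenticator phone sign-in
            "temporaryAccessPassOneTime",
            "temporaryAccessPassMultiUse"
        )
}
Write-Host "Authentication strength '$($strength.DisplayName)' id: $($strength.Id)"

# 2) Issue the TAP. A user can hold only one TAP at a time, so remove a leftover one
#    first; otherwise the creation call fails.
$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id | ForEach-Object {
    Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
        -TemporaryAccessPassAuthenticationMethodId $_.Id
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -IsUsableOnce:$OneTimeUse.IsPresent `
    -LifetimeInMinutes $LifetimeInMinutes `
    -StartDateTime (Get-Date).ToUniversalTime()

# The pass value is only returned by the creation call; it cannot be read back later.
# Hand it to the user out of band (not by e-mail to the mailbox it is meant to unlock).
[pscustomobject]@{
    User       = $user.UserPrincipalName
    Pass       = $tap.TemporaryAccessPass
    UsableOnce = $tap.IsUsableOnce
    ExpiresUtc = $tap.StartDateTime.AddMinutes($tap.LifetimeInMinutes)
}
```

Run it as `.\New-ReEnrollmentTap.ps1 -UserPrincipalName alice@contoso.com` for the multi-use flow the reply describes, or add `-OneTimeUse` to reproduce the single-use pass that breaks the second step. Because TAP ranks above every other MFA method, keep the lifetime as short as the two steps allow and confirm in Security Info that the pass has expired or been consumed afterwards.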
Miike445
May 03, 2023Copper Contributor
This worked perfectly. I think the main difference I had was pushing the TAP as OTP rather than multi-use; it makes sense looking back at the issue now.
I agree; when we can enforce passwordless enrollment through guided prompts or have it enabled by default on managed devices, it will be a lot easier. Hopefully one day soon!
0fflinedocs
May 05, 2023Brass Contributor
Great, yes, it makes sense then, but it's not intuitive at all as of now. Hopefully that will be a bit more user friendly going forward.