The authentication methods SMS, Voice Call, and Email One-Time Passcode (OTP) SHALL be disabled.
Why This Matters
SMS, voice call, and email one-time passcode (OTP) authentication methods are more susceptible to interception, phishing, and social engineering attacks than modern passwordless methods. Disabling these weak verification channels reduces your organization’s attack surface and moves users toward more secure authentication, such as Microsoft Authenticator or FIDO2 security keys. CISA specifically recommends this action to lower risks associated with MFA bypass and credential theft.
What Aether365 Checks
This check verifies that SMS, voice call, and email OTP are disabled as authentication methods in your Microsoft Entra ID tenant. It appears on your Aether365 dashboard under the entra-id checks section.
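One way to reproduce this check by hand, as an added example that is not Aether365's own code: the function below evaluates a Microsoft Graph `authenticationMethodsPolicy` response (`GET /policies/authenticationMethodsPolicy`) and fails closed when a method's configuration is missing. The sample policy is constructed, and the function and variable names are hypothetical.

```python
import json

# Ids used in authenticationMethodConfigurations of the Microsoft Graph
# authenticationMethodsPolicy resource, mapped to the names used on this page.
WEAK_METHODS = {"sms": "SMS", "voice": "Voice Call", "email": "Email OTP"}

# Constructed sample response (not from a real tenant).
SAMPLE_POLICY = json.loads("""
{
  "id": "authenticationMethodsPolicy",
  "authenticationMethodConfigurations": [
    {"id": "Fido2", "state": "enabled"},
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Sms", "state": "enabled",
     "includeTargets": [{"targetType": "group", "id": "all_users"}]},
    {"id": "Voice", "state": "disabled"},
    {"id": "Email", "state": "disabled"}
  ]
}
""")


def evaluate_weak_methods(policy):
    """Return (passed, findings); passes only if all three methods are disabled."""
    seen = {}
    for cfg in policy.get("authenticationMethodConfigurations", []):
        method_id = str(cfg.get("id", "")).lower()
        if method_id in WEAK_METHODS:
            seen[method_id] = cfg

    findings = []
    for method_id, label in WEAK_METHODS.items():
        cfg = seen.get(method_id)
        if cfg is None:
            # Fail closed: an absent entry is not evidence of "disabled".
            findings.append(f"{label}: no configuration returned, state unknown")
            continue
        state = str(cfg.get("state", "")).lower()
        if state != "disabled":
            targets = [t.get("id", "?") for t in cfg.get("includeTargets") or []]
            scope = ", ".join(targets) or "no targets listed"
            findings.append(f"{label}: state '{state}' (targets: {scope})")
    return (not findings, findings)


if __name__ == "__main__":
    passed, findings = evaluate_weak_methods(SAMPLE_POLICY)
    print("PASS" if passed else "FAIL")
    for line in findings:
        print(" -", line)
```

To run it against a tenant, replace `SAMPLE_POLICY` with the JSON body returned by the Graph endpoint named above.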