Microsoft Is Retiring Security Questions for Entra ID SSPR. The Real Decision Comes Next.

by
Nametag

Most Entra administrators already know that security questions can't be trusted. A motivated attacker who knows an employee's name and a few personal details has everything they need to answer those questions and complete a password reset. That's why Microsoft has made the call: security questions will be retired for Entra ID self-service password reset (SSPR) as of March 2027.

"Security questions are often guessable or susceptible to social engineering, increasing the risk of account takeover during SSPR. Stronger verification methods improve security and reduce reset failures and support escalations." — Microsoft

The deprecation is correct and overdue. But the next step is not as simple as it seems. What you choose as a replacement will determine your organization’s security posture for years to come.

TL;DR

  • Microsoft is deprecating knowledge-based authentication (KBA) for self-service password reset (SSPR) as of March 2027. 
  • Swapping in a "stronger" alternative authentication method without evaluating its threat model and flexibility can actually undermine your security posture.
  • Nametag’s self-service account recovery module for Microsoft Entra securely verifies the human behind the request in under 30 seconds, on any device.

The Key Question to Ask

Does this authentication method verify the person, or access to something they have?

Following the deprecation of KBA, Microsoft's remaining approved SSPR authentication methods will be: 

  • Microsoft Authenticator push notifications
  • Hardware OATH tokens (preview)
  • Software OATH tokens
  • SMS
  • Voice call 
  • Email OTP

Critically, none of these verify the actual person making the request. At most, they verify that a user has access to something (a device, a phone number, an inbox, a hardware token). At worst, these factors create a false sense of security while actually giving attackers a new path in.

Authenticator push notifications are the most secure KBA replacement in this list, but bad actors have developed numerous workarounds. An attacker can initiate the SSPR flow, call the target, impersonate IT support, and socially engineer the victim to approve the prompt. Number matching does not close this gap: the attacker is the one looking at the reset screen, so they can simply read the number to the victim over the phone.

This is not hypothetical. Microsoft's Defender Security Research Team has documented threat group Storm-2949 using this exact approach to exfiltrate data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments.

Any authentication method that verifies access to a credential or device keeps this attack surface open. The question to ask of any replacement is whether it verifies the person or something they possess.

In other words: Even after removing KBA, every available SSPR verification method either fails under the conditions that caused the lockout, or can be defeated by someone willing to make a phone call. Retiring KBA is the right call; choosing a replacement without evaluating its true security posture is how organizations end up with the exact same exposure level as before.
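One signal an Entra administrator can still act on is where a reset came from: a legitimate self-service reset normally originates from a network the employee has recently signed in from, while an attacker-initiated reset usually does not. The script below is an added example written for this post, not code from Nametag or Microsoft. It walks sign-in and audit records whose field names follow the Entra ID sign-in-log and audit-log shapes (`userPrincipalName`, `ipAddress`, `activityDisplayName`, `initiatedBy.user.ipAddress`, `targetResources[].userPrincipalName`); the records themselves are constructed sample data, and the /24 (or /64) network grouping and 14-day lookback are assumptions you would tune for your environment.

```python
"""Flag successful SSPR completions that did not originate from a network the
target user has recently signed in from (added example; sample data below is
constructed, and the field names are modelled on Entra ID log exports)."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOOKBACK = timedelta(days=14)                     # assumption: baseline window
SSPR_ACTIVITY = "Reset password (self-service)"   # audit-log activityDisplayName

# Constructed sign-in records. errorCode 0 is a successful sign-in.
SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10",
     "createdDateTime": "2026-03-02T08:15:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.12",
     "createdDateTime": "2026-03-05T09:01:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "198.51.100.7",
     "createdDateTime": "2026-03-06T17:45:00Z", "status": {"errorCode": 0}},
    # A failed sign-in (wrong password) must not teach the baseline.
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "192.0.2.99",
     "createdDateTime": "2026-03-07T10:00:00Z", "status": {"errorCode": 50126}},
]

# Constructed audit records. Only SSPR successes are of interest here.
AUDITS = [
    {"activityDisplayName": SSPR_ACTIVITY, "result": "success",
     "activityDateTime": "2026-03-09T11:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example",
                              "ipAddress": "203.0.113.10"}},
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    {"activityDisplayName": SSPR_ACTIVITY, "result": "success",
     "activityDateTime": "2026-03-09T11:42:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example",
                              "ipAddress": "192.0.2.99"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"activityDisplayName": SSPR_ACTIVITY, "result": "success",
     "activityDateTime": "2026-03-09T12:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example",
                              "ipAddress": "203.0.113.50"}},
     "targetResources": [{"userPrincipalName": "carol@contoso.example"}]},
    {"activityDisplayName": "Update user", "result": "success",   # ignored
     "activityDateTime": "2026-03-09T12:10:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                              "ipAddress": "203.0.113.1"}},
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _net(ip):
    """Coarsen an address to its /24 (IPv4) or /64 (IPv6); a pure assumption
    that lets DHCP churn inside an office or home network still match."""
    prefix = 24 if ip_address(ip).version == 4 else 64
    return ip_network(f"{ip}/{prefix}", strict=False)


def baseline_networks(signins, upn, before):
    """Networks the user signed in from successfully during LOOKBACK before `before`."""
    nets = set()
    for s in signins:
        if s["userPrincipalName"] != upn or s["status"]["errorCode"] != 0:
            continue
        when = _ts(s["createdDateTime"])
        if before - LOOKBACK <= when <= before:
            nets.add(_net(s["ipAddress"]))
    return nets


def flag_suspicious_resets(audits, signins):
    """Return one finding per successful SSPR that lacks a matching baseline."""
    findings = []
    for a in audits:
        if a.get("activityDisplayName") != SSPR_ACTIVITY or a.get("result") != "success":
            continue
        when = _ts(a["activityDateTime"])
        upn = a["targetResources"][0]["userPrincipalName"]
        ip = a["initiatedBy"]["user"]["ipAddress"]
        nets = baseline_networks(signins, upn, when)
        if not nets:
            reason = "no successful sign-in in the lookback window to baseline against"
        elif _net(ip) not in nets:
            reason = "reset originated from a network the user has not signed in from"
        else:
            continue
        findings.append({"user": upn, "ip": ip, "time": a["activityDateTime"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_resets(AUDITS, SIGNINS):
        print(f"{f['time']} {f['user']} from {f['ip']}: {f['reason']}")
```

This is a triage signal, not proof of identity: an attacker working from a proxy in the employee's region, or a new hire with no sign-in history, lands on either side of the check. It narrows which resets a helpdesk should look at; it does not tell you who was on the other end of the phone, which is the gap the rest of this post is about.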

Entra SSPR with Nametag

At a moment as critical as a password reset, you need to know that the person initiating and completing the flow is exactly who they should be. Nametag's self-service account recovery module for Entra does exactly this. 

Our identity assurance engine verifies the actual person completing Entra self-service password reset with unmatched security and an easy user experience. Patented technologies ensure the user is the rightful account owner by comparing their verified information to their Entra account details.

Afterwards, that verified identity persists across other moments and applications. A helpdesk ticket the following week, a step-up check before a privileged action, and an MFA reset six months later all check back against the same continuous verified identity. 

Comparing Entra SSPR Authentication Methods

Authenticator push notification

  • What it verifies: Access to a registered device
  • User experience: Open the Microsoft Authenticator app and select Verify or Deny.
  • Considerations: Vulnerable to social engineering: an attacker initiates SSPR, calls the employee, and tricks them into approving the prompt.

Hardware OATH token

  • What it verifies: Physical possession of a registered device
  • User experience: Enter a code displayed on a physical hardware device 
  • Considerations: Requires physical hardware, with pre-enrollment for every user; a code read out to an attacker over the phone is as good as possession of the token.

SMS passcode

  • What it verifies: Access to a registered phone number
  • User experience: Enter a code sent via text message
  • Considerations: Susceptible to SIM-swapping and fails when the employee no longer has access to the registered number; Microsoft officially recommends avoiding this factor.

Voice call

  • What it verifies: Access to a registered phone number
  • User experience: Answer a phone call and press "#" on the keypad
  • Considerations: Similar security and experience profile to SMS; Microsoft officially recommends avoiding this factor.

Email OTP

  • What it verifies: Access to a registered inbox
  • User experience: Enter a code sent to an email address
  • Considerations: Provides no proof of who is receiving and entering the code, and fails when the registered inbox is the one the employee has been locked out of.

Nametag

  • What it verifies: That the person completing SSPR is not just a real human, but the right human
  • User experience: Take a selfie
  • Considerations: Users must have an iOS or Android device to complete verification

The Real Work is Only Beginning

March 2027 is an actionable deadline. The mistake is treating it as a compliance checkbox. Your replacement for KBA needs to be evaluated on whether it actually verifies the human behind the request. Learn more about how Nametag solves this exact problem for Entra and other IAM, HR and IT systems, or contact us for a live demo today.
