Platform, Security, Workplace
10/03/2026
Great news for developers building consumer-facing mobile and desktop applications! Yesterday, on March 9th, 2026, Microsoft announced the General Availability of Email and SMS one-time passcode (OTP) as a second-factor for Native Authentication in Microsoft Entra External ID. This release gives you a powerful, straightforward way to add an essential layer of security directly into your native app’s sign-in flow, all while keeping the user experience seamless and fully branded.
What Does This Mean for Your Native Apps?
In short, you can now easily enforce multi-factor authentication (MFA) when it matters most, such as during a high-risk sign-in or before a user performs a sensitive action, without ever pushing them out of your application to a web browser. This is specifically about second-factor MFA: the extra verification step that happens after a user successfully completes their first-factor authentication (such as entering a password or an email OTP). This step-up is managed and enforced server-side through your Conditional Access policies, which takes the burden of complex security logic off your client app.
Why this is a great deal for user experience
For consumer and external-facing apps, security is non-negotiable, but neither is a smooth user experience. Forcing users to switch contexts to a browser or a different app for authentication can lead to frustration and drop-offs. With this GA release, you can:
• Keep Users In-App: The entire MFA challenge—requesting and verifying the email or SMS code—happens natively within your application’s interface.
• Maintain Your Branding: The look and feel of the authentication flow remains consistent with your app’s design.
• Apply Conditional Logic: You decide when MFA is required. Using Microsoft Entra Conditional Access, you can trigger a second-factor challenge only for specific users, in certain locations, or based on sign-in risk. This avoids adding unnecessary friction to every single login.
First Factor vs. Second Factor: A Quick Look
It’s helpful to understand the distinct stages now supported in Native Authentication:
| Authentication Stage | What’s Supported |
|---|---|
| First Factor | Email OTP; Email + Password (with Self-Service Password Reset) |
| Second Factor (NEW - GA) | Email OTP; SMS OTP |
This clear separation allows you to build a layered security model that’s both robust and flexible.
What’s Available and How to Get Started
With this feature now generally available, you can:
• Enforce MFA after first-factor authentication in native sign-in and sign-up flows.
• Choose between Email OTP or SMS OTP as the second factor.
• Rely on Conditional Access policies to control when MFA is required.
• Receive ID and access tokens only after MFA succeeds, so there is no need to build complex client-side enforcement logic.
Ready to implement this in your application? Here’s how to begin:
• Configure Conditional Access: In your Entra External ID tenant, set up the policies that define when MFA should be triggered.
• Integrate with SDKs: Use the Native Authentication SDKs or APIs to handle the second-factor challenges directly in your app code.
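To make the ordering of that flow concrete, here is an added illustration (not Microsoft's code and not the Native Authentication SDK) of the server-side sequence the post describes: the first factor completes, a constructed stand-in for a Conditional Access policy decides whether a step-up is needed, a one-time code is generated for out-of-band delivery, and tokens are released only after that code is verified. The policy inputs, code lifetime and attempt limit are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

OTP_TTL_SECONDS = 300              # a one-time code is valid for five minutes (assumed)
MAX_OTP_ATTEMPTS = 3               # lock the challenge after three wrong guesses (assumed)
ALLOWED_COUNTRIES = {"US", "GB"}   # constructed policy input, not a real tenant setting

@dataclass
class Session:
    user: str
    first_factor_done: bool = False
    mfa_required: bool = False
    mfa_done: bool = False
    otp_hash: str = ""             # only a hash of the outstanding code is kept
    otp_expires_at: float = 0.0
    attempts: int = 0

def policy_requires_mfa(sign_in_risk, country):
    # Constructed stand-in for a Conditional Access policy: step up for any
    # sign-in that is not low risk or that comes from outside the allowed list.
    return sign_in_risk != "low" or country not in ALLOWED_COUNTRIES

def complete_first_factor(session, sign_in_risk, country, now):
    # Called once the password / email-OTP step has succeeded. Returns the second-
    # factor code to deliver out of band (email or SMS), or None if no step-up is needed.
    session.first_factor_done = True
    session.mfa_required = policy_requires_mfa(sign_in_risk, country)
    if not session.mfa_required:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    session.otp_hash = hashlib.sha256(code.encode()).hexdigest()
    session.otp_expires_at, session.attempts = now + OTP_TTL_SECONDS, 0
    return code

def verify_second_factor(session, submitted, now):
    # Reject consumed, expired or exhausted challenges before comparing anything.
    if not session.otp_hash or now > session.otp_expires_at or session.attempts >= MAX_OTP_ATTEMPTS:
        return False
    session.attempts += 1
    if not hmac.compare_digest(hashlib.sha256(submitted.encode()).hexdigest(), session.otp_hash):
        return False
    session.mfa_done, session.otp_hash = True, ""   # a code is single use
    return True

def issue_tokens(session):
    # Tokens are released only once every factor the policy demanded has succeeded.
    if not session.first_factor_done or (session.mfa_required and not session.mfa_done):
        return None
    return {"id_token": f"id:{session.user}", "access_token": f"at:{session.user}"}
```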
This release makes strong authentication more accessible for native applications, helping you protect your users and your business with confidence.