MFA cloud-only solution should support an additional PIN option.
In order to compete with equivalent solutions available today, it would be great to have the ability to enforce a PIN as a prefix or suffix to a verification code, or even as per the current on-premise MFA offering. This allows systems an additional "what you know" option, where primary authentication is weak or only deals with identification and not authentication.
Agreed. Cloud MFA needs the ability to enable PINs, especially for the authenticator app selection.
I'd recommend implementing this so as to challenge the user for the PIN or biometric used for the smartphone. Have the phone tell the app if the challenge was correctly answered or not. Do that for passcodes and push notifications. Also, tell the user what is prompting for the MFA challenge. If disapproving, give the option to flag as fraudulent or accidental.
Sung Woo Park commented
We really need this feature and functionality to meet customers' various requirements in the field.
Currently the on-premises Azure MFA (on ADFS) pinmode does exactly what we need.
It would be great if this functionality became available in Azure AD cloud-only.
Matt Sauer commented
We also would like OTA plus PIN for the Azure MFA cloud only. We love the approve/deny option in the authenticator application, but we cannot use it, as a user is allowed to acknowledge this underneath the lock screen without unlocking their phone. If we could have a PIN plus approval then this would be acceptable.