The best part is no part.
Elon Musk
2025.11.04 Update: I’ve heard from a client that Microsoft sometimes tracks PSI with #microsoft.graph.microsoftAuthenticatorAuthenticationMethod.
This may require removing all Authenticator auth methods to remove PSI. Stay tuned for how we address this…
Authenticator Passwordless Phone Sign-In lets anyone who knows a user’s UPN flood that user with sign-in prompts (MFA fatigue) or phish them with a well-crafted email.
Phishing is still the most common attack vector, and phishing-resistant authentication is the best defense. You’ve blocked device code authentication. Now it’s time to look at Authenticator Passwordless Phone Sign-In.
This method isn’t phishing-resistant, and it lets attackers who know (or guess) users’ UPNs trigger MFA fatigue attacks. Because Phone Sign-In replaces the password, no credential is needed to trigger the prompt: entering the UPN alone is enough. Once a user has registered it, the only reliable way to remove it is programmatically through Microsoft Graph. Your users should use passkeys and Windows Hello for Business instead.
This 47-second video shows how this auth method makes it even easier for attackers to compromise a user’s email account. “Passwordless” does not necessarily mean “phishing-resistant”. Phishing-resistant auth takes the human out of the loop in deciding whether an auth prompt is valid. The Passwordless Authenticator auth method still requires the user to make a judgment call on the validity of the auth prompt.
Here’s a quick PowerShell script to remove it from a user who still has it registered. It works on one user at a time: put the user’s object ID in $uid.
# removePSIsimple.ps1: remove the Passwordless Phone Sign-In authentication method from one user

# Connect to Microsoft Graph with the one scope the delete call needs
$scopes = "UserAuthenticationMethod.ReadWrite.All"
try {
    Connect-MgGraph -Scopes $scopes -NoWelcome -ErrorAction Stop
} catch {
    throw "Connect-MgGraph failed: $($_.Exception.Message)"
}

# Confirm we actually have a signed-in context and that the scope was consented
$ctx = Get-MgContext
if (-not $ctx -or -not $ctx.Account) { throw "No connected account context." }
if ($missing = $scopes | Where-Object { $ctx.Scopes -notcontains $_ }) {
    throw "Graph connected, but missing scopes: $($missing -join ', ')"
}
Write-Host "Graph connection successful"

# Object ID of the user from whom we are removing the Passwordless Phone Sign-In method
$uid = "00000000-0000-0000-0000-000000000000" # <-- enter your userid here

# List every registered authentication method. Invoke-MgGraphRequest returns a hashtable,
# so the collection sits under .value and each entry is keyed by property name.
$responseGet = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$uid/authentication/methods" -ErrorAction Stop

$found = $false
foreach ($method in $responseGet.value) {
    $odataType = $method.'@odata.type'
    if ($odataType -eq '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod') {
        $found = $true
        $methodId = $method.id
        Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/v1.0/users/$uid/authentication/passwordlessMicrosoftAuthenticatorMethods/$methodId" -ErrorAction Stop
        Write-Host "Deleted Passwordless Phone Sign-In method $methodId from user $uid"
    }
}
if (-not $found) { Write-Host "No Passwordless Phone Sign-In method registered for user $uid" }
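The script above handles a single user. The following is an added example, not code from the original post: a tenant-wide variant that reports every user who still has Passwordless Phone Sign-In registered and removes it only when run with -Remove, so the default run is a dry inventory. Because the 2025.11.04 note above says Microsoft sometimes tracks PSI under the plain #microsoft.graph.microsoftAuthenticatorAuthenticationMethod type, the report also lists those Authenticator registrations per user, but it never deletes them. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Users modules are installed and that the account can consent to User.Read.All (needed to enumerate users) in addition to UserAuthenticationMethod.ReadWrite.All; the script name is hypothetical.

```powershell
# inventoryPSI.ps1 (added example): report, and optionally remove, Passwordless Phone Sign-In
# for every user in the tenant. Without -Remove nothing is deleted.
[CmdletBinding()]
param(
    [switch]$Remove   # omit for a report-only run
)

# User.Read.All is needed to list users; UserAuthenticationMethod.ReadWrite.All to read/delete methods
$scopes = @('User.Read.All', 'UserAuthenticationMethod.ReadWrite.All')
Connect-MgGraph -Scopes $scopes -NoWelcome -ErrorAction Stop
$ctx = Get-MgContext
if (-not $ctx -or -not $ctx.Account) { throw 'No connected account context.' }
if ($missing = $scopes | Where-Object { $ctx.Scopes -notcontains $_ }) {
    throw "Graph connected, but missing scopes: $($missing -join ', ')"
}

$psiType  = '#microsoft.graph.passwordlessMicrosoftAuthenticatorAuthenticationMethod'
$authType = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'
$base     = 'https://graph.microsoft.com/v1.0'

$report = foreach ($user in Get-MgUser -All -Property Id,UserPrincipalName) {
    # One GET per user. Invoke-MgGraphRequest returns a hashtable: the collection is
    # under .value and each method is keyed by property name.
    try {
        $methods = (Invoke-MgGraphRequest -Method GET -Uri "$base/users/$($user.Id)/authentication/methods" -ErrorAction Stop).value
    } catch {
        Write-Warning "$($user.UserPrincipalName): $($_.Exception.Message)"
        continue
    }

    $psi  = @($methods | Where-Object { $_.'@odata.type' -eq $psiType })
    $auth = @($methods | Where-Object { $_.'@odata.type' -eq $authType })
    if ($psi.Count -eq 0 -and $auth.Count -eq 0) { continue }   # nothing of interest for this user

    $deleted = 0
    if ($Remove) {
        foreach ($m in $psi) {
            # Same DELETE endpoint as the single-user script; only the PSI type is ever removed here
            Invoke-MgGraphRequest -Method DELETE -Uri "$base/users/$($user.Id)/authentication/passwordlessMicrosoftAuthenticatorMethods/$($m.id)" -ErrorAction Stop
            $deleted++
        }
    }

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        PsiMethods        = $psi.Count
        PsiDeleted        = $deleted
        # displayName on microsoftAuthenticatorAuthenticationMethod is the registered device name
        AuthenticatorApps = (($auth | ForEach-Object { $_.displayName }) -join '; ')
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Usage:
#   .\inventoryPSI.ps1            # inventory only
#   .\inventoryPSI.ps1 -Remove    # delete every PSI registration found
```

Run it without -Remove first and keep the output: the AuthenticatorApps column is the list of users you will need to revisit if, as the update note warns, removing the PSI object alone turns out not to be enough for a given tenant.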