The Microsoft Authenticator app is the only method listed that supports both number matching and the display of geographical location during a sign-in attempt. These features are part of the "additional context" available for push notifications, designed to enhance security. Number matching requires the user to type a number displayed on the sign-in screen into the app, preventing accidental approvals from MFA fatigue attacks. The geographical location, derived from the sign-in IP address, helps the user identify potentially fraudulent sign-in attempts from unexpected locations.

A. SMS sends a one-time passcode via text message and lacks the functionality for number matching or displaying geographical location.

B. A Temporary Access Pass is a time-limited passcode used for onboarding or account recovery, not a primary MFA method with these features.

D. A FIDO2 security key is a hardware-based, passwordless method that does not use an app interface to display number matching or location.

1. Microsoft Entra ID Documentation. (2023). How to use additional context in Microsoft Authenticator notifications. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-additional-context. The section "Location" states

"The user’s location based on the IP address of the signing in device is displayed

" and the section "Number matching" describes the feature.

2. Microsoft Entra ID Documentation. (2023). Authentication methods in Azure Active Directory - Microsoft Authenticator app. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods#microsoft-authenticator-app. This document outlines the capabilities of the Authenticator app

including "Push notification with number matching" as a primary authentication method.