Native authentication challenge types
Applies to: Workforce tenants, External tenants
Native authentication supports two authentication methods:
- Email with one-time passcode (OTP).
- Email and password with support for self-service password reset (SSPR).
A customer app that uses native authentication to sign in users can use either of the authentication methods. To make successful calls to Microsoft Entra, the app needs to indicate the authentication methods it supports. Microsoft Entra enables the customer app to advertise the authentication methods it supports by using challenge types.
Challenge types are predefined values, which the customer app includes in its request to notify Microsoft Entra about the authentication method the app supports.
Challenge types
The following table contains the supported challenge type values:
| Challenge type | Description |
|---|---|
| password | This challenge type indicates that the app supports the collection of a password credential from the user. |
| oob | This challenge type indicates that the app supports one-time passcode (OTP) codes sent to the user over a secondary (out-of-band) channel. Currently, the API supports only email OTP. |
| redirect | This challenge type indicates that the app supports a fallback to browser-delegated authentication, also known as web fallback. All native authentication compliant apps must support this authentication method, which means that every call the app makes to Microsoft Entra must include this challenge type. If the client app fails to include it, the request fails. |
New values will be added in the future as native authentication supports new authentication methods.
Challenge types usage
The following table summarizes the challenge type values an app should use for the various authentication flows:
| Authentication method | Sign-up flow | Sign-in flow | SSPR |
|---|---|---|---|
| Email with password | oob, password, and redirect | oob, password, and redirect | oob and redirect |
| Email OTP | oob and redirect | oob and redirect | Not applicable |
- Apps that call the native authentication API directly must include the redirect challenge type in the list of challenge types they indicate support for.
- Apps that use the Android and iOS SDKs don't need to include the redirect challenge type, because the SDK adds it automatically.
The following table summarizes what happens if either Microsoft Entra or the client app doesn't support a given challenge type:
| Scenario | What happens |
|---|---|
| A client app includes an unsupported challenge type | Microsoft Entra treats the request as invalid and returns an error. |
| A client app fails to include a supported challenge type | This indicates that the client app doesn't support a challenge type that the administrator configured in the Microsoft Entra admin center. In this case, Microsoft Entra notifies the client app to use web fallback. |
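The following helper, added here as an example rather than code from Microsoft, turns the usage table and the two failure scenarios above into a client-side pre-flight check. It assumes the native authentication API accepts the values as one space-separated `challenge_type` form field and answers with `"challenge_type": "redirect"` when the app must switch to web fallback; neither detail is shown on this page.

```python
"""Client-side handling of native authentication challenge types.

Added example, not Microsoft's code. Assumed (not stated on this page):
the API takes the values as one space-separated `challenge_type` form
field, and signals web fallback with a `"challenge_type": "redirect"`
response body.
"""

# Challenge type values from the "Challenge types" table.
SUPPORTED_CHALLENGE_TYPES = frozenset({"password", "oob", "redirect"})

# Rows of the "Challenge types usage" table:
# (authentication method, flow) -> values a raw API client must send.
_USAGE = {
    ("email_password", "signup"): {"oob", "password", "redirect"},
    ("email_password", "signin"): {"oob", "password", "redirect"},
    ("email_password", "sspr"): {"oob", "redirect"},
    ("email_otp", "signup"): {"oob", "redirect"},
    ("email_otp", "signin"): {"oob", "redirect"},
}


def challenge_types_for(method: str, flow: str) -> set[str]:
    """Return the challenge types to advertise for a method/flow pair."""
    try:
        return set(_USAGE[(method, flow)])
    except KeyError:
        # e.g. SSPR is "Not applicable" for email OTP
        raise ValueError(f"{flow} is not applicable to {method}") from None


def validate_challenge_types(types: set[str]) -> None:
    """Reject, before any network call, what Entra would reject."""
    unknown = types - SUPPORTED_CHALLENGE_TYPES
    if unknown:  # Entra treats the request as invalid and returns an error
        raise ValueError(f"unsupported challenge type(s): {sorted(unknown)}")
    if "redirect" not in types:  # every direct API call must carry redirect
        raise ValueError("redirect challenge type is mandatory")


def challenge_type_param(method: str, flow: str) -> str:
    """Build the validated, space-separated challenge_type field value."""
    types = challenge_types_for(method, flow)
    validate_challenge_types(types)
    return " ".join(sorted(types))


def needs_web_fallback(response: dict) -> bool:
    """True when Entra tells the app to use browser-delegated auth, e.g.
    because the tenant requires a method the app did not advertise."""
    return response.get("challenge_type") == "redirect"
```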