Anyone getting access to your phone could potentially get your primary and secondary authentication details.
You might have spotted a problem here if you are using the app on the same phone number as one of those other verification methods. However, if the user enables two-step verification on the account, which is still possible and still recommended, then 'they will need to provide codes sent to two different verification options.'
'If a user loses access to the Microsoft Authenticator app for whatever reason,' a Microsoft spokesperson told me, 'they can still recover their account if they have access to their other verification options, such as an email or phone number.' As standard, this would simply be one code, and you are back in.
