The days when you could rely on a simple password to protect the security of your data are long gone. Cyber threats are becoming more complex and you need to make sure that your business, your data and your workers are protected, not only with the best security you can source, but also the most appropriate.
You may well have heard of multi-factor authentication, or MFA. For those who are unfamiliar with matters digital, it might sound like just the thing to protect your systems, but there are many different MFA methods, and not all of them are made equal, with advantages and disadvantages to consider.
Let’s take a look at what exactly MFA is
Multi-factor authentication (MFA) is a system whereby you’re asked to prove your identity in more than one way before you can access a system. Two-factor authentication (2FA), which you may also have heard of, is simply the common case of MFA that uses exactly two factors. MFA combines two or more of the following, and the factors should be of different kinds (a password plus a PIN is still only “something you know”):
- Something you know (e.g. password or PIN)
- Something you have (e.g. phone, hardware token)
- Something you are (e.g. fingerprint, facial recognition)
This approach, with its layers of authentication, is one of the best ways to bolster the security of your systems and makes it much more difficult for attackers to get in. Even if a password is stolen or guessed (still depressingly easy to do), the attacker also needs the second factor. How much that helps depends on the factor itself: a code the user can be tricked into typing on a fake website is worth far less than a key that checks which site it is talking to before it answers, as the comparison below shows.
In its Digital Defence Report 2025, Microsoft says that for individuals, using multi-factor authentication (MFA) – especially phishing-resistant MFA – can block over 99% of identity-based attacks.
What are the most common MFA methods?
It’s likely that you will have heard of some (if not all) of these, although the more complex ones are usually only familiar to those who specialise in cyber security.
SMS One-Time Passcodes (OTP)
This is a code that’s sent by text message to your phone. It’s simple to operate and needs nothing installed on the user’s phone. However, it is vulnerable to SS7 attacks, which exploit weaknesses in the signalling protocol that connects mobile networks, allowing attackers to intercept calls and texts, track real-time location and reroute SMS codes to themselves.
It is also vulnerable to SIM swapping (persuading the carrier to move the victim’s number to the attacker’s SIM) and to phishing, since the code is just a string the user can be tricked into typing on a fake site. Standards bodies have downgraded it for exactly these reasons: NIST SP 800-63B, for example, classes SMS and voice-call codes as a “restricted” authenticator that organisations should plan to move away from.
Email OTP
This is a system that sends a login code to the user’s email. It’s easy to set up and works across devices, but if the email account is compromised, every linked service is exposed. It is also a weak second factor in practice: the mailbox is often protected by the same password, or by a password reset that lands in the same mailbox, and the code can be phished in exactly the same way as an SMS code.
Authenticator Apps (TOTP)
These apps, such as Google Authenticator, generate time-based one-time passwords (TOTP, RFC 6238) from a secret shared with the service at enrolment; the user types the current code into the site that asked for it. Because the code is computed on the phone rather than sent over a network, there is nothing to intercept and no connectivity is needed. The drawbacks: if the user loses the phone without a backup of the enrolment secrets they are locked out, and the codes are still susceptible to phishing. A fake website can collect the code and relay it to the real service within the 30-second validity window, and nothing in the code ties it to the site the user actually typed it into.
Push Notifications
These work by sending the user a notification via an app, which the user then approves. This is user-friendly and faster than typing a code, but it can be bypassed through phishing or through what is known as “push fatigue” (also called MFA bombing).
Push fatigue is an attack in which the attacker, already holding the victim’s password, triggers login after login so the victim’s phone is flooded with MFA prompts until, out of frustration or confusion, they approve one and grant access to a login they never initiated. Number matching, where the app asks the user to type a number shown on the login screen, largely defeats this because an approval can no longer be given blindly; limiting how many prompts can be sent in a short period helps as well.
Hardware Tokens (e.g. security keys)
These are physical keys, either USB or NFC (Near Field Communication), that the user inserts into or taps against their device. They are the clearest example of the “something you have” factor mentioned earlier. Modern keys that implement FIDO2/WebAuthn are highly resistant to phishing and to malware on the login machine, because the key itself checks which site it is answering; older tokens that only display a one-time code do not have this property and can be phished like any other code. Keys have to be purchased, staff need to be trained to use them, and they can be lost or stolen, so a recovery process is essential.
Biometrics (fingerprint, facial recognition)
This is a system that verifies identity from the physical characteristics of the user. It is convenient and, unlike a hardware token, hard to share. However, privacy concerns have been raised, the risk of false rejections is always present and some biometric systems can be spoofed. Note also that on phones and laptops the biometric normally unlocks a key stored on the device rather than being sent to the service, so its real strength is that of the device and the key it protects.
Biometric spoofing attacks, also known as presentation attacks, trick biometric systems by presenting fake samples such as photos, 3D masks, silicone fingerprints or synthesised voices to impersonate legitimate users and bypass facial recognition or fingerprint scanners. Although this sounds like something out of Mission: Impossible, recent attempts by social media companies to impose age restrictions on certain content have been circumvented using realistic video game graphics, so it is by no means as unlikely as it might first sound.
Passkeys / FIDO2
This is passwordless login using a cryptographic key pair generated on the user’s device. FIDO2 stands for Fast IDentity Online 2; browsers expose it through the WebAuthn API, and “passkey” is the consumer-facing name for a FIDO2 credential.
It’s highly secure and resistant to phishing, and platform support is growing, although adoption is still underway and successful use depends on reasonably modern browsers, operating systems and identity providers.
FIDO2 credentials work differently from every other method above. The private key never leaves the authenticator (a hardware key, or the phone or laptop itself; synced passkeys travel only inside the platform’s end-to-end encrypted sync), a separate key pair is created for each service so no reusable secret is ever sent, and the browser binds each login to the real origin of the site requesting it. A credential registered at the genuine site is therefore simply not available to a look-alike domain, and a captured login response cannot be replayed because it is tied to a one-time challenge.
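The following added example (not from the article, and not any vendor’s implementation) walks through a simplified WebAuthn assertion to show where that origin binding happens. The browser, not the page, writes the current origin into the signed client data and derives the relying-party ID from it; the authenticator only holds credentials scoped to the relying-party ID it registered with; and the relying party checks challenge, origin and RP ID hash before it trusts the signature. One simplification is labelled in the code: the authenticator’s per-credential key pair is stood in for by an HMAC key that the relying party also holds, so it runs on the standard library. Real FIDO2 uses an asymmetric pair and the relying party stores only the public key; the binding checks are the same. The domain names are made up.

```python
"""Simplified WebAuthn/FIDO2 assertion ceremony showing origin binding.
Added example. SIMPLIFICATION: HMAC stands in for the authenticator's
asymmetric key pair (real FIDO2: private key on the authenticator, public key
at the relying party). Everything else follows the WebAuthn verification steps."""
import hashlib
import hmac
import json
import os
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Authenticator:
    """Holds one credential per relying party, keyed by the RP ID hash."""
    credentials: dict = field(default_factory=dict)  # rp_id_hash -> (cred_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self.credentials[sha256(rp_id.encode())] = (cred_id, key)
        return cred_id, key  # `key` is what the RP stores (a public key in real FIDO2)

    def get_assertion(self, rp_id_hash: bytes, client_data_hash: bytes):
        """Sign rpIdHash || flags || counter || clientDataHash, or return None if
        no credential is scoped to this RP ID. That refusal is the first phishing
        defence: a credential for the real site is invisible to a request made
        under another domain."""
        if rp_id_hash not in self.credentials:
            return None
        cred_id, key = self.credentials[rp_id_hash]
        auth_data = rp_id_hash + b"\x05" + (1).to_bytes(4, "big")  # UP|UV flags, counter=1
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(authenticator: Authenticator, origin: str, challenge: bytes):
    """Browser side: the origin it is really on goes into clientDataJSON and the
    RP ID is derived from it. Page script cannot override either value."""
    rp_id = urlparse(origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, separators=(",", ":")).encode()
    result = authenticator.get_assertion(sha256(rp_id.encode()), sha256(client_data))
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion, expected_origin: str, expected_rp_id: str,
              issued_challenge: bytes, stored_key: bytes) -> bool:
    """Relying-party checks, in the order WebAuthn lists them."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != issued_challenge.hex():
        return False  # replay of an old assertion
    if cd.get("origin") != expected_origin:
        return False  # signed from a different site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(expected_rp_id.encode()):
        return False  # credential scoped to another RP
    expected = hmac.new(stored_key, auth_data + sha256(assertion["clientDataJSON"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo(real_origin="https://login.example.com", phish_origin="https://login.examp1e.com"):
    """Returns (genuine_ok, phish_ok, replay_ok, tampered_ok). Hostnames are made up."""
    rp_id = urlparse(real_origin).hostname
    authr = Authenticator()
    _, key = authr.make_credential(rp_id)      # registration on the real site
    challenge = secrets.token_bytes(32)       # fresh challenge issued by the RP

    genuine = browser_get(authr, real_origin, challenge)
    genuine_ok = rp_verify(genuine, real_origin, rp_id, challenge, key)

    # Real-time phishing: the attacker relays the RP's challenge to a look-alike
    # page. The victim's browser reports the look-alike origin and RP ID, so the
    # authenticator has nothing to sign with and the ceremony fails.
    phished = browser_get(authr, phish_origin, challenge)
    phish_ok = rp_verify(phished, real_origin, rp_id, challenge, key)

    # A leaked genuine assertion cannot be replayed: the challenge inside the
    # signed clientDataJSON will not match the next one the RP issues.
    replay_ok = rp_verify(genuine, real_origin, rp_id, secrets.token_bytes(32), key)

    # Nor can the attacker edit the origin in clientDataJSON after the fact: the
    # origin check fails, and the signature covers the hash of that JSON anyway.
    tampered = dict(genuine)
    tampered["clientDataJSON"] = genuine["clientDataJSON"].replace(
        real_origin.encode(), phish_origin.encode())
    tampered_ok = rp_verify(tampered, real_origin, rp_id, challenge, key)
    return genuine_ok, phish_ok, replay_ok, tampered_ok


if __name__ == "__main__":
    print("genuine, phished, replayed, tampered:", demo())
```

Compare this with the TOTP case: there the server receives six digits and has no way to know which page the user typed them into; here the server receives a signature over the origin the browser actually saw, and the authenticator never even produces one for a domain it was not registered with.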
As can be seen from this summary, not all MFA methods are as effective as might first be thought, and some are significantly weaker than others. Ultimately, if you want the strongest protection currently available for your systems, FIDO2 security keys and passkeys are the way to go, because they are the only methods on this list that resist phishing rather than merely making it harder.
So what should your action plan be?
You can’t start a journey unless you know where you are, so the first thing to do is carry out an audit of your current MFA methods. Once you’ve done that, it’s time to switch your weak MFA to stronger options. Immediately, replace SMS/email OTP with authenticator apps (time-based one-time password).
In the medium term, you will need to consider adding hardware keys or FIDO2 support, especially for admin or high-privilege accounts.
Rather than rush into implementing hardware keys and FIDO2 business-wide, pilot them first so that you can identify areas that need addressing, based on what the pilot group reports. Choose a small group of users who you can be sure will buy into the process and who can act as advocates when it’s rolled out across the business; provide them with security keys (e.g. YubiKey or Google Titan), register the keys with your identity provider and start the training.
As the lost-phone and lost-key risks above show, robust recovery procedures are what keep your new measures protecting the business against both outside attack and human error within. Define the recovery steps for lost devices (e.g. a second registered key kept somewhere safe, or one-time recovery codes stored offline), and make sure the recovery path is not weaker than the MFA it replaces: an account protected by a security key but recoverable via an SMS code is, in practice, protected by SMS.
Staff who know what’s going on and why will be far more likely to buy into your new processes and ensure compliance. Therefore, run awareness programmes to enable them to spot phishing and, in conjunction with this, explain the need for stronger MFA.
Once you’ve got your new MFA system in place, you will need to monitor and enforce it. Use your identity provider’s sign-in logs to review MFA failures and suspicious patterns such as bursts of push prompts or repeated wrong codes for one account. MFA methods can be enforced through your Identity and Access Management (IAM) tooling (e.g. Microsoft Entra ID, formerly Azure AD; Okta; Google Workspace), including policies that allow only phishing-resistant methods for chosen groups.
It’s now time to plan your phased roll-out. The best starting point is the accounts whose compromise would hurt most: administrators and other high-privilege accounts, followed by executive, finance and customer service teams, the business-critical areas of your organisation. You can then, using lessons learned from that stage, expand to all staff over the following weeks or months.
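To show what “review MFA failures or suspicious behaviour” looks like in practice, here is an added example (not code from the article) that scans MFA events for the two patterns described on this page: push fatigue (a burst of push prompts to one user, worse if one is finally approved) and repeated wrong one-time codes (someone guessing or replaying). The log lines are constructed for illustration and the field names (`ts`, `user`, `event`, `ip`) are assumptions; map them onto your identity provider’s export before use.

```python
"""Detecting push fatigue and OTP guessing in MFA logs. Added example; the JSON
lines and field names below are constructed, not any vendor's log format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines, deliberately not in time order).
SAMPLE_LOG = """\
{"ts":"2025-03-04T08:00:05Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:00:40Z","user":"alice","event":"mfa.push.denied","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:01:10Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:01:35Z","user":"alice","event":"mfa.push.denied","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:02:12Z","user":"bob","event":"mfa.push.sent","ip":"198.51.100.20"}
{"ts":"2025-03-04T08:02:20Z","user":"bob","event":"mfa.push.approved","ip":"198.51.100.20"}
{"ts":"2025-03-04T08:02:00Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:02:20Z","user":"alice","event":"mfa.push.denied","ip":"203.0.113.7"}
{"ts":"2025-03-04T08:02:50Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:03:05Z","user":"alice","event":"mfa.push.denied","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:03:30Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:03:50Z","user":"alice","event":"mfa.push.denied","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:04:15Z","user":"alice","event":"mfa.push.sent","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:04:30Z","user":"alice","event":"mfa.push.approved","ip":"203.0.113.9"}
{"ts":"2025-03-04T08:05:00Z","user":"dave","event":"mfa.push.sent","ip":"198.51.100.44"}
{"ts":"2025-03-04T08:06:00Z","user":"dave","event":"mfa.push.sent","ip":"198.51.100.44"}
{"ts":"2025-03-04T08:07:00Z","user":"dave","event":"mfa.push.sent","ip":"198.51.100.44"}
{"ts":"2025-03-04T08:07:10Z","user":"dave","event":"mfa.push.approved","ip":"198.51.100.44"}
{"ts":"2025-03-04T08:10:00Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:10:20Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:10:45Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:11:10Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:11:40Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:12:05Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
{"ts":"2025-03-04T08:12:30Z","user":"carol","event":"mfa.otp.failed","ip":"192.0.2.55"}
"""

PUSH_WINDOW, PUSH_THRESHOLD = timedelta(minutes=10), 5   # prompts per user per window
OTP_WINDOW, OTP_FAIL_THRESHOLD = timedelta(minutes=15), 5  # wrong codes per user per window


def parse(log_text: str) -> list:
    """Parse JSON lines into records with datetime timestamps, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def burst(times: list, window: timedelta, threshold: int) -> bool:
    """True if some sliding window of length `window` contains >= threshold events.
    `times` must be sorted."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events: list) -> list:
    """Run both rules per user and return a list of findings."""
    by_user = defaultdict(list)
    for rec in events:
        by_user[rec["user"]].append(rec)
    findings = []
    for user, recs in by_user.items():
        times = lambda name: [r["ts"] for r in recs if r["event"] == name]  # noqa: E731
        sent, denied, approved = times("mfa.push.sent"), times("mfa.push.denied"), times("mfa.push.approved")
        if burst(sent, PUSH_WINDOW, PUSH_THRESHOLD):
            findings.append({"rule": "push_fatigue", "user": user, "prompts": len(sent),
                             "denied": len(denied),
                             # An approval at the end of a bombing run is the case to act on first.
                             "severity": "high" if approved else "medium",
                             "source_ips": sorted({r["ip"] for r in recs if r["event"] == "mfa.push.sent"})})
        failed = times("mfa.otp.failed")
        if burst(failed, OTP_WINDOW, OTP_FAIL_THRESHOLD):
            findings.append({"rule": "otp_guessing", "user": user, "failures": len(failed),
                             "severity": "medium"})
    return findings


def scan(log_text: str) -> list:
    return detect(parse(log_text))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

In the sample, alice receives six prompts in under five minutes, denies five and then approves one, which is the textbook push-fatigue outcome and should trigger a password reset and session revocation, not just a ticket; dave’s three prompts stay under the threshold; carol’s seven wrong codes in three minutes point at guessing or a stale relayed code. Tune the thresholds to your own baseline before alerting on them.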
The best methods are no good if staff don’t know how to use them properly or they create so much friction that staff try to bypass them or create shortcuts. A programme of education, training, awareness, refresher courses and designing systems that can anticipate and deal with human error (e.g. a backup process for lost devices or tokens) can make your cyber security provision a lot more robust.
Of course, the roll-out isn’t the end of the process. You’ll need to review regularly, reassessing MFA strength every year (or more often) and definitely after major incidents. You will also need to remove any legacy methods and it’s imperative that you keep up with vendor enhancements, such as patches and updates.
In summary
Let’s take a look at the main features of each method, so we can compare them against each other:
| Method | How strong is the security? | When you should use it |
|---|---|---|
| SMS/email OTP | Weak – interceptable (SIM swap, SS7, mailbox takeover) and phishable | Low-risk, non-sensitive access, and only where nothing stronger is available |
| Authenticator apps (TOTP) | Medium – resists interception but not real-time phishing | General staff, day-to-day access |
| Push notifications | Medium – vulnerable to push fatigue unless number matching is enabled | Convenience for general staff, with number matching and prompt limits |
| Hardware security keys (FIDO2) | Very high – phishing resistant | High-privilege and compliance-critical systems |
| FIDO2 / passkeys | Very high – phishing resistant, passwordless | Passwordless login wherever the platform supports it |