Multi-Factor Authentication (MFA): Beyond Passwords
Passwords alone are no longer enough. With credential stuffing, phishing and brute-force attacks compromising millions of accounts every year, multi-factor authentication has become a baseline security requirement. This guide explains the different authentication factors, compares MFA methods from SMS codes to hardware security keys, and outlines a practical rollout strategy for your organisation.
What Is Multi-Factor Authentication?
Multi-factor authentication (MFA) requires a user to present two or more independent forms of evidence — called authentication factors — before access is granted. The principle is straightforward: even if an attacker steals one factor (such as a password), they cannot authenticate without the other factor (such as a code from a physical device they do not possess).
The three universally recognised categories of authentication factors are:
- Something you know — a password, PIN, or security question answer.
- Something you have — a smartphone, hardware token, smart card, or security key.
- Something you are — a biometric such as a fingerprint, face scan, or iris pattern.
True MFA combines factors from at least two different categories. Using two passwords is not MFA — that is simply two instances of the same factor. A password (something you know) plus a code from an authenticator app on your phone (something you have) is genuine two-factor authentication.
MFA Methods Compared
SMS One-Time Passwords
SMS-based MFA sends a one-time code to the user's registered mobile number via text message. It is the most widely deployed MFA method because virtually everyone has a mobile phone and no additional app or hardware is required. However, SMS is also the weakest form of MFA. Attackers can intercept SMS codes through SIM-swapping attacks (convincing or bribing a mobile carrier to transfer the victim's number to a new SIM), SS7 protocol vulnerabilities, or malware on the device. Despite these weaknesses, SMS MFA is still vastly better than no MFA at all.
Authenticator Apps (TOTP)
Authenticator apps such as Microsoft Authenticator, Google Authenticator, and Authy generate time-based one-time passwords (TOTP) as defined in RFC 6238. A shared secret is established during setup (typically by scanning a QR code), and the app generates a new six-digit code every 30 seconds by computing an HMAC of the shared secret over the current 30-second time step and truncating the result. Because the code is generated locally on the device, there is no SMS message to intercept. TOTP is significantly more resistant to interception than SMS and is the recommended minimum for most organisations, although, as noted below, a real-time phishing proxy can still relay a TOTP code while it is valid.
Push Notifications
Push-based MFA sends a notification to the user's registered device (typically via a mobile app) asking them to approve or deny the login attempt. This is more convenient than typing a code — the user simply taps "Approve". Microsoft Authenticator, Duo Security, and Okta Verify all support push notifications. Some implementations display a number on the login screen that the user must match in the app, adding protection against MFA fatigue attacks (discussed below).
Hardware Security Keys (FIDO2 / WebAuthn)
Hardware security keys — such as the YubiKey, Google Titan Key, and Feitian keys — represent the gold standard of MFA. They implement the FIDO2/WebAuthn standard, which uses public-key cryptography and is inherently phishing-resistant. Each credential is bound to the domain that registered it, and the browser includes the true origin of the login request in the data the key signs, so the service can verify where the request came from. If an attacker creates a fake login page on a different domain, the credential simply will not be used for it — the user cannot be tricked into handing over a valid credential.
FIDO2 keys connect via USB-A, USB-C, NFC, or Lightning. They require no battery, no network connection, and no software installation on most modern operating systems and browsers. The private key never leaves the device, so it cannot be stolen remotely.
MFA Method Comparison
| Feature | SMS OTP | Authenticator App (TOTP) | Push Notification | Hardware Key (FIDO2) |
|---|---|---|---|---|
| Security Level | Low–Moderate | Moderate–High | Moderate–High | Very High |
| Phishing Resistance | Low | Low–Moderate | Moderate | Very High |
| User Convenience | Moderate | Moderate | High | High |
| Requires Mobile Phone | Yes | Yes (or desktop app) | Yes | No |
| Requires Internet on Device | Cellular signal | No | Yes | No |
| Cost per User | Free (carrier SMS) | Free (app) | Free (app) | $30–$70 per key |
| Resistant to SIM Swap | No | Yes | Yes | Yes |
| Resistant to MFA Fatigue | N/A | Yes | Moderate (with number match) | Yes |
| Offline Capable | No | Yes | No | Yes |
Risk-Based and Adaptive MFA
Traditional MFA prompts the user for a second factor on every login, which can create friction and slow down workflows. Adaptive MFA (also called risk-based MFA) uses contextual signals to decide when to prompt for a second factor and which factor to require. Signals typically include:
- Location: is the user logging in from a recognised office IP or a new country?
- Device: is this a managed corporate device or an unknown personal laptop?
- Behaviour: does the login time and pattern match the user's normal habits?
- Risk score: has the user's password appeared in a known data breach?
A user logging in from their usual office laptop during business hours might not be prompted at all, while the same user logging in from an unrecognised device in a different country at 3 AM would be required to use a hardware key. Platforms like Azure AD Conditional Access, Okta Adaptive MFA, and Duo Risk-Based Authentication implement this approach.
Where to Enable MFA First
If you are just starting your MFA journey, prioritise these accounts and services in order:
- Admin and privileged accounts: domain admins, cloud administrators, firewall managers. These accounts have the broadest access and cause the most damage if compromised.
- Email accounts: email is the gateway to password resets for every other service. Compromise an email account and you can often compromise everything else.
- VPN and remote access: any service that provides direct access to the internal network from the internet must require MFA.
- Cloud applications: Microsoft 365, Google Workspace, Salesforce, and other SaaS platforms that contain sensitive data.
- All remaining users: once the above are secured, roll MFA out to every user account in the organisation.
MFA fatigue attacks are a growing threat. Attackers who already have a user's stolen password repeatedly trigger push notifications, hoping the frustrated user eventually taps "Approve" to stop the bombardment. Mitigate this by enabling number-matching (the user must type the number displayed on the login screen into the app) and setting rate limits on MFA prompts. Educate users to always deny unexpected MFA prompts and report them to IT immediately.
The Passwordless Future
The industry is moving toward a passwordless model where the password is eliminated entirely. Technologies like passkeys (built on FIDO2/WebAuthn) allow users to authenticate with just a biometric (fingerprint or face) on their device, which unlocks a cryptographic key stored in the device's secure enclave. There is no password to steal, phish, or forget.
Apple, Google and Microsoft have all committed to passkey support across their platforms. Windows Hello for Business, Apple's iCloud Keychain passkeys, and Google's credential manager are already enabling passwordless authentication at scale. For organisations, this means planning a migration path: start by deploying strong MFA today (TOTP or FIDO2 keys), then transition to passkeys as platform support matures and your identity provider adopts the standard.
The best password is the one that does not exist. Passkeys and FIDO2 security keys eliminate the single greatest vulnerability in authentication — the shared secret.
SMS MFA is still worth enabling. While SMS is the weakest form of MFA due to SIM-swapping and SS7 vulnerabilities, it is still dramatically more secure than no MFA at all. Microsoft research shows that MFA blocks over 99.9% of automated credential-stuffing attacks, regardless of the method used. If SMS is the only option available, enable it. Then plan a migration to authenticator apps or hardware keys.
Because a hardware key can be lost or damaged, it is standard practice to register two keys per user — a primary and a backup. The backup key should be stored in a secure location (such as a locked drawer or safe). If both keys are lost, the user must go through an identity verification process with IT to have their MFA reset. Some organisations also configure a fallback method (such as a TOTP app) for emergency access.
No security measure is absolute. Advanced attacks like real-time phishing proxies (Evilginx, Modlishka) can intercept TOTP codes as the user types them. SIM-swapping defeats SMS MFA. MFA fatigue defeats push notifications if the user is not vigilant. FIDO2 hardware keys are the most resistant to all known attack vectors because they verify the origin domain cryptographically, but even they require secure account recovery processes to prevent social-engineering bypasses at the helpdesk.
Two-factor authentication (2FA) is a subset of MFA that uses exactly two factors. MFA is the broader term that covers two or more factors. In practice, most consumer and business implementations use two factors (password + one additional method), so the terms are often used interchangeably. Some high-security environments require three factors — for example, a password, a smart card, and a fingerprint scan.
Passkeys are based on the FIDO2/WebAuthn standard. When you register a passkey with a service, your device generates a unique public-private key pair. The private key is stored in the device's secure enclave (protected by your biometric or device PIN), while the public key is sent to the service. At login, the service sends a challenge, your device signs it with the private key after biometric verification, and the service verifies the signature with the public key. No shared secret ever crosses the network.