Not All Multi-Factor Authentication Methods Are Equally Secure

Password attacks, such as phishing, man-in-the-middle, brute force, and credential stuffing, were responsible for 81 percent of data breaches in 2020.

To protect themselves against them, organizations large and small are enabling multi-factor authentication (or just MFA for short), which is known to prevent 99.9 percent of account compromise attacks, according to Microsoft engineers.

But there are many multi-factor authentication methods organizations can choose from, and they are not all equally secure.

Overview of Multi-Factor Authentication Methods

The basic idea behind multi-factor authentication is to prevent unauthorized access by requiring an additional piece of evidence to be presented during a login attempt. This additional piece of evidence can be:

  • Something the user knows (such as a PIN code)
  • Something the user is (such as a fingerprint scan)
  • Something the user has (such as a security token)

To complicate things even further, there are often multiple ways of delivering the additional piece of evidence. For example, a PIN code can be delivered via an SMS message, a push notification, or a dedicated authenticator app.

While the available multi-factor authentication methods may seem equally capable of stopping password attacks dead in their tracks, the fact is that the difference between the least and most secure method is rather dramatic.

Ranking of Multi-Factor Authentication Methods

Now that we’ve established that not all multi-factor authentication methods are equally secure, let’s take a closer look at the most common ways MFA is used in practice and discuss the pros and cons of each, starting with the weakest method.

Weakest: SMS- and Voice-Based Authentication

If there’s one MFA method that you definitely want to avoid, it’s SMS- and voice-based authentication. The U.S. federal government stopped using it back in 2016 because cybercriminals have figured out multiple effective techniques that allow them to bypass it.

The techniques cybercriminals use to bypass SMS- and voice-based authentication include good old social engineering, smartphone-specific malware, and so-called SIM-swapping attacks, which exploit a mobile phone service provider’s ability to transfer a subscriber’s number to a new SIM card.

Good Enough: Mobile-Based Authentication

Various mobile-based authentication methods have emerged as the most convenient secure alternative to SMS- and voice-based authentication. They include authentication apps, such as Google Authenticator, Microsoft Authenticator, or Authy, push notifications, and biometrics.

Since virtually all employees carry at least one smartphone with them all the time, they don’t have to jump through many hoops to get started with mobile-based authentication. Best of all, authentication apps, push notifications, and biometrics are all resistant to SIM-swapping attacks, depriving cybercriminals of one of their favorite methods.

Best: Hardware-Based Authentication

When it comes to preventing unauthorized login attempts, hardware-based authentication using tokens in a key-fob format is hard to beat, even though it’s one of the oldest MFA methods. The best hardware authentication tokens support passwordless authentication, completely eliminating the need to enter a username and password.

Unfortunately, hardware-based authentication is arguably the least convenient MFA method since it requires employees to carry with them a single-purpose device they have no other use for. Forgetting this device means being unable to log in to important websites and applications. That’s why many organizations decide to go with the good enough option instead.

Conclusion

The bottom line is that some multi-factor authentication methods are significantly more secure than others. If possible, avoid SMS- and voice-based authentication and use mobile-based and hardware-based authentication methods instead.
