Identity & Access 7 min read

Multi-Factor Authentication: Not All MFA Is Created Equal

SMS codes are better than nothing, but they’re not secure. Understand the different MFA methods and which ones actually protect against attacks.

If you’re reading this in 2026, you’ve probably been told to "enable MFA" hundreds of times. Maybe you already have it turned on for your important accounts.

But here’s what nobody tells you: not all MFA is created equal.

Some MFA methods barely improve security. Others make accounts virtually unbreakable. Understanding the difference could save your organization from a security incident.

What Is Multi-Factor Authentication?

MFA requires users to prove their identity using multiple factors:

  • Something you know — Password, PIN
  • Something you have — Phone, security key, smart card
  • Something you are — Fingerprint, face recognition, iris scan

The idea: Even if attackers steal your password, they can’t access your account without the second factor.

In practice, some MFA methods are far stronger than others.

MFA Methods Compared: At a Glance

| Feature | Hardware Keys | Passkeys | Authenticator Apps | Push Notifications | SMS Codes |
|---|---|---|---|---|---|
| Phishing Resistant | Yes | Yes | No | Partial | No |
| Works Offline | Yes | Yes | Yes | No | No |
| No User Code Entry | Yes | Yes | No | Yes | No |
| Requires Hardware | $20-50 | None | None | None | None |
| Setup Complexity | Low | Low | Low | Low | Very Low |
| Security Rating | Excellent | Excellent | Good | Good | Weak |

Our Top Recommendations

Hardware security keys and passkeys are the gold standard for maximum security. Use these for administrator accounts and high-value users.

Detailed Analysis: Pros & Cons of Each Method

🔵 Hardware Security Keys (The Gold Standard)

How it works: Physical tokens (YubiKeys, Titan Keys) that prove identity through cryptographic challenge-response. Users plug in or tap the key to authenticate.

Why it’s the best:

  • ✅ Phishing-resistant through domain binding
  • ✅ No man-in-the-middle attacks possible
  • ✅ Works offline—no network needed
  • ✅ Simple user experience—just tap or plug in
  • ✅ Immune to SIM swapping and SMS interception

Considerations:

  • ⚠️ Costs $20-50 per key
  • ⚠️ Can be lost or damaged (register 2 keys per user)
  • ⚠️ Requires USB/NFC support on devices

Our Verdict

The gold standard. Use for administrator accounts and high-value users. The $50/user cost is insignificant compared to incident recovery costs.

🔵 Passkeys (FIDO2/WebAuthn) (The Future)

How it works: Device-based cryptographic authentication that works like hardware keys but syncs across your devices via iCloud, Google, or password managers.

Why it’s transformative:

  • ✅ All security benefits of hardware keys
  • ✅ Syncs across devices via iCloud/Google/password managers
  • ✅ No single point of failure
  • ✅ No passwords or codes to remember
  • ✅ Backed by Apple, Google, Microsoft

Current limitations:

  • ⚠️ Not all services support it yet (but adoption growing rapidly)
  • ⚠️ Requires understanding of which devices have access

Our Verdict

The future of authentication. Enable everywhere it’s available. Adoption is growing rapidly across major platforms.

🟢 Authenticator Apps (TOTP)

How it works: Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes on your device.

Why it’s better:

  • ✅ No SMS interception risk
  • ✅ Works offline
  • ✅ Not vulnerable to SIM swapping
  • ✅ Easy to set up
  • ✅ Free solutions available

Remaining weaknesses:

  • ⚠️ Can still be phished in real-time attacks
  • ⚠️ Users can be socially engineered into sharing codes
  • ⚠️ Device loss means lockout without backup codes

Our Verdict

Solid choice for most accounts. Easy to set up, significant security improvement over SMS. Store backup codes in a password manager.

🟢 Push Notifications

How it works: Apps like Microsoft Authenticator or Duo send push notifications asking you to approve login attempts.

Why it’s better:

  • ✅ No codes to type—very user-friendly
  • ✅ Shows login location and device information
  • ✅ No one-time code for a fake website to capture

Remaining weaknesses:

  • ⚠️ MFA fatigue attacks—spam until users approve accidentally
  • ⚠️ Users may approve without reading details
  • ⚠️ Requires network connection
  • ⚠️ Needs number matching enabled to blunt fatigue attacks

Our Verdict

Good for usability, but requires user awareness. Enable number matching (user must enter a displayed number in the app) to prevent fatigue attacks.

🔴 SMS Codes (Least Secure)

How it works: You receive a 6-digit code via text message and enter it to prove identity.

Why it’s weak:

  • ❌ SIM swapping attacks
  • ❌ SS7 vulnerabilities allow SMS interception
  • ❌ Codes can be relayed by real-time phishing
  • ❌ No cell signal = no access
  • ❌ Not acceptable for privileged accounts

Minimal benefits:

  • ⚠️ Better than password-only
  • ⚠️ Familiar to most users
  • ⚠️ No app installation required

Our Verdict

Better than password-only, but barely. Avoid for privileged accounts. Upgrade to authenticator apps or hardware keys as soon as possible.

What About Biometrics?

Fingerprints, face recognition, and other biometrics are local authentication methods. They unlock your device, which then uses one of the above methods to authenticate to services.

For example:

  • Face ID unlocks your iPhone
  • iPhone uses a passkey to authenticate to your Google account


Biometrics add convenience and security at the device level, but the MFA method used by the service still matters.

Real-World Attack: ShinyHunters SSO Campaign (January 2026)

Recent news highlights why MFA method matters:

The ShinyHunters extortion gang launched sophisticated voice phishing attacks targeting SSO accounts at Okta, Microsoft, and Google. Their goal: bypass MFA and compromise corporate SaaS platforms.

How they did it:

  1. Phished user credentials through fake login pages
  2. Called victims pretending to be IT support
  3. Convinced users to approve MFA push notifications
  4. Gained access to corporate applications

Which MFA Would Have Stopped This?

  • ❌ SMS codes — Could have been requested and shared
  • ❌ Push notifications — Were socially engineered
  • ✅ Hardware security keys — Impossible to phish through fake websites
  • ✅ Passkeys — Cryptographically tied to real domain

Choosing the Right MFA for Your Organization

For Administrator Accounts

Hardware security keys (YubiKeys) or passkeys. No compromises.

For General Users

Authenticator apps (TOTP) with push notifications as a convenience option. Enable number matching to prevent MFA fatigue.

For High-Risk Industries

Mandate hardware keys for all users. The $50/user cost is insignificant compared to incident recovery costs.

Avoid

SMS and email codes for anything important. They’re better than nothing, but "better than nothing" isn’t good enough in 2026.

Implementation Tips

  1. Require MFA for everyone — No exceptions, no matter how senior
  2. Disable SMS fallback for admins — Remove the weakest link
  3. Distribute backup keys — Give admins a second hardware key to store securely
  4. Enable conditional access — Require stronger MFA for sensitive actions
  5. Monitor for MFA bypass attempts — Alert on failed MFA attempts or push spam

The Bottom Line

MFA is essential, but the method matters. SMS codes are better than nothing. Authenticator apps are good. Hardware keys and passkeys are best.

Choose MFA methods based on risk, not convenience. Your administrator accounts deserve the strongest protection available.

Need help implementing strong MFA?

OSA configures phishing-resistant authentication across identity platforms like JumpCloud, Microsoft Entra ID, and Okta.
