Multi-Factor Authentication (MFA) helps add an extra layer of security to accounts, but it’s important to understand that not all MFA methods are created equal in terms of ease of use and security. In this blog, we’ll go over the different types of MFA methods, along with the pros and cons of each.
SMS-based MFA
SMS-based MFA allows users to verify their identity through a One-Time Password (OTP) sent to their phone. When a user attempts to log in to their account, the system sends a unique OTP via text message to the associated phone number. The user must then enter the code into the login interface to complete the authentication process and gain access to their account.
Pros
1. Easy to set up and use: Users need only a valid phone number.
2. Widely available: Almost all mobile phones can receive SMS messages, whether they are smartphones or basic phones.
3. No special hardware required: Users need only a mobile phone capable of receiving messages.
Cons
1. Vulnerable to SIM swapping: An attacker can convince a user’s mobile carrier to transfer the user’s phone number to a new SIM card that the attacker controls. This allows attackers to intercept SMS messages, including OTPs.
2. Vulnerable to phishing: Attackers may impersonate legitimate organizations through text messages, tricking users into revealing their OTPs.
3. Not as secure as other MFA methods: SMS messages are not encrypted, which means there is a risk that the OTP could be intercepted during transmission.
Email-based MFA
Email-based MFA allows users to verify themselves through a code or magic link sent to their registered email address. When a user attempts to log in to their account, they receive an email with an OTP or a magic link. The user must then enter the OTP or click the magic link to complete the authentication process and gain access to their account.
Pros
1. Easy to set up and use: Users need only an email address, which most already have.
2. No need for extra apps or devices: It requires only a device with access to the user’s email account, whether it is a smartphone, tablet or computer.
Cons
1. Vulnerable to email account compromise: If a user’s email account is compromised, an attacker can gain access to the OTP and bypass MFA.
2. Relies on email availability: If the user cannot access their email account due to issues like an unavailable internet connection or service outages, they will be prevented from logging in to their account since no OTP or magic link can be received.
Voice call authentication
Voice call authentication allows users to verify themselves through an OTP delivered via voice call to the registered phone number associated with their account. When a user attempts to log in to their account, they receive an automated voice call in which the system reads out a unique OTP. The user then enters this code into the login interface to complete the authentication process and gain access to their account.
Pros
1. Simple and accessible for users without smartphones: Does not require users to have a smartphone or data plan, unlike SMS-based MFA or authenticator apps. Only a basic mobile phone capable of receiving calls is needed.
2. Works without needing an internet connection: As long as the user has access to the mobile network, they can receive a voice call with the OTP regardless of internet access.
Cons
1. Vulnerable to SIM swapping: An attacker can convince a user’s mobile carrier to transfer the user’s phone number to a new SIM card that the attacker controls. This allows attackers to intercept the OTP sent via voice call.
2. Vulnerable to spoofing and vishing: Attackers can spoof the phone number of a legitimate service and trick users into believing they are receiving an OTP call. The attacker may then request sensitive information or convince the user to enter the OTP on a malicious site.
3. Hearing impairment limitations: Users with hearing difficulties may not be able to hear the OTP provided during the call clearly.
Authenticator apps
Authenticator apps are applications that generate OTPs using the Time-Based One-Time Password (TOTP) algorithm. Quality password managers typically include an authenticator function within the platform, allowing users to save and access codes across all their devices.
When setting up MFA with an authenticator app, users either scan a QR code or manually input a secret key. Using this key, the app applies an algorithm to generate unique, time-sensitive OTPs that change every 30 to 60 seconds. When a user attempts to log in to their account, they must enter the code displayed in the authenticator app. The server checks whether the entered code matches the one it generated, and if it does, the user is granted access.
Pros
1. Available offline: It does not require an internet connection to generate OTPs, as the app relies on the secret key stored on the device to generate time-based codes.
2. Free to use: Most authenticator apps are free to download and use, making it a secure yet cost-effective MFA solution.
Cons
1. Requires a smartphone or other dedicated device: Users must have access to a device that supports the app.
2. Vulnerable to app-specific attacks: If an attacker gains access to a user’s device, they could access the stored secret keys to generate OTPs for unauthorized access.
3. Can be challenging for some users: The process of installing the app, scanning a QR code and managing multiple online accounts within the app might be overwhelming for less tech-savvy users.
FIDO2 security keys
A FIDO2 security key is a hardware-based MFA method designed to enable users to securely log in to their accounts without needing to enter a password or code. It is a physical device that a user connects to their computer or mobile device, typically via USB, NFC or Bluetooth. FIDO2 security keys use public-key cryptography to create a pair of keys: a public key stored on the server and a private key stored securely on the security key itself. When a user attempts to log in to an account, they insert the FIDO2 security key when prompted and tap it, signing the authentication challenge with the private key to verify their identity.
Pros
1. Immune to man-in-the-middle attacks: Attackers cannot intercept data between the user and server because they won’t have the private key required to complete the authentication.
2. Immune to phishing attacks: Attackers cannot trick users into revealing the private key or authentication codes because of the reliance on public-key cryptography and the physical requirement of the security key.
3. Resistant to SIM swapping: The security keys do not rely on a phone number, so the vulnerability to SIM swapping is eliminated.
4. Works across various apps and websites: FIDO2 security keys are widely supported across major browsers, platforms and devices.
Cons
1. Costs money: FIDO2 security keys can be priced from $20 to $100 or more, depending on the features and brand.
2. Loss of the key can result in lockout if no backup method is configured: If a user loses their FIDO2 security key, they may be locked out of their account unless they have a backup authentication method, such as another key, a backup code or a recovery option.
3. Requires a physical device: Users must always have the key with them to authenticate, which can be inconvenient if it is ever misplaced, forgotten or not easily accessible.
Hardware tokens
Hardware tokens are physical devices, such as key fobs or smart cards, used to verify a user’s identity by generating TOTP codes. When a user attempts to log in to their account, the system prompts the user to enter the OTP generated by the hardware token. Depending on the token type, the user will either read the code from the device’s screen or press a button to display the code, which they then enter into the login interface. The server checks whether the entered code matches the one it generates based on the shared secret and the current time. If the codes match, the user is granted access.
Pros
1. It generates OTPs even without an internet connection: This makes it ideal for users in environments where an internet connection is not available.
2. Easy to set up and use: The user simply needs to link the hardware token to their account, and it is ready to generate OTPs automatically without any further intervention.
Cons
1. Costs money: Users or organizations must purchase the physical device, which can add up, especially for larger enterprises that need to provide tokens for several or all users. Tokens can range in price from $20 to $100 or more.
2. Lost or stolen tokens: Users might not be able to access their accounts until a replacement is provided, which can be time-consuming.
3. Requires a physical device: Users need to carry the tokens with them at all times to access their accounts, which can be inconvenient if a token is misplaced or forgotten.
Biometric authentication
Biometric authentication is a type of MFA method that uses physical or behavioral characteristics to verify a user’s identity. Unlike traditional passwords or OTP codes, biometric authentication relies on unique traits inherent to each individual. These traits can include fingerprints, facial features, voice patterns, iris or retina scans or even typing patterns. When a user attempts to log in, the system captures and analyzes their biometrics and compares them to stored data from the initial setup to verify their identity.
Pros
1. Fast, easy and requires minimal setup: The initial setup requires the user to scan their fingerprint, face or another biometric trait. Once set up, authentication requires nothing more than a glance or touch.
2. Unique to each user: Biometric traits are difficult to replicate, and the probability of two people having the exact same fingerprint, facial features or retina pattern is extremely low.
Cons
1. May not work effectively in certain circumstances: For example, if a user’s finger is dirty or injured, the system may struggle to read the fingerprint correctly. Similarly, if they’re wearing glasses, masks or hats, the system may fail to accurately scan the face.
2. Concerns over privacy and misuse of biometric data: If biometric data is stored or accessed insecurely, it can be vulnerable to theft or misuse.
3. Potential for false positives: For example, twins or similar-looking individuals with similar facial features may trigger a false positive.
Push notifications
Push notifications allow users to verify their identity by receiving a notification on their mobile device. When attempting to log in, instead of needing to enter an OTP code, the user receives a push notification prompting them to approve or deny the login attempt. By selecting “approve,” the user verifies their identity and confirms that they are the one initiating the login without having to manually enter a code.
Pros
1. Quick approval process: Unlike OTP methods, where the user has to wait for a text message and enter a code, the approval process for push notifications is instantaneous.
2. More secure than SMS: Push notifications are delivered through an encrypted connection to the server, which makes them less vulnerable to interception.
Cons
1. Requires a smartphone or device to receive the push notification: A device capable of receiving notifications is required to complete the authentication process.
2. May not be effective if the user’s phone is lost, stolen, offline or in airplane mode: If a user does not have their smartphone or is in a situation where their device is unavailable, they cannot access their accounts.
What to consider when choosing an MFA method
When deciding which MFA method to use, it’s important to evaluate several factors to ensure that the chosen solution meets your specific requirements. These factors include your security needs, convenience and cost of implementation.
- Security needs: The level of security you need will vary depending on the sensitivity of the information being protected. For highly sensitive data, it is best to choose an MFA solution that offers the highest level of protection. Solutions like biometrics, hardware tokens or FIDO2 security keys are considered the strongest forms of MFA due to their resistance to common cyber threats.
- User convenience: Evaluate your preference between ease of access and maximum security. It’s important to find a balance between simplicity and security to ensure a user-friendly experience while still protecting sensitive information. If convenience is a priority, solutions like biometrics or push notifications are ideal, as they offer quick and seamless authentication.
- Cost: Assess both the initial cost of implementation and the ongoing maintenance cost. Some MFA solutions may have low costs, such as SMS-based authentication, while others, like hardware tokens or FIDO2 security keys, can be more expensive to deploy and maintain.
Protect your accounts with secure MFA methods
Understanding both the advantages and disadvantages of different methods is crucial when selecting the right MFA solution. Regardless of the method you choose, always enable MFA for every account that offers it as an option. Any MFA option is far more secure than having none at all.
Keeper Password Manager allows you to store, access and securely share TOTP codes – it even automatically fills them in for you. This enables all users in your organization to use strong passwords and enable MFA for every account.
Start a free 14-day trial of Keeper Password Manager to enhance your account security.