MFA Types Compared: TOTP, Push, SMS, Hardware Keys, and More — N2CON Resources
Note: This is general information and not legal advice.
Not all MFA is equal. Some methods resist phishing; others are trivial to bypass. This guide compares the six main approaches, ranked from strongest to weakest.
Quick Comparison
| Method | Security | Phishing Resistant | Cost/User | Best For |
|---|---|---|---|---|
| Hardware Security Keys (FIDO2/WebAuthn) | Highest | Yes (origin-bound signatures) | $20-50 | Admins, executives, finance |
| Number-Matched Push | High | Partial: stops push bombing, not an AitM relay | Free* | General staff, contractors |
| TOTP Authenticator Apps | Medium | No | Free | Fallback, BYOD scenarios |
| Basic Push Notifications | Medium | No (also open to push bombing) | Free* | Not recommended for new deployments |
| SMS/Phone Call | Low | No | Free | Break-glass only, rare edge cases |
| Email MFA | Lowest | No | Free | Not recommended |
* Requires identity platform subscription (Microsoft Entra ID, Okta, etc.)
Tiered Recommendations
Privileged Accounts
Admins, executives, finance, security teams
- Primary: Hardware security keys
- Backup: Number-matched push
General Staff
Regular employees, contractors, remote workers
- Primary: Number-matched push
- Backup: TOTP authenticator app
Break-Glass
Emergency access, locked-out scenarios
- SMS: Only for emergencies, and only on accounts where the blast radius is small
- Hardware: Spare, pre-enrolled keys in a physical safe
Method Details
Hardware Security Keys
FIDO2 / WebAuthn
Physical USB/NFC devices that hold a per-site private key and sign the server's challenge inside the key itself. The private key never leaves the hardware, and the browser binds every signature to the origin of the page actually being shown.
Strengths
- Phishing-proof by design: a look-alike domain obtains a signature the real site rejects
- No battery or network needed
- Resists cloning: the key material cannot be exported
- Verifies domain binding: the signed data includes the origin and a hash of the relying-party ID
Considerations
- $20-50 per user cost
- Can be lost or broken
- Requires a USB port or NFC (check laptops, thin clients and phones before rollout)
- Backup method needed
Number-Matched Push
Push MFA Hardened Against Push Bombing
The login screen shows a two-digit number and the user must type it into the phone app before approving. An attacker who triggers pushes with a stolen password (push bombing, also called MFA fatigue) never sees that number, so a tired user cannot approve the attacker's attempt by accident. It is not phishing-resistant in the FIDO2 sense: an adversary-in-the-middle proxy that relays the real login page also relays the real number, the user types it, and the session is issued to the proxy.
Strengths
- Defeats push bombing / MFA fatigue
- No cost per user
- Works with existing phones
- Easy user experience
Considerations
- Requires the phone to have connectivity
- Phone can be stolen
- App installation needed
- Tied to one identity platform's app
- Can still be relayed by a real-time phishing proxy
TOTP Authenticator Apps
Microsoft, Google, Authy
Six-digit codes derived every 30 seconds from a shared secret and the current time (RFC 6238). Works offline, but a code is valid for anyone who obtains it inside the window: a phishing page that relays it to the real site in real time logs in as the user.
Strengths
- Works without connectivity
- Free apps available
- Cross-platform support
- Widely understood
Considerations
- Phishing vulnerable: the code is typed into whatever page asks for it
- Codes can be stolen and relayed in real time
- Time sync required: device clock drift beyond the server's tolerance window breaks login
- Secret storage risks: the same secret lives on the server and in the app (and often in cloud backups), so a breach of either yields every future code
SMS & Phone Calls
Use Sparingly
Codes sent via text message or automated phone call. Convenient, but the code travels over the public telephone network and arrives at whichever device the carrier currently associates with the number, which is exactly what SIM swapping changes.
NIST SP 800-63B classifies out-of-band authentication over the PSTN (SMS and voice) as RESTRICTED: it may still be used, but the organization must assess the risk, tell users, and offer an alternative. Reserve it for break-glass scenarios.
Strengths
- No app installation
- Familiar to users
- Works on basic phones
- Emergency fallback
Vulnerabilities
- SIM swapping attacks
- SS7 interception
- Social engineering
- Real-time phishing
Methods to Avoid
Email-Based MFA
If the mailbox is compromised, MFA via email offers no protection, and since the mailbox is usually also the password-reset channel, one account becomes the single point of failure for every service behind it.
Unverified Passkeys
Passkeys are WebAuthn credentials and carry the same origin binding as hardware keys; what varies is where the private key lives. A synced passkey is only as strong as the consumer cloud account and recovery flow that holds it, and it may provide no attestation, so the identity platform cannot tell what kind of authenticator it is. Before accepting passkeys for privileged accounts, decide whether you require attestation or device-bound keys.
Personal Device Policy
The Dilemma
MFA protects both company and employee, but requiring personal devices for work functions raises privacy concerns and creates liability questions.
Practical Approaches
- Provide options: Offer hardware keys for those who prefer not to use personal phones
- Clear policy: Document what the MFA app collects from the device (typically a push token and device identifier, not personal content) and what the company can and cannot see
- Offboarding: Remove app access promptly when employees leave
- Support: Help desk trained on MFA troubleshooting
Red Flags in MFA Deployment
- SMS as the primary method
- No backup methods configured (the first lost phone becomes a help-desk reset, which is the weakest link)
- The same method for every user, privileged or not
- No help desk training, so social engineering of the reset process bypasses MFA entirely
Key Takeaways
Tier your approach
Hardware keys for privileged accounts. Number-matched push for general staff. SMS only for break-glass.
Phishing resistance matters
Hardware keys bind each login to the real site origin, so a phishing page gets nothing it can reuse. Number matching defeats push bombing but can still be relayed by a phishing proxy, which is why privileged accounts get keys and general staff get push.
Always have a backup
Users will lose keys, break phones, travel internationally. Plan for recovery before you need it.
MFA is not a checkbox—it's a security control that varies dramatically in strength. The right mix depends on your risk profile, user base, and budget. Start with phishing-resistant methods for your highest-risk accounts and build out from there.
Common Questions
What is the most secure type of MFA?
Hardware security keys (FIDO2/WebAuthn) are the strongest: the key signs a challenge bound to the real site origin, so phishing pages, adversary-in-the-middle proxies and credential theft yield nothing reusable. Number-matched push is the strongest phone-based option because it defeats push bombing, but a phishing proxy can relay the number, so it ranks below keys. SMS and TOTP codes can be used by anyone who tricks the user into typing them.
Why is SMS-based MFA considered weak?
SMS codes can be intercepted through SIM swapping, SS7 attacks, or social engineering of mobile carriers. They are also vulnerable to phishing sites that ask users to enter the code in real-time.
Should employees use personal phones for MFA?
MFA protects both the employee and the company, but forcing personal device use raises privacy and fairness concerns. Best practice: provide company-managed options (hardware keys, managed devices) while acknowledging that some methods require personal devices.
What is TOTP and how is it different from push notifications?
TOTP (Time-based One-Time Password) generates codes locally on the device using a shared secret and current time. Push notifications send an approval request from the server to the device. TOTP works offline; push requires connectivity.
Are hardware security keys worth the cost?
For privileged accounts (admins, executives, finance), absolutely. For general staff, the cost ($20-50/user) may not justify the security gain if other phishing-resistant methods (number-matched push) are available.
Need help choosing the right MFA mix for your environment?
We can assess your risk profile, user base, and compliance needs to recommend the right combination of MFA methods.
Contact N2CON