15 Mar 2021
Best practiceMFA

Which MFA methods should you use?

Andy Waugh
6 minute read
Push square illustration

We all know Multi-Factor Authentication (MFA) is a good idea but how important is the "factor" you choose? From the classic SMS to the modern Yubikey, and everything in-between, we've got you covered when it comes to MFA methods.

Before we start, MFA with any method is better than no MFA at all. Although some methods are better than others, they're all leagues ahead of passwords alone. If, for whatever reason, you can only implement MFA using a weaker second factor, you should still do it. You can always improve later and you'll have made a significant improvement even with the weaker second factor.

So, how can one factor be better than others? Here's how we think about it:

  • User experience: how easy is it to use?

  • Security: how easy is it for someone to compromise?

  • Cost: do you need to upgrade your SaaS license, or buy physical bits?

  • Support: how widely can it be used?

Just want the answers?

  • Using an app on your phone, like Microsoft or Google Authenticator, to receive notifications or use a one-time password are the top all-round options today - they're free, intuitive for users, relatively easy to set up, and widely supported.

  • The gold standard is a FIDO2-capable security key, like the YubiKey 5 series, or a security key built-in to your device, like Touch ID - it's the most secure, provides the best user experience, but has an upfront cost as each user will need a key or a compatible device. The main drawback today is they aren't supported on all platforms yet so might not be an option everywhere.

  • Factors that rely on your phone number, such as SMS and phone calls should be avoided if possible as they are the least secure and provide the worst user experience.

Here's a summary:

App Notification

One of the most common methods today is the app notification. Using an app on your phone, like Microsoft Authenticator, to receive a push notification when you login.

Free, easy to use, and secure - this is a good choice if your users all have devices to install the app on and will reliably have a network connection to receive the notification.

Your challenges with using this method will be getting the app setup on everyone's device, getting everyone enrolled, and making sure users understand to only hit approve when they actually performed a login (seriously).

App Code

The early days of MFA looked like RSA tokens; those devices you used to have to carry on a key chain with a code that changed every minute. Those devices worked by having a "seed" value that both the device and the server knew which changed predictably. So long as that seed value stayed safe, this provided a convenient second factor for users that was difficult to compromise.

Today, this approach is more common via an app, where the app provides a code that changes every minute, but the concept is exactly the same.

This approach uses what is officially called One Time Passwords (OTP) but is often just referred to as an app code. It has some advantages, such as not needing signal after setup which can be handy if that's a concern.

However, as was true of the RSA tokens of the past, if the seed value is compromised all future values can be predicted. The odds of this happening in practice are exceptionally low so this remains a good choice.

Your challenges with using this method will again be mostly in rolling it out to all users and getting everyone setup.

Text message / phone call

As MFA gained popularity, receiving a code via text message (SMS), or sometimes a phone call, quickly became the de-facto method. Before everyone had smartphones and therefore the ability to install apps, using text messages or phone calls was the only way to implement MFA without having to provision RSA tokens for everyone in the team.

The major downside to using these methods is their reliance on the security of the phone number. If attackers really want to target an account, and they know the phone number used for MFA, they can try something called SIM-swapping to hijack the phone number, and hence nullify the MFA.

The most important thing to note in that scenario is how targeted it is. With no MFA, any attacker on the Internet can simply guess passwords on an account - the cost is extremely low. To bypass SMS or phone call MFA using SIM swapping has a significantly higher cost. The attack is definitely practical, but would only happen when you're specifically targeted.

Additionally, the user experience isn't as good. Firstly, the user must have mobile signal to receive the SMS or call. Secondly, there can often be a delay in delivery, due to the less-reliable mobile network. Finally, there is almost always a usage cost associated with these methods, since it costs money to send SMSs or make phone calls.

Because of this, SMS or phone calls are often considered least desirable MFA methods today.

Security keys

FIDO2 is the name for a set of authentication protocols and standards developed by a consortium of tech companies to be the future of authentication. FIDO2 solves a lot of the problems we've dealt with in the past: it's secure, usable, impossible to spoof.

Without digging into the weeds of how that works (the official page from the FIDO alliance is worth a read if you're interested), you will need what's commonly referred to as a "security key" to make use of it. This is a small physical device, often plugged into your USB port - modern devices that understand FIDO2, like the YubiKey 5 Series, are preferable. Once setup, you simply touch the key on login and the magic of cryptography ensures a high degree of security.

In fact, this approach is so secure, it is the basis of a "passwordless" revolution, where this strong factor of authentication can feasibly be used as a single-factor of authentication, and users don't even need to remember passwords anymore. Though in its infancy at the moment, expect to hear more about that in the coming years.

The primary drawback of this method is the cost, with devices typically costing around $50 each. Also, although you can expect them to be supported on major platforms, they aren't supported as widely as other methods just yet.

If you are unable to justify their cost for all users, a common implementation is to use security keys for high privilege accounts.

Built-in security keys

Many modern mobile devices like laptops, tablets and phones have built-in security keys (e.g. Apple TouchId,  Android phones, and Windows Hello). These have many of the advantages of stand-alone security keys, but without the cost!

Support for these keys is a fairly recent development and is still ongoing but opens up an exciting future where users will increasingly be able to very easily add a second factor, or even go passwordless, in a secure way, without much effort or thought.

In conclusion there are multiple options you can choose from to fit almost any scenario you have. While some options are better than others, even the worst option is still a massive improvement on passwords alone. In the end, the best MFA method is the one you can start rolling out today, you can always improve down the line.