Which Method of Multi-Factor Authentication is Most Secure? (and Other MFA Considerations)


Breaches of passwords account for 77% of all cloud account breaches. No matter how much companies stress the need for employees to adopt good password habits, it doesn’t always happen.

The problem is that people have too many passwords to remember, so they have a hard time keeping track of hard, unique passwords for all their accounts. This leads to passwords being reused across multiple accounts (personal and work), and weak passwords that are easy to hack.

Credential compromise and the resulting insider attacks have become a major cybersecurity threat. Insider attacks have risen 47% over the past two years, and many of these are perpetrated by a hacker who has gained system access by logging in with a legitimate user's credentials.

What’s the best way to secure account passwords and stop unauthorized access? By enabling multi-factor authentication (MFA).

MFA can block as many as 100% of fraudulent sign-in attempts, depending upon the method you use.

What Are the Different Types of MFA?

Multi-factor authentication is the process of requiring a second authentication method in addition to a username and password entry. This puts up a barrier for hackers because even if they have the password, they can’t gain account access.

When MFA is enabled, the user takes an extra step after their password is accepted. They must retrieve a code that is sent to a physical device. This code is then entered into the webform to complete the login and gain access.

This system is largely effective at blocking fraudulent sign-in attempts because in most cases, a hacker won’t have physical possession of the device used to receive the MFA code.

They also don’t have enough time to guess that code, because codes are unique for each login and only active for approximately 5-10 minutes.

There are three ways that you can receive the code:

  • Via SMS to a mobile number
  • Via on-device prompt through an authentication app
  • Via a security key that is plugged into a device

Does it matter which method you use?

While all provide significant protection against account takeovers, there are some security differences between them. We’ll go through those next.

MFA Comparison: SMS vs App vs Security Key

For the multi-factor authentication security comparison, we are referencing a study by Google that looked at how effective each of the three methods below was against three different types of attacks.

Google MFA Study

SMS Text Message
Most people are used to setting up MFA for work and personal accounts and having the code sent to them by text. This is the most widely used method for receiving the MFA code and the easiest for users because they’re used to getting text messages for other reasons, so there’s no learning curve.

Security Level: Lowest of the three methods

SMS is between 76% and 100% effective against account attacks, depending upon the type of attack. The reason this method is the least secure of the three is that SIM cards can be cloned, which can give a hacker access to that phone number’s text messages and therefore to the MFA code. Additionally, mobile numbers can be paired with computers, allowing users to send and receive text messages on a PC. If that PC contains spyware, the attacker gains access to the text messages as well.

On-Device Prompt with an Authentication App

Another common method used to receive an MFA code is an authentication app on a mobile device. This eliminates the security problem that text messages have, because the code is generated on the device rather than sent over the mobile network. It’s more secure than SMS and slightly less secure than a security key, with between 90% and 100% effectiveness at blocking account attacks.

Security Level: Mid-range

Authentication apps are still fairly convenient, but they do require an additional step to set them up so they can be used for MFA with all your accounts.
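The code-based flow described above (a unique code per login that is only accepted for a short window) is what an authenticator app implements with time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from this article or from the Google study, showing both halves: the app's side, which derives a 6-digit code from a shared secret and the current 30-second time step, and the server's side, which accepts only a small window of steps and refuses to accept the same step twice, so a captured code cannot be replayed. The `TotpVerifier` class, its `window` parameter and the sample account name are assumptions made for this example; the RFC test secret is the published one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse

# RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then "dynamic
# truncation" to pull 31 bits out of the digest and reduce them to N digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the HOTP counter is the number of `step`-second intervals
# since the Unix epoch. This is what the authenticator app computes.
def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, int(at_time) // step, digits)

# Enrollment: generate a fresh 160-bit secret and the otpauth URI that the
# setup QR code encodes (issuer/account names here are constructed samples).
def new_secret(length: int = 20) -> bytes:
    return secrets.token_bytes(length)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": 6,
        "period": 30,
    })
    return f"otpauth://totp/{label}?{params}"

class TotpVerifier:
    """Server-side check (assumed design for this example).

    Accepts the current step plus `window` steps either side to tolerate
    clock drift, compares in constant time, and remembers the newest step it
    has accepted so the same code cannot be used twice (RFC 6238 resync rule).
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, at_time=None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        current = int(at_time) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than a step we accepted
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False

if __name__ == "__main__":
    # The secret below is the RFC 4226/6238 test-vector secret, not a real key.
    demo_secret = b"12345678901234567890"
    print("enrollment URI:", provisioning_uri(new_secret(), "alice@example.com", "ExampleCorp"))
    print("code at T=59:", totp(demo_secret, 59))
    v = TotpVerifier(demo_secret)
    print("first use accepted:", v.verify(totp(demo_secret, 59), 59))
    print("replay accepted:", v.verify(totp(demo_secret, 59), 59))
```

The `window` of one step on each side is why a code stays usable for a short while after it scrolls off the app screen; widening that window trades replay and phishing exposure for drift tolerance, so keep it small and always keep the last-accepted-step check.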

Security Key

Purchasing a security key device (like YubiKey or Thetis) is the most secure way to complete your MFA step. It’s not tied to a mobile number or mobile device that could be breached. Instead, the user carries a small device, about the size of a USB drive or smaller. That security key is then inserted into a computer or mobile device to complete the authentication.

Security Level: Highest of the three methods

Two of the drawbacks of using a security key include the cost (you have to purchase them) and the fact that they are small and easy for someone to lose. But if you have a good training program for employees and procedures in place for lost keys, this will give you the highest level of account protection.

What Else Should You Consider When Implementing MFA?

Using a Password Manager & MFA

A great way to keep your passwords as secure as possible is to use the combination of a password manager and MFA. This way you can ensure users have unique, difficult passwords for all logins and that those logins are secured with multi-factor authentication.

Take Convenience Into Consideration

Security is one consideration when choosing a method for MFA, but user convenience is another important one. If you choose a cumbersome method, users will complain, and productivity will drop. A method that’s fluid and easy will enhance security without slowing people down.

Is Your Cybersecurity Ready for 2021’s New Cyber Threats?

Quantum PC Services can help your Sturgeon Bay area business implement multi-factor authentication and other important security steps to keep you safe from a costly account breach.

Contact us today to learn more! Call 920-256-1214 or reach us online.