N2CON TECHNOLOGY

MFA Types Compared: TOTP, Push, SMS, Hardware Keys, and More

Not all MFA is equal. Some methods resist phishing attacks; others are trivial to bypass. This guide compares the six main authentication approaches ranked by security strength, so you can match the right method to each user group.

Note: This is general information and not legal advice.

Last reviewed: March 2026

Executive Summary

What this comparison covers
The six most common MFA methods, ranked by phishing resistance, usability, and cost per user. Includes hardware keys, number-matched push, TOTP apps, basic push, SMS, and email-based MFA.
Why method choice matters
  • Phishing-resistant methods (hardware keys, number-matched push) protect against the most common attack vector.
  • Non-phishing-resistant methods (TOTP, SMS) can be defeated by real-time phishing and interception.
  • The right mix depends on user risk level, not a one-size-fits-all deployment.
  • Cyber insurance underwriters increasingly expect phishing-resistant MFA for privileged accounts.
Decision framework
  • Privileged accounts (admins, executives, finance): hardware keys primary, number-matched push backup.
  • General staff and contractors: number-matched push primary, TOTP fallback.
  • Break-glass scenarios: SMS only as a last resort; spare hardware keys in a physical safe.
  • Avoid email-based MFA and unverified passkeys for any production use.
How N2CON helps
  • Assess your identity platform capabilities and map MFA methods to user risk tiers.
  • Roll out phishing-resistant MFA across your environment without disrupting operations.
  • Align your MFA program with Conditional Access and identity governance.

Quick Comparison

Method                    | Security | Phishing Resistant | Cost/User | Best For
Hardware Security Keys    | Highest  | Yes                | $20-50    | Admins, executives, finance
Number-Matched Push       | High     | Yes                | Free*     | General staff, contractors
TOTP Authenticator Apps   | Medium   | No                 | Free      | Fallback, BYOD scenarios
Basic Push Notifications  | Medium   | No                 | Free*     | Not recommended for new deployments
SMS/Phone Call            | Low      | No                 | Free      | Break-glass only, rare edge cases
Email MFA                 | Lowest   | No                 | Free      | Not recommended

* Requires identity platform subscription (Microsoft Entra ID, Okta, etc.)

Tiered Recommendations

Privileged Accounts

Admins, executives, finance, security teams

  • Primary: Hardware security keys
  • Backup: Number-matched push

General Staff

Regular employees, contractors, remote workers

  • Primary: Number-matched push
  • Backup: TOTP authenticator app

Break-Glass

Emergency access, locked-out scenarios

  • SMS: Only for emergencies
  • Hardware: Spare keys in physical safe

Method Details

Hardware Security Keys

FIDO2 / WebAuthn

Physical USB or NFC devices that perform cryptographic authentication inside the key itself. The private key never leaves the hardware, and each response is cryptographically bound to the registered domain, so the key will not produce a valid response for a look-alike site.

Strengths

  • Phishing-proof by design
  • No battery or network needed
  • Resists cloning
  • Verifies domain binding

Considerations

  • $20-50 per user cost
  • Can be lost or broken
  • Requires USB/NFC port
  • Backup method needed

Number-Matched Push

Phishing-Resistant Mobile MFA

The user matches a number displayed on the login screen with the number shown in their phone app. This proves they can see both devices and are not being phished through a proxy site.

Strengths

  • Phishing-resistant
  • No cost per user
  • Works with existing phones
  • Familiar user experience

Considerations

  • Requires mobile network
  • Phone can be stolen
  • App installation needed
  • Platform-dependent

TOTP Authenticator Apps

Microsoft Authenticator, Google Authenticator, Authy

Time-based codes generated every 30 seconds from a shared secret. Works offline but is vulnerable to real-time phishing, adversary-in-the-middle attacks, and secret extraction.

Strengths

  • Works without connectivity
  • Free apps available
  • Cross-platform support
  • Widely understood

Considerations

  • Not phishing-resistant
  • Codes can be stolen
  • Time sync required
  • Secret storage risks

SMS and Phone Calls

Use Sparingly

Codes sent via text message or automated phone call. Convenient but highly vulnerable to SIM swapping, SS7 protocol attacks, and social engineering of mobile carriers.

NIST SP 800-63B recommendation: Avoid SMS for sensitive accounts. Reserve for break-glass scenarios only.

Strengths

  • No app installation
  • Familiar to users
  • Works on basic phones
  • Emergency fallback

Vulnerabilities

  • SIM swapping attacks
  • SS7 interception
  • Social engineering
  • Real-time phishing

Methods to Avoid

Email-Based MFA

If your email is compromised, MFA via email offers no additional protection. It creates a circular dependency where the same credential protects itself.

Basic (Non-Number-Matched) Push

Standard push notifications that only require tapping "approve" without number matching are vulnerable to MFA fatigue attacks. An attacker can spam approval requests until the user accidentally accepts one.
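As an added example (not from the original page), detection logic for the push-spam pattern just described, run over constructed sign-in events; the log field names (ts, user, result, ip) and the window and threshold values are assumptions to map onto your identity platform's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not from the N2CON page): flagging the MFA fatigue pattern
# described above in push-authentication logs. Field names (ts, user, result,
# ip) are assumed; map them to your identity platform's sign-in log schema.

WINDOW = timedelta(minutes=10)
THRESHOLD = 3   # denied/timed-out prompts per user inside WINDOW before alerting

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Findings per user: 'medium' when `threshold` prompts are denied or time
    out inside `window`, 'high' when an approval then follows (user gave in)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        unanswered = []            # timestamps of recent denied/timed-out prompts
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            unanswered = [p for p in unanswered if t - p <= window]
            if e["result"] in ("denied", "timeout"):
                unanswered.append(t)
                if len(unanswered) == threshold:
                    findings.append({"user": user, "severity": "medium", "at": e["ts"],
                                     "reason": f"{threshold} unanswered push prompts in {window}"})
            elif e["result"] == "approved" and len(unanswered) >= threshold:
                findings.append({"user": user, "severity": "high", "at": e["ts"],
                                 "reason": "approval after repeated denied/timed-out prompts",
                                 "source_ip": e.get("ip")})
                unanswered = []
    return findings

def ev(ts, user, result, ip="203.0.113.7"):
    """Builds one constructed event (TEST-NET address, not a real log)."""
    return {"ts": ts, "user": user, "result": result, "ip": ip}

# Constructed sample events, not real logs.
EVENTS = [
    ev("2026-03-02T09:00:00", "alice", "denied"),
    ev("2026-03-02T09:02:00", "alice", "timeout"),
    ev("2026-03-02T09:04:00", "alice", "denied"),
    ev("2026-03-02T09:06:00", "alice", "approved"),      # gave in: high severity
    ev("2026-03-02T09:10:00", "bob", "denied", "198.51.100.4"),
    ev("2026-03-02T09:11:00", "bob", "approved", "198.51.100.4"),   # one mistap: no finding
]

if __name__ == "__main__":
    for f in detect_push_fatigue(EVENTS):
        print(f["severity"], f["user"], f["at"], f["reason"])
```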

Why Phishing Resistance Matters

Phishing is the most common initial access vector for breaches. When an attacker tricks a user into entering credentials on a fake login page, non-phishing-resistant MFA methods can still be defeated:

  • TOTP: The user enters the real TOTP code on the fake site, which the attacker forwards to the real login.
  • Basic push: The attacker triggers a push notification during the fake login, and the user approves it thinking it is a legitimate prompt.
  • SMS: The attacker forwards the SMS code to the real login in real time.

Hardware keys and number-matched push defeat this pattern because they bind the authentication to the specific domain. The key will not respond to a fake site, and the number match proves the user sees the real login page. This distinction is what NIST SP 800-63B and cyber insurance underwriters care about.
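The domain binding described above, as an added example that is not part of the original page: the relying-party checks on a WebAuthn assertion that reject a look-alike origin, a wrong relying party ID and a non-increasing signature counter (the clone check). RP_ID, ORIGIN, the challenge and the authenticator data are constructed placeholders, and signature verification with the registered public key is assumed to follow these checks.

```python
import hashlib
import json
import struct

# Added example (not from the N2CON page): the relying-party checks that make a
# FIDO2/WebAuthn key "verify the domain" and "resist cloning". Verifying the
# signature with the registered public key is assumed to follow these checks.

RP_ID = "login.example.com"            # assumed relying party ID
ORIGIN = "https://login.example.com"   # assumed expected browser origin

def parse_authenticator_data(auth_data: bytes) -> dict:
    """First 37 bytes of authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rpIdHash": rp_id_hash, "flags": flags, "signCount": sign_count}

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    expected_challenge: str, stored_sign_count: int) -> tuple:
    """Return (accepted, reason) for a webauthn.get response."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch: replayed or cross-session response"
    if client.get("origin") != ORIGIN:   # the browser records the real page origin
        return False, f"origin {client.get('origin')!r} is not {ORIGIN!r}: look-alike site"
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if (ad["signCount"] or stored_sign_count) and ad["signCount"] <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned key"
    # The key signs auth_data || sha256(client_data_json), so neither the origin
    # nor the rpIdHash checked above can be swapped without breaking the signature.
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return True, f"ok: verify signature over {len(signed)} bytes with the stored key"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData in the layout a real key emits."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()

if __name__ == "__main__":
    chal = "c2FtcGxlLWNoYWxsZW5nZQ"   # constructed base64url challenge
    ad = make_auth_data(RP_ID, 0x01, 42)   # 0x01 = user-present flag, counter 42
    print(check_assertion(make_client_data(ORIGIN, chal), ad, chal, 41))   # (True, ...)
    print(check_assertion(make_client_data("https://login.example.com.evil.test", chal), ad, chal, 41))
    print(check_assertion(make_client_data(ORIGIN, chal), ad, chal, 42))   # counter did not increase
```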

Red Flags in MFA Deployment

  • SMS as primary method
  • No backup methods configured
  • Same method for all users
  • No help desk training

Key Takeaways

  1. Tier your approach. Hardware keys for privileged accounts. Number-matched push for general staff. SMS only for break-glass.
  2. Phishing resistance matters. Number-matched push and hardware keys verify the user sees the real login page, defeating phishing sites.
  3. Always have a backup. Users will lose keys, break phones, and travel internationally. Plan for recovery before you need it.

MFA is not a checkbox. It is a security control that varies dramatically in effectiveness depending on which method you choose and how you deploy it. The right mix depends on your risk profile, user base, and identity platform capabilities. Start with phishing-resistant methods for your highest-risk accounts and build outward from there.

Deployment Considerations

Choosing the right MFA method is only half the challenge. How you roll it out determines whether users adopt it or find ways to bypass it. A poorly planned deployment can create more risk than it removes. The most common failure is mandatory MFA enforcement without adequate user preparation, leading to helpdesk overload and users sharing MFA codes as a workaround.

  • Communicate before you enforce. Tell users what is changing, why it matters, and what they need to do. Give them at least a week to register their MFA method before enforcement begins. Users who are surprised by mandatory MFA on login day will flood the helpdesk.
  • Start with IT and admins first. If your own team has not enrolled in MFA, you cannot credibly ask the rest of the organization to do it. Admin accounts should be the first to get hardware keys and number-matched push.
  • Plan for lost and locked-out devices. Users will lose phones, break hardware keys, and travel to places without cell service. Establish a helpdesk process for MFA reset and recovery before you need it. Keep spare hardware keys in a physical safe for break-glass scenarios.
  • Train helpdesk staff on MFA support. Helpdesk agents are the first line of support when users get locked out. They need to understand the difference between MFA methods, know how to verify identity before resetting MFA, and recognize social engineering attempts targeting the helpdesk.
  • Monitor adoption and exceptions. Track which users have enrolled and which have not. Follow up with non-compliant users before their grace period expires. Document and time-limit any exceptions, and review them regularly.
  • Provide clear documentation. Give users a one-page guide showing how to set up each supported MFA method, what to do if they lose their device, and how to contact the helpdesk. Keep this documentation in a place users can find without asking.

Compliance and Insurance Expectations

MFA requirements have moved from "recommended" to "expected" across most compliance frameworks and insurance carriers. Understanding what your auditors and underwriters look for helps you deploy MFA that satisfies requirements without over-investing.

  • Cyber insurance: most carriers now require MFA for email and remote access at minimum. Some require phishing-resistant MFA for privileged accounts. Failure to enforce MFA can result in denied claims or higher premiums.
  • NIST SP 800-63B: recommends against SMS-based OTP for sensitive accounts and encourages phishing-resistant authenticators. NIST 800-171 and CMMC require MFA for all users accessing CUI.
  • SOC 2 and ISO 27001: expect MFA as part of access control requirements. Auditors look for evidence that MFA is enforced, not just available.
  • HIPAA and PCI DSS: require multi-factor authentication for remote access to systems containing protected data. PCI DSS v4.0 specifically mandates MFA for all access to the cardholder data environment.

Common Questions

What is the most secure type of MFA?

Hardware security keys (FIDO2/WebAuthn) and phishing-resistant methods like number-matched push notifications are the strongest options. They resist phishing, man-in-the-middle attacks, and credential theft better than SMS or basic TOTP codes.

Why is SMS-based MFA considered weak?

SMS codes can be intercepted through SIM swapping, SS7 protocol attacks, or social engineering of mobile carriers. They are also vulnerable to real-time phishing sites that trick users into entering the code on a fake login page.

What is TOTP and how is it different from push notifications?

TOTP (Time-based One-Time Password) generates codes locally on the device using a shared secret and current time. Push notifications send an approval request from the server to the device. TOTP works offline; push requires network connectivity and a registered device.

Are hardware security keys worth the cost?

For privileged accounts like admins, executives, and finance staff, the $20-50 per-user cost is justified by the phishing resistance. For general staff, number-matched push provides similar phishing protection without hardware costs if your identity platform supports it.

Should employees use personal phones for MFA?

Requiring personal devices for work MFA raises privacy and fairness concerns. Offer company-managed options like hardware keys or managed devices alongside personal-device methods, and document what data the MFA app can access.

Need help choosing the right MFA mix for your environment?

We can assess your risk profile, user base, and compliance needs to recommend the right combination of MFA methods.
