MFA (multi-factor authentication) or 2FA (two-factor authentication) is a security procedure that requires users to log in using more than just a username and password.
- 2FA means two factors from different categories, such as:
  - Knowledge – something you know (e.g., password, PIN)
  - Possession – something you have (e.g., smartphone app, hardware token)
  - Biometrics – something that defines who you are (e.g., fingerprint, facial recognition)
- MFA is an umbrella term and can combine two or more factors.
In short:
MFA/2FA enhances account security by requiring an additional form of identity verification (e.g., SMS code, authenticator app, fingerprint) in addition to the password.
Common apps include: Microsoft Authenticator, Google Authenticator, or DUO Mobile.
However, there are significant differences in security between these methods. Using a second factor does not automatically protect you; the type of factor used matters a great deal.
🔑 1. Entering a code
a) SMS code (one-time password, OTP via SMS)
- Process: the server generates a 6-digit code → sends it via text message → the user enters it.
- Safety considerations:
  - ✅ Simple and widely used
  - ❌ Vulnerable to SIM swapping / SMS interception
  - ❌ Codes remain valid for a short window (e.g., 30–60 seconds) → risk of phishing
  - ❌ SMS messages are often not end-to-end encrypted
➡️ Vulnerable to social engineering and cyberattacks
b) TOTP code (Time-based One-Time Password, e.g., Google Authenticator)
- Process: a shared secret key is stored locally in the app → the app generates a new code every 30 seconds → the user enters it.
- Safety considerations:
  - ✅ No SMS channel, so it is resistant to SIM swapping
  - ✅ Works offline (no internet connection required)
  - ❌ Vulnerable to phishing (an attacker can intercept the code and use it immediately, within its validity window)
  - ❌ If malware is present on the device, the secret key can be read
➡️ Better than text messages, but not immune to phishing
📲 2. Push Token / Push Confirmation
a) Push app (e.g., Microsoft Authenticator, Duo, Okta)
- Process: the server sends a signed request to the app → the user confirms (Approve/Deny) or uses biometric authentication.
- Safety considerations:
  - ✅ No manual entry → prevents phishing attacks on codes
  - ✅ Connection is usually TLS-secured and cryptographically signed
  - ✅ Can incorporate biometric factors (Face ID, fingerprint)
  - ❌ Push bombing attacks are possible (an attacker sends a large number of requests, and the user accidentally clicks "Approve")
  - ❌ Depends on an internet connection and the app's integrity
➡️ Greater security than TOTP, especially when combined with biometrics and "number matching"
🛡️ 3. Hardware-based tokens (e.g., FIDO2 / YubiKey)
- Process: the token performs a cryptographic challenge-response signature, usually via USB or NFC.
- Safety considerations:
  - ✅ Highly resistant to phishing (binds the login to the genuine domain)
  - ✅ No codes or push notifications → nothing to intercept
  - ✅ No reliance on the internet or mobile networks
  - ❌ Higher acquisition and administrative costs
➡️ Maximum security, especially for critical accounts
⚖️ Comparison Chart
| Method | Phishing-resistant | Protection against SIM swaps | User-friendly | Internet required |
|---|---|---|---|---|
| SMS code | ❌ Low | ❌ Weak | ✅ High | 📶 Yes |
| TOTP (app code) | ❌ Medium | ✅ Good | ⚖️ Medium | ❌ No |
| Push app | ⚖️ Better | ✅ Good | ✅ High | 📶 Yes |
| Hardware token (FIDO2) | ✅ Very high | ✅ Excellent | ⚖️ Medium | ❌ No |
💡 Conclusion:
- Push tokens with biometric authentication offer greater protection than code-only authentication (especially against phishing).
- FIDO2/hardware tokens are the most secure because they cryptographically verify the authenticity of the domain.
- SMS codes are now considered insecure and should only be used as a last-resort MFA option.
Disclosure: Parts of my blog are written with the help of AI, and I have reviewed and edited the content.
