What form of MFA Is The Best?

2FA / MFA Issues

With a lot of business processes now largely cloud-based, compromised passwords are the quickest and easiest way for bad guys to exploit computer systems. So how can you protect your online and offline accounts and data? The best way is with multi-factor authentication (MFA). See our blog article on Why Multi-Factor Authentication is Important. 

Also know as 2 Factor Authentication, MFA provides two barriers to access an account – both the password and a second authentication step. So even if the cybercriminals have your username and password they can’t login as they most likely will not have access to the device that receives the MFA code to complete 2nd authentication step.

What Types of MFA Are There?

Currently there is 3 type of methods to use for MFA: SMS, an app on your phone and a hardware security key. Before you implement multi-factor authentication, it is important to compare these three main methods of MFA and not just assume they are all the same.

1) SMS

This is the form that most people are familiar with and uses test or SMS messages on your phone.  Users will normally enter their mobile number when setting up MFA. Then, whenever they log into their account, they will receive a text message with a time-sensitive code that must be entered to gain access to that account.

This method is the simplest but also the most insecure as it is relatively easy to transfer a test message to another phone.

2) Mobile Application

Another type of multi-factor authentication will use a special application on your mobile phone or computer to provide the code. The user still generates the MFA code at login, but rather than receiving the code via SMS, it is synchronised with an app.

This is usually done via a push notification, and some of the applications typically used for this are MS Authenticator and Google Authenticator.

3) Hardware Security Key

The third method involves using a separate hardware based security key that you can plug into a PC or mobile device to authenticate the login. The key itself is purchased at the time the MFA solution is set up and will be the device that receives the authentication code and automatically authenticates.

The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system.

What Are The Differences Between These Methods?

Often users may feel that MFA is slowing them down and / or they complain about having to learn a new app or trying to not to lose the hardware security key. This “inconvenience” causes some companies to not use MFA, which leaves their accounts less protected.

If you face user pushback, don’t abandon your MFA plans. Instead use SMS-based MFA as it is the most convenient form and the vast majority of people are already used to getting text messages on their phones (thus there are no new interfaces to learn and no app to install).

While SMS’s are the least secure method for MFA (as phones can be cloned and SMS’s hacked), using SMS’s is better and more secure than not using any MFA method at all. Thus, we highly recommend everyone uses SMS’s at the very least.

If you are looking for the most secure form of MFA then the security key is the way to go.

The MFA mobile app is in between these two methods in terms of security. Using an MFA application that delivers the code via push notification is more secure than the SMS-based MFA. It is also more convenient than needing to carry around a separate security key that could quickly become lost or misplaced.

A recent Google study looked at the effectiveness of these three methods of MFA at blocking three different types of attacks. Overall, the security key was the most secure, followed by the app and then SMS’s. The percentage of attacks blocked by each method were:

  • SMS-based MFA blocked between 76 – 100%.
  • The on-device app blocked between 90 – 100%.
  • A security key blocked 100% of all three attack types.

Do you Need Help Implementing MFA At Your Company?

In today’s environment, multi-factor authentication is a “must-have” solution to help keep your accounts secure. If you need assistance, contact us to discuss your pain points and come up with a solution to help keep your cloud environment safe and secure?