Not all MFA is created equal. Enabling multi-factor authentication is one of the most important security steps your organisation can take — but the method you choose determines how much protection you actually gain. Some methods are easy to deploy but relatively easy for attackers to bypass. Others are virtually unphishable but require more planning to roll out.
This lesson compares the four most common MFA methods in use today, explains the strengths and weaknesses of each, and helps you decide which approach is right for your organisation’s risk profile and operational reality.
The Four Main MFA Methods
When we talk about a “second factor,” we mean something beyond the password that proves you are who you claim to be. The four methods most commonly deployed in business environments are:
- SMS codes — a one-time code sent via text message to a registered phone number
- TOTP (authenticator apps) — a time-based code generated by an app such as Microsoft Authenticator, Google Authenticator, or Authy
- Hardware security keys — a physical device (such as a YubiKey) that you plug in or tap against your device
- Passkeys — a newer standard that replaces the password entirely with a cryptographic credential stored on your device
Diagram: MFA Methods (Security vs Ease of Deployment)
Quadrant chart with Security Strength on the Y-axis and Ease of Deployment on the X-axis. SMS sits low-security/easy-deploy. TOTP sits mid-security/easy-deploy. Hardware keys sit high-security/harder-deploy. Passkeys sit high-security/mid-deploy.
SMS Codes: Better Than Nothing, But Vulnerable
SMS-based MFA sends a one-time code to the user’s phone number. The user types this code into the login screen to complete authentication. It is the oldest and most widely deployed MFA method.
Advantages:
- Almost everyone has a mobile phone capable of receiving SMS
- No app installation or hardware purchase required
- Users are already familiar with receiving codes by text
Weaknesses:
- SIM swapping — an attacker convinces a mobile provider to transfer your phone number to a SIM card they control. They then receive all SMS codes sent to that number. This attack is well-documented and has been used against high-profile targets including cryptocurrency investors, executives, and public figures.
- SS7 interception — the global telephony protocol (SS7) has known vulnerabilities that allow attackers to intercept SMS messages in transit. Nation-state and organised crime groups have exploited this.
- Real-time phishing — sophisticated phishing kits capture the SMS code in real time as the user enters it, relaying it to the attacker who uses it immediately before it expires.
SMS-based MFA is significantly better than no MFA at all. However, both the NCSC and NIST recommend moving away from SMS as a second factor for sensitive systems and high-risk users. For most organisations, SMS should be treated as a transitional step, not the destination.
TOTP (Authenticator Apps): The Practical Middle Ground
Time-based One-Time Passwords (TOTP) are generated by an authenticator app installed on your phone. The app produces a new six-digit code every 30 seconds. Because the code is generated locally on your device — not sent over the mobile network — it cannot be intercepted via SIM swapping or SS7 attacks.
Advantages:
- Eliminates SIM-swap and SMS-interception risks
- Free apps available from Microsoft, Google, and others
- Works without mobile signal or internet on the phone
- Supported by virtually all business cloud services
Weaknesses:
- Still vulnerable to real-time phishing (the user types a code that can be captured and relayed)
- Requires users to install and configure an app
- If the phone is lost without backup codes, recovery can be disruptive
TOTP via an authenticator app is the recommended minimum standard for most organisations. It offers a strong balance of security, cost (free), and usability. Many organisations will find this is the right default for most staff.
Hardware Security Keys: The Strongest Practical Defence
Hardware keys — such as YubiKeys, Google Titan keys, or Feitian keys — are small physical devices that connect to your computer via USB, NFC, or Bluetooth. When you log in, you tap or insert the key to cryptographically prove you possess it. The key uses a protocol called FIDO2/WebAuthn that is fundamentally resistant to phishing.
Advantages:
- Phishing-resistant — the key cryptographically binds to the specific website. Even if a user visits a fake login page, the key will not authenticate to it. This eliminates the single biggest MFA bypass method.
- No codes to type, no app to check — you simply tap the key
- Works across devices and platforms
- Extremely difficult for an attacker to compromise remotely
Weaknesses:
- Hardware cost — typically £20–50 per key, and best practice is two keys per user (one primary, one backup)
- Physical distribution — you need to get the keys to your employees
- Loss and replacement — lost keys need to be replaced and old ones deregistered
Diagram: Why Hardware Keys Are Phishing-Resistant
Two-path diagram — Path A: User on real login page → key verifies domain → authentication succeeds. Path B: User on fake phishing page → key checks domain, domain doesn’t match → authentication refused. Shows how cryptographic origin binding defeats phishing automatically.
Google mandated hardware keys for all 85,000+ employees in 2017. Since then, they have reported zero successful phishing-based account takeovers against employee accounts. Hardware keys are the gold standard for high-risk accounts — administrators, executives, finance, and anyone with access to sensitive data.
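The origin binding that makes hardware keys (and, in the next section, passkeys) phishing-resistant can be shown in a small model. This is an added, deliberately simplified Python sketch, not the lesson's material and not a real WebAuthn library: example.com and the lookalike examp1e.com are constructed names, the rpId is taken to be the origin's host, and an HMAC over a per-credential secret stands in for the authenticator's ECDSA signature.

```python
import hashlib
import hmac
import json
import os

RP_ID = "example.com"              # relying party identifier (constructed for this example)
RP_ORIGIN = "https://example.com"  # the only origin the relying party accepts
class Authenticator:  # simplified FIDO2 authenticator (security key or passkey store)
    def __init__(self):
        self.credentials = {}  # rpId -> per-credential secret; stands in for the private key
    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # a real RP stores only the matching public key
    def get_assertion(self, rp_id: str, client_data_json: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # no credential scoped to this rpId: the key refuses (Path B above)
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(key, signed, hashlib.sha256).digest()}  # HMAC stands in for ECDSA

def browser_login(authenticator: Authenticator, page_origin: str, challenge: str):
    # The browser, not the page's script, records the origin and derives the rpId from it.
    rp_id = page_origin.split("://", 1)[1]  # simplified: rpId is the origin's host
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return authenticator.get_assertion(rp_id, client_data)

def rp_verify(registered_key: bytes, challenge: str, assertion) -> bool:
    if assertion is None:
        return False
    client = json.loads(assertion["clientDataJSON"])
    if client["challenge"] != challenge or client["origin"] != RP_ORIGIN:
        return False  # stale challenge, or an assertion produced for some other site
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(hmac.new(registered_key, signed, hashlib.sha256).digest(), assertion["signature"])

def demo():
    auth, challenge = Authenticator(), os.urandom(16).hex()
    key = auth.register(RP_ID)
    genuine = rp_verify(key, challenge, browser_login(auth, RP_ORIGIN, challenge))
    # Lookalike page relays the real challenge (as TOTP phishing does); its rpId holds no credential
    refused = browser_login(auth, "https://examp1e.com", challenge) is None
    # Even a credential enrolled with the lookalike names the lookalike's origin/rpIdHash: rejected
    auth.register("examp1e.com")
    forged = rp_verify(key, challenge, browser_login(auth, "https://examp1e.com", challenge))
    return genuine, refused, forged
```

Compare this with TOTP: the relying party here rejects a relayed assertion because the origin is part of what is signed, whereas a relayed six-digit code carries no information about where it was typed.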
Passkeys: The Future of Authentication
Passkeys are the newest MFA method, built on the same FIDO2/WebAuthn standard as hardware keys but stored on your phone, laptop, or tablet instead of a separate physical device. When you log in, your device authenticates you using biometrics (fingerprint, face) or a device PIN, and then cryptographically proves your identity to the website.
Advantages:
- Phishing-resistant — same cryptographic origin binding as hardware keys
- No hardware to purchase — uses the devices staff already carry
- No passwords to remember or type — the passkey replaces the password entirely
- Supported by Apple, Google, and Microsoft across their ecosystems
Weaknesses:
- Adoption is still early — not all business applications support passkeys yet
- Cross-platform sync can be complex in mixed-device environments
- Recovery scenarios (lost device, new device) require planning
- Organisational management tooling is still maturing
Passkeys represent where authentication is heading. For organisations already on Microsoft 365 or Google Workspace, passkey support is available now and worth piloting. However, most organisations will use passkeys alongside other MFA methods rather than as a complete replacement — at least for the next one to two years.
Diagram: MFA Methods Comparison Table
Comparison matrix — Rows: SMS, TOTP, Hardware Keys, Passkeys. Columns: Phishing Resistance, Cost, User Experience, Deployment Complexity, Maturity. Colour-coded green/amber/red ratings for each cell.
Choosing the Right Method for Your Organisation
There is no single right answer. The best approach for most organisations is a tiered strategy:
- High-risk accounts (admins, executives, finance) — hardware security keys or passkeys (phishing-resistant)
- All other staff — authenticator app (TOTP) as the minimum standard
- SMS — only as a temporary fallback during transition, with a clear plan to move users to TOTP or better
The goal is not perfection on day one. It is to move every account to at least TOTP-level protection as quickly as possible, and to deploy phishing-resistant methods for the accounts that attackers target most.
Why This Matters
Attackers adapt to defences. As more organisations deploy basic MFA, attackers have developed tools to bypass weaker methods — particularly SMS and TOTP — through real-time phishing toolkits like EvilGinx and Modlishka. Choosing the right MFA method is not academic; it directly determines whether a sophisticated phishing campaign succeeds or fails against your organisation.
The method you choose also affects user experience and therefore adoption. An MFA method that is too disruptive will face resistance, workarounds, and exceptions — each of which is a security gap.
What to Do Now
- Inventory which MFA methods are currently enabled across your organisation’s key platforms
- Identify which accounts are protected by SMS-only MFA and plan a migration to TOTP or stronger
- Evaluate hardware security keys for your highest-risk users (administrators, C-suite, finance)
- Check whether your primary platforms (Microsoft 365, Google Workspace) support passkeys and consider a pilot
- Establish a minimum MFA standard in your security policy (recommended: authenticator app or stronger)
Evidence to Collect
- A record of which MFA methods are enabled on each critical platform
- A breakdown of how many users are on SMS vs authenticator app vs hardware key
- Your organisation’s written MFA policy or standard (even a one-page version)
- Any vendor documentation showing platform support for FIDO2/passkeys
Common Mistakes
- Treating all MFA methods as equally secure. SMS-based MFA is dramatically weaker than TOTP, which is in turn weaker than hardware keys or passkeys against phishing. The method matters.
- Deploying SMS MFA and considering the job done. SMS is a starting point, not an endpoint. It is vulnerable to SIM swapping and real-time phishing — the very attacks most likely to target your organisation’s most valuable accounts.
- Ignoring phishing-resistant options for high-risk users. If your CEO, CFO, and domain administrators are protected only by an authenticator app, a sophisticated phishing attack can still succeed. Hardware keys eliminate this risk for a modest cost.
- Waiting for passkeys to be “ready” before doing anything. Passkeys are maturing rapidly, but you should not wait. Deploy TOTP now, plan for passkeys as the next step, and use hardware keys for critical accounts today.
Knowledge Check
Question 1 of 4
What is the primary vulnerability of SMS-based MFA?
A. It requires an internet connection
B. It is vulnerable to SIM swapping, SS7 interception, and real-time phishing
C. It only works on iPhones
D. The codes expire too quickly to be useful
Answer:
B. SMS codes can be intercepted through SIM swapping (redirecting the phone number), SS7 protocol vulnerabilities, and real-time phishing kits that capture and relay codes instantly.
Question 2 of 4
Why are hardware security keys considered “phishing-resistant”?
A. They are too expensive for attackers to buy
B. They cryptographically verify the website’s domain, so they refuse to authenticate on fake sites
C. They require a fingerprint that cannot be faked
D. They only work within the office network
Answer:
B. Hardware keys use FIDO2/WebAuthn to cryptographically bind authentication to the specific website domain. If a user visits a fake login page, the key detects the domain mismatch and will not authenticate — defeating phishing automatically.
Question 3 of 4
What is the recommended minimum MFA standard for most staff?
A. SMS codes
B. Email-based one-time codes
C. Authenticator app (TOTP)
D. No MFA is needed for non-technical staff
Answer:
C. An authenticator app (TOTP) provides the best balance of security, cost, and usability for general staff. SMS should be treated as a temporary fallback, and high-risk users should have phishing-resistant methods (hardware keys or passkeys).
Question 4 of 4
What result did Google report after mandating hardware security keys for all employees?
A. Phishing attacks decreased by 50%
B. Zero successful phishing-based account takeovers
C. Employee satisfaction dropped significantly
D. They reverted to SMS after six months
Answer:
B. After mandating hardware keys for all 85,000+ employees in 2017, Google reported zero successful phishing-based account takeovers — demonstrating the effectiveness of phishing-resistant MFA at scale.
Summary Notes — MFA Methods Compared
Key Takeaways
- SMS is better than no MFA but vulnerable to SIM swapping, SS7 interception, and real-time phishing.
- TOTP (authenticator apps) eliminates SIM/SS7 risks and is the recommended minimum for all staff.
- Hardware keys are phishing-resistant via cryptographic domain binding — the gold standard for high-risk accounts.
- Passkeys offer phishing resistance without separate hardware but are still maturing for enterprise management.
- A tiered approach is recommended: hardware keys for admins/executives, TOTP for all staff, SMS only as a temporary fallback.
Action Items
- Audit current MFA methods in use across all critical platforms.
- Migrate SMS-only users to authenticator apps.
- Evaluate and pilot hardware keys for administrators and executives.
- Set a minimum MFA standard (TOTP or stronger) in your security policy.
Compliance Relevance
Cyber Essentials requires MFA for cloud services and administrator access but does not mandate a specific method. ISO 27001 Annex A.8.5 requires secure authentication appropriate to the sensitivity of the system. NIST SP 800-63B Authenticator Assurance Level 2 (AAL2) requires multi-factor authentication and recommends phishing-resistant methods for high-assurance scenarios. Choosing stronger MFA methods directly supports compliance across these frameworks.