Authentication

Top 5 MFA Methods Compared: SMS, TOTP, Biometrics, Hardware Keys & Push Notifications

Trout Team, 7 min read

Passwords alone don’t cut it anymore. Over 80% of breaches involve stolen or weak credentials, which is exactly why every major compliance framework — CMMC, NIST 800-171, NIS2 — now requires Multi-Factor Authentication (MFA).

But "enable MFA" isn’t a single decision. There are five mainstream methods, and they vary wildly in security, cost, and how much your team will actually use them.

Here’s the short version:

At a Glance: MFA Methods Compared

|                      | SMS OTP                 | TOTP              | Biometrics             | Hardware Keys               | Push Notifications  |
|----------------------|-------------------------|-------------------|------------------------|-----------------------------|---------------------|
| Security             | Low                     | Medium            | High                   | Very High                   | Medium-High         |
| Phishing resistance  | None                    | None              | High                   | Very High                   | Medium              |
| User experience      | Easy                    | Moderate          | Very Easy              | Easy (after setup)          | Very Easy           |
| Setup cost           | Free                    | Free              | Moderate-High          | $25–70/key                  | Low                 |
| Ongoing cost         | Per-SMS fees            | Free              | Device-dependent       | Replacement keys            | App license         |
| Offline capable      | No (needs cell signal)  | Yes               | Yes                    | Yes                         | No (needs internet) |
| CMMC / NIST 800-171  | Discouraged             | Compliant         | Compliant              | Compliant                   | Compliant           |
| Best for             | Low-risk apps, fallback | General workforce | Mobile/endpoint access | High-security roles, admins | Large user bases    |

Two qualifications on the ratings: the biometrics column assumes a platform biometric that unlocks a device-bound credential (Windows Hello for Business, FIDO2 passkeys), because a biometric that merely gates a typed code inherits that code's weaknesses; and the push column's phishing resistance assumes number matching, which stops blind approvals but not a real-time relay through a phishing proxy.

Now let’s break each one down.


1. SMS-Based Authentication

A one-time passcode sent to your phone via text message. It’s the most familiar MFA method — and the weakest.

How it works: You log in with your password, receive a 6-digit code via SMS, and enter it within a short window.

Why teams still use it: Zero setup friction. Every employee already has a phone number. No apps to install, no hardware to buy.

Why you should move away from it: SMS is vulnerable to SIM swapping (an attacker convinces your carrier to move your number to a SIM they control), interception on the SS7 signalling network, and social engineering that talks the user into reading the code back. The code is also readable by any malware on the phone that holds SMS permissions, and, like any typed code, it can be relayed in real time through a phishing page. NIST SP 800-63B classifies one-time codes delivered over the public telephone network (SMS and voice) as a restricted authenticator type, and SMS will not satisfy a CMMC Level 2 assessor who expects phishing-resistant MFA for CUI access.

Bottom line: Acceptable only as a fallback or for low-sensitivity applications. If you’re protecting CUI or critical infrastructure, SMS alone isn’t enough.


2. Time-Based One-Time Password (TOTP)

A code generated by an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) that refreshes every 30 seconds.

How it works: During setup, the user scans a QR code that carries the shared secret (an otpauth:// URI with the base32-encoded key, issuer and account name); the same secret is stored on the server. From then on the app derives each code from that secret and the current 30-second time step, so no network connection is needed, and the server recomputes the code from its own clock to check it.

Why it’s a solid middle ground: TOTP eliminates the SMS interception problem entirely. Codes are generated locally on the device, work offline, and are compliant with NIST 800-171. Most identity providers support it out of the box.

Where it falls short: TOTP is still susceptible to real-time phishing. If an attacker stands up a convincing login page, a user can be tricked into entering both their password and TOTP code, which the attacker relays to the real site within the code's validity window. The shared secret also lives on the server, so a database compromise exposes every user's seed unless the seeds are encrypted at rest. And it creates a support burden: users lose phones, delete apps, or forget to transfer secrets when switching devices.

Bottom line: A meaningful upgrade over SMS and a practical default for most organizations. Pair it with user training on phishing awareness.


3. Biometric Authentication

Fingerprint scans, facial recognition, or iris scans — using who you are as the second factor.

How it works: The device captures a biometric sample and compares it against a stored template. Modern implementations (Windows Hello, Apple Face ID/Touch ID) keep the template in a secure enclave or TPM and never send it to a server. In an MFA deployment (Windows Hello for Business, FIDO2 passkeys) what the server actually verifies is a signature from a device-bound private key that a successful match unlocks; the biometric is the local gate in front of that key, and the phishing resistance comes from the key being bound to the device and the site.

Why it’s compelling: Nothing to remember, nothing to carry, nothing to lose. Authentication takes under a second. Biometrics are extremely difficult to forge in practice, especially with liveness detection that prevents photo or mold-based attacks.

The tradeoffs: Biometrics can’t be rotated — you can’t change your fingerprint if it’s compromised. Enterprise-wide deployment requires compatible hardware (fingerprint readers, IR cameras), which adds cost. There are also privacy considerations: some employees may resist biometric enrollment, and regulations like GDPR and BIPA impose strict handling requirements.

Bottom line: Excellent for endpoint authentication and mobile access. Best deployed as part of a platform-level solution (e.g., Windows Hello for Business) rather than a standalone system.


4. Hardware Security Keys

Physical devices — typically USB or NFC — that cryptographically prove the user’s identity. YubiKey, Google Titan, and Feitian are the most common brands.

How it works: The key uses public-key cryptography (FIDO2/WebAuthn). During registration it generates a fresh key pair for that site (the relying party) and hands over only the public key. During login, the browser passes the key a server challenge together with the site's registered identifier, and the key signs that challenge along with the origin the browser observed. The private key never leaves the device.

Why it's the gold standard: Hardware keys are phishing-resistant by design. The signature is bound to the registered domain, and the browser will not let a page on another domain invoke the credential at all, so even if a user visits a fake login page the key will not respond; if a relayed response ever did reach the real site, its origin field would not match and the server would reject it. They also resist credential replay and man-in-the-middle credential theft. They do not, however, protect an already authenticated session from malware on the endpoint, which can still steal cookies or drive the browser. Google reported no successful phishing of employee accounts after deploying security keys to its 85,000+ employees.
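The origin binding described above, as an added example in Go (not code from the original post or from any vendor's library): a mock authenticator holding a P-256 key stands in for the hardware key, browserGet models the browser's rule that a page must be HTTPS and may only use an RP ID matching its own host, and verifyAssertion runs the relying party's checks in the order the WebAuthn specification lists them. The domains example.com and example.com.evil-login.net, the challenge strings and every function name are constructed for illustration; a real deployment issues a 32-byte random challenge per login and uses a WebAuthn library rather than hand-rolled parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"strings"
)

// clientData is assembled by the browser; the origin comes from the page's real URL.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what reaches the server: authData = SHA-256(rpID) || flags || 32-bit
// counter; signature = ES256 over SHA-256(authData || SHA-256(clientDataJSON)).
type assertion struct{ authData, clientDataJSON, signature []byte }

// credential is the server's record of one registered key; mockAuthenticator stands
// in for the hardware key, whose private key never leaves it.
type credential struct{ pub *ecdsa.PublicKey; signCount uint32 }
type mockAuthenticator struct{ priv *ecdsa.PrivateKey; count uint32 }

func newAuthenticator() *mockAuthenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &mockAuthenticator{priv: priv}
}

func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// sign is the raw authenticator operation: it sees only the RP ID and the client
// data the browser hands it, and bumps its counter on every use.
func (a *mockAuthenticator) sign(rpID, origin, challenge string) assertion {
	a.count++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01) // flags: user present
	authData = append(authData, byte(a.count>>24), byte(a.count>>16), byte(a.count>>8), byte(a.count))
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	return assertion{authData: authData, clientDataJSON: cd, signature: sig}
}

// browserGet models the browser's rule: the page must be HTTPS and may only use an
// RP ID equal to its host or a registrable suffix of it, so a page on
// example.com.evil-login.net cannot even invoke a credential registered to example.com.
func browserGet(a *mockAuthenticator, pageOrigin, rpID, challenge string) (assertion, error) {
	host := strings.SplitN(strings.TrimPrefix(pageOrigin, "https://"), ":", 2)[0]
	if !strings.HasPrefix(pageOrigin, "https://") || (host != rpID && !strings.HasSuffix(host, "."+rpID)) {
		return assertion{}, fmt.Errorf("browser refused: %s may not use RP ID %s", pageOrigin, rpID)
	}
	return a.sign(rpID, pageOrigin, challenge), nil
}

// verifyAssertion is the relying party's check list in the spec's order: ceremony
// type, challenge, origin, RP ID hash, user-presence flag, counter, then signature.
func verifyAssertion(cred *credential, rpID, wantOrigin, wantChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.clientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != wantChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != wantOrigin:
		return fmt.Errorf("origin %q is not %q: relayed from another site", cd.Origin, wantOrigin)
	case len(as.authData) < 37 || string(as.authData[:32]) != string(rpHash[:]):
		return fmt.Errorf("RP ID hash mismatch")
	case as.authData[32]&0x01 == 0:
		return fmt.Errorf("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(as.authData[33:37])
	if count <= cred.signCount {
		return fmt.Errorf("signature counter %d did not increase: replay or cloned key", count)
	}
	if !ecdsa.VerifyASN1(cred.pub, signedMessage(as.authData, as.clientDataJSON), as.signature) {
		return fmt.Errorf("bad signature")
	}
	cred.signCount = count
	return nil
}

func main() {
	key := newAuthenticator()
	cred := &credential{pub: &key.priv.PublicKey} // what the server stored at registration
	as, _ := browserGet(key, "https://login.example.com", "example.com", "challenge-1") // constructed challenge
	fmt.Println("legitimate login:", verifyAssertion(cred, "example.com", "https://login.example.com", "challenge-1", as))
	_, err := browserGet(key, "https://example.com.evil-login.net", "example.com", "challenge-2")
	fmt.Println("phishing page:", err)
}
```

The two checks are independent on purpose: the browser rule stops the phishing page from obtaining a signature at all, and the server's origin comparison catches a response that was somehow produced for the wrong origin and relayed. The counter check is what turns a cloned or replayed key into a visible event rather than a silent login.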

The tradeoffs: Cost is $25–70 per key, and you’ll want two per user (one primary, one backup). Lost keys require a recovery process. Some legacy systems and older browsers lack FIDO2 support. In OT/industrial environments, USB ports may be restricted.

Bottom line: The strongest MFA method available today. Prioritize it for administrators, privileged accounts, and anyone accessing sensitive data. For CMMC Level 2 and above, hardware keys provide the clearest path to phishing-resistant MFA.


5. Push Notifications

A prompt sent to a registered mobile app — the user taps "Approve" or "Deny" instead of typing a code.

How it works: When a login attempt occurs, the identity provider sends a push notification to the user’s registered device. The user reviews the request (often with context like location and device info) and approves or denies with a tap.

Why users love it: Fastest user experience of any MFA method. No codes to type, no hardware to carry. Context-rich notifications help users spot unauthorized attempts.

The risk: push fatigue (push bombing) attacks. Attackers who already have a user's password can spam push requests until the user accidentally (or deliberately, out of frustration) taps "Approve." Microsoft, Uber, and Cisco have all been breached via this technique. Modern implementations mitigate this with number matching (the user must type a number shown on the login screen into the app), rate limiting of prompts per user, and fraud reporting from the app, but adoption of these safeguards is still inconsistent. Note that number matching defeats blind approvals, not real-time relay: a phishing proxy that forwards the victim's password to the real identity provider also sees the number and can display it to the victim, so push with number matching is still not phishing-resistant in the sense that hardware keys are.
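Number matching and rate limiting from the paragraph above, as an added example in Go (not code from the original post): a toy identity-provider push service that issues a two-digit number with each prompt, fails any approval that does not carry that number, expires prompts, gives each prompt exactly one attempt, and once a user has been prompted more than a fixed number of times in a window suppresses further prompts and flags the account. The policy values (3 prompts per 10 minutes, 60-second prompt lifetime), the user names and the device-context string are assumptions chosen for the demo.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pushRequest is one pending prompt. The two-digit number is displayed on the login
// screen and must be typed into the app, so a blind "Approve" tap cannot finish it.
type pushRequest struct {
	id, user, context string
	number            int
	issuedAt          time.Time
}

// pushService is the identity-provider side. Policy values are assumptions for the
// demo: 3 prompts per user per 10 minutes, 60-second prompt lifetime.
type pushService struct {
	maxPerWindow int
	window, ttl  time.Duration
	sent         map[string][]time.Time  // prompt timestamps per user
	pending      map[string]*pushRequest // prompts awaiting a response
	flagged      map[string]string       // locked users, with the reason for the SOC
	nextID       int
}

func newPushService() *pushService {
	return &pushService{maxPerWindow: 3, window: 10 * time.Minute, ttl: 60 * time.Second,
		sent: map[string][]time.Time{}, pending: map[string]*pushRequest{}, flagged: map[string]string{}}
}

// requestPush runs after a correct password. It refuses flagged users and rate-limits
// per user; exceeding the limit locks the account and drops outstanding prompts, which
// is what starves an attacker who only has the password.
func (s *pushService) requestPush(user, context string, now time.Time) (*pushRequest, error) {
	if why, ok := s.flagged[user]; ok {
		return nil, fmt.Errorf("%s is locked: %s", user, why)
	}
	var recent []time.Time
	for _, t := range s.sent[user] {
		if now.Sub(t) < s.window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= s.maxPerWindow {
		s.flagged[user] = fmt.Sprintf("%d push prompts within %s: possible push fatigue attack", len(recent)+1, s.window)
		for id, p := range s.pending {
			if p.user == user {
				delete(s.pending, id)
			}
		}
		return nil, errors.New("rate limit exceeded: prompt suppressed, account flagged")
	}
	s.sent[user] = append(recent, now)
	n, _ := rand.Int(rand.Reader, big.NewInt(100))
	s.nextID++
	req := &pushRequest{id: fmt.Sprintf("req-%d", s.nextID), user: user, context: context, number: int(n.Int64()), issuedAt: now}
	s.pending[req.id] = req
	return req, nil
}

// approve is the app's reply: the user types the number shown on the login screen.
// A wrong number, an expired prompt, or a reused prompt all fail closed.
func (s *pushService) approve(id string, typed int, now time.Time) error {
	req, ok := s.pending[id]
	if !ok {
		return errors.New("no such pending prompt (expired, consumed, or never issued)")
	}
	delete(s.pending, id) // one attempt per prompt
	if now.Sub(req.issuedAt) > s.ttl {
		return errors.New("prompt expired")
	}
	if typed != req.number {
		return fmt.Errorf("number mismatch for %s: typed %02d, prompt showed %02d", req.user, typed, req.number)
	}
	return nil
}

func main() {
	s := newPushService()
	start := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	ctx := "Chrome on Windows, 203.0.113.9" // constructed context string the app would display
	// An attacker holding alice's password fires a prompt every 20 s; a worn-down alice
	// taps Approve without typing a number (modelled here as -1).
	for i := 0; i < 5; i++ {
		now := start.Add(time.Duration(i) * 20 * time.Second)
		req, err := s.requestPush("alice", ctx, now)
		if err != nil {
			fmt.Printf("attempt %d: %v\n", i+1, err)
			continue
		}
		fmt.Printf("attempt %d: prompt %s shows %02d; blind approve -> %v\n", i+1, req.id, req.number, s.approve(req.id, -1, now))
	}
}
```

The flagged map is the detection hook: in a real identity provider that entry becomes an alert and a forced password reset, because a burst of prompts the user did not initiate means the password is already in an attacker's hands.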

Bottom line: A great user experience when combined with number matching and anomaly detection. Without those safeguards, push notifications create a false sense of security.


Which Method Should You Choose?

There’s no single right answer — most organizations should layer methods based on risk.

Start here:

  • All users, minimum baseline → TOTP via authenticator app. It’s free, compliant, and works everywhere.
  • Admins, privileged accounts, CUI access → Hardware security keys. Phishing resistance matters most where the blast radius is highest.
  • Mobile-first or frontline workers → Push notifications with number matching, or biometrics if devices support it.
  • Legacy fallback only → SMS. Keep it available for account recovery, but don’t rely on it as a primary method.

For compliance:

  • CMMC Level 2+ requires MFA for all CUI access. Phishing-resistant methods (hardware keys, device-bound biometrics) will give you the strongest assessment posture.
  • NIST 800-171 (3.5.3) requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. TOTP and above all satisfy this control.
  • NIS2 emphasizes strong authentication for critical infrastructure operators — hardware keys and biometrics align best.

The most secure MFA is the one your team will actually use. Pick the strongest method your users will adopt consistently, then layer up for high-risk roles.