
5 Types of Multi-Factor Authentication (MFA) Explained

The threat landscape changes every day, and the average data breach is more expensive than ever: it grew by 10% to $4.88 million in 2024, according to IBM, and compromised user credentials are among the leading initial attack vectors in enterprise breaches. The good news for security and operations teams is that one control reduces the likelihood of your users' accounts being compromised by nearly 99%, and it should be part of your cybersecurity strategy.

It's called multi-factor authentication (MFA)

MFA is invaluable for organizations that want to shrink their attack surface: researchers at Microsoft measured it as blocking up to 98.56% of account compromise attempts. The result is stronger security, improved productivity, a reduced IT workload, and easier compliance with industry standards. MFA adds a layer of defense across a company's entire operations.

Here's a look at the most common types of multi-factor authentication so that you can choose one that fits your operations and strengthens your cybersecurity posture.

How Does Multi-Factor Authentication Work? 

MFA combines a series of criteria to verify a user's identity. We'll break those down later, but these descriptions will get you started: 

  • Something you know, such as a PIN, security question, or password.
  • Something you have, such as a device, smart card, or hardware key.
  • Something you are, such as a fingerprint, facial recognition, or retinal scan.
  • Something about your context, such as typing patterns, IP address, or location. These are usually treated as risk signals that decide when to prompt for a factor rather than as a factor in their own right.

MFA requires factors from at least two of these categories before access is granted. Brute-force and password-spraying attacks fail outright when a password alone no longer opens the account, and social engineering gets harder, though not impossible: an attacker who phishes or buys a password still has to obtain the second factor or trick the user into approving it, and fingerprints and hardware tokens are far harder to copy than a password.

5 Types of Multi-Factor Authentication

Using the "Four Somethings" list means you have choices for authenticating a user's identity. When you know what's out there, you can compare your choices and pick the one that fits your business processes.

The main factors to consider when deciding on the best types of MFA for your business are implementation and application. It's also important to factor in the strengths and weaknesses of each. Here's a breakdown of the most common MFA options.

1. SMS/Email

Chances are, you've used one of these MFA methods before. SMS and email are the most widely used types of multi-factor authentication, because they're simple and cost-effective.

  • How it works: Both work by sending a time-sensitive passcode to your device, either via email or SMS message. The user must then access the passcode in their text messages or emails and enter it within the specified time to access their account. An attacker would need to enter the password and SMS/Email passcode to overcome this extra security measure, making accounts that much harder to breach.
  • Pros and Cons: Customers and organizations like the simplicity of SMS and email-based MFA, as there's no authenticator app or hardware to provision. The downside is that they provide the least security. SMS codes can be intercepted by SIM swapping, where the attacker talks the carrier into moving the victim's number to a SIM they control, or by abuse of the telecom signaling network; email codes are only as secure as the mailbox they land in; and both are phishable, because a real-time phishing page can ask the user for the code and relay it to the genuine site before it expires. A short numeric code can also be guessed outright if the server does not expire it quickly and cap the number of wrong attempts.
  • Use cases: Companies looking to bolster their cybersecurity with a simple solution are the most likely to use SMS and email-based MFA. That includes e-commerce stores and less sensitive digital assets.

Researchers at Google conducted a study showing that SMS-based MFA helped block 70–100% of unauthorized login attempts, depending on the type of cyberattack. While this option can significantly strengthen your cyber defenses, it can still be breached. 
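The guessing risk above is a server-side problem: a six-digit code only needs a million guesses if the server lets an attacker make them. The Go program below is an added example, not StrongDM's code, of the controls a verifier needs for delivered SMS/email codes: cryptographically random generation, a short expiry, single use, a cap on wrong guesses, and a constant-time comparison. The policy constants, the user names and the in-memory map are assumptions for the example; a real deployment would keep pending codes in a database or cache.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy values are assumptions for this example, not figures from the article.
const (
	codeDigits  = 6
	codeTTL     = 5 * time.Minute
	maxAttempts = 5
)

var (
	ErrNoCode    = errors.New("no pending code for user")
	ErrExpired   = errors.New("code expired")
	ErrLockedOut = errors.New("too many wrong guesses; code discarded")
	ErrMismatch  = errors.New("code mismatch")
)

type pendingCode struct {
	code     string
	expires  time.Time
	attempts int
}

// OTPStore keeps at most one pending code per user. A map stands in for the
// database or cache a real deployment would use, so the example runs offline.
type OTPStore struct {
	now   func() time.Time // injectable clock so expiry can be tested
	codes map[string]*pendingCode
}

func NewOTPStore(now func() time.Time) *OTPStore {
	return &OTPStore{now: now, codes: map[string]*pendingCode{}}
}

// Issue draws a fresh code from crypto/rand (never math/rand) and replaces any
// code still pending for the user, so only one code is valid at a time.
func (s *OTPStore) Issue(user string) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(codeDigits), nil)
	n, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%0*d", codeDigits, n.Int64())
	s.codes[user] = &pendingCode{code: code, expires: s.now().Add(codeTTL)}
	return code, nil
}

// Verify consumes one guess. The code is discarded after a correct guess
// (single use), after expiry, and after maxAttempts wrong guesses, which caps
// a brute force at maxAttempts tries out of 10^codeDigits per issued code.
func (s *OTPStore) Verify(user, guess string) error {
	p, ok := s.codes[user]
	if !ok {
		return ErrNoCode
	}
	if s.now().After(p.expires) {
		delete(s.codes, user)
		return ErrExpired
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(s.codes, user)
		return ErrLockedOut
	}
	// Constant-time comparison so response timing does not leak matching prefixes.
	if subtle.ConstantTimeCompare([]byte(guess), []byte(p.code)) != 1 {
		return ErrMismatch
	}
	delete(s.codes, user)
	return nil
}

func main() {
	s := NewOTPStore(time.Now)
	code, err := s.Issue("alice")
	if err != nil {
		panic(err)
	}
	wrong := "000000"
	if wrong == code {
		wrong = "111111"
	}
	fmt.Println("code to deliver by SMS/email:", code)
	fmt.Println("wrong guess:  ", s.Verify("alice", wrong))
	fmt.Println("correct code: ", s.Verify("alice", code))
	fmt.Println("replayed code:", s.Verify("alice", code))
}
```

The lockout is deliberately per issued code rather than per user, so an attacker cannot lock a victim out of MFA for good by spamming guesses; combine it with rate limiting on the issue endpoint so they cannot request codes without bound either.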

2. Authenticators 

Where SMS and email deliver a passcode to you, an authenticator app either generates the passcode on the device itself (a time-based one-time password, or TOTP, computed from a secret shared at enrollment and the current time) or receives a push notification asking you to approve the login. The most common authenticators are Google Authenticator and Microsoft Authenticator, both free on their respective app stores. Apple builds an equivalent TOTP generator into iOS and macOS (under Passwords), so no separate download is needed there.

  • How it works: First, the user enrolls the app, usually by scanning a QR code that carries the shared secret. At each login, the user either types the six-digit code the app is currently showing, or, in push-based setups, unlocks the phone with a PIN or biometric and approves the notification.
  • Pros and Cons: Authenticator apps are usually free, making them cost-effective, and TOTP codes never cross the phone network, so SIM swapping does not help an attacker. The defense rate is high against automated and bulk attacks, but the codes are still phishable in real time, and a stream of push prompts creates MFA fatigue and dampens the user experience.
  • Use cases: Companies with medium-level security needs, such as those in the finance, education, and social media sectors, often use authenticators in their login processes. 

Despite their relatively high degree of security, the MFA fatigue that push-based authenticators cause can prove a liability. In 2022, an 18-year-old attacker got into Uber by bombarding an employee's account with approval notifications until the employee eventually tapped "Approve" out of frustration. Push deployments should turn on number matching, where the login screen shows a number the user has to type into the app, so an approval cannot be granted blindly; rate-limiting prompts, or falling back to rolling codes, also spares users a flood of alerts.

3. Biometrics

Biometrics recognizes your identity by information that's unique to your body. Though it may be secure, there are concerns about it. 

  • How it works: Biometrics employs advanced technology to scan bodily features such as fingerprints, retinas, face, or voice. There's also the option to leverage behavioral biometrics, which analyzes unique patterns in user actions like typing rhythm or mouse movements for continuous authentication.
  • Pros and Cons: Biometric features are difficult to duplicate, which makes them a strong MFA option, but not impossible: fingerprints have been lifted from latent prints, and face recognition without liveness detection can be fooled by high-resolution photos or masks. Well-designed systems (phone unlock, FIDO platform authenticators) match the biometric on the device and use it only to unlock a locally stored key, so the template never leaves the device and a breach of the server does not leak it.
  • Use cases: Organizations with highly sensitive data commonly use biometrics, like government agencies and large enterprises. The technology is commonplace nowadays, with usage spreading to include many smartphones.  

Some users are uncomfortable sharing such personal data, and unlike a password a biometric cannot be changed if a template leaks, so privacy and ethics are a genuine drawback. The technology is often reserved for the most privileged accounts in a privileged access management (PAM) or privileged identity management (PIM) program, such as admins or executives. And because it can be challenging to integrate, a Zero Trust PAM platform that supports it out of the box helps.

4. Security keys

A security key is a "something you have" factor: a physical device such as a YubiKey or an RSA SecurID token. Keys are among the most robust options available.

  • How it works: After entering their password (or instead of it, in passwordless setups), the user plugs in or taps the key and touches it to confirm presence. A FIDO2/WebAuthn key holds a private key that never leaves the hardware; it signs a one-time challenge from the site, and the signature also covers the site's identity as the browser saw it, so a phishing site cannot relay it. Older tokens such as SecurID display a rolling code instead. Without the key, neither the user nor an attacker can log in.
  • Pros and Cons: Security keys are among the most secure MFA options available, and the key itself needs no network connection or battery. However, users who lose them are locked out until IT issues a replacement, so enroll a backup key for each user.
  • Use cases: Organizations with highly sensitive data, such as those in the healthcare, government, or defense sectors, may use security keys. 

The Google study mentioned above found that security keys had a 100% success rate in guarding against phishing, targeted, and automated bot attacks. As with any key, an attacker can still steal or coerce one from an employee, which is why keys are combined with a PIN or touch and should be revoked promptly when reported lost.
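What lets a FIDO-style key resist the real-time phishing that defeats SMS and TOTP codes is that each credential is scoped to one site and the signature covers the site origin as the browser saw it. The Go program below is an added, simplified model of that exchange; it is not the FIDO2/WebAuthn protocol itself and not StrongDM's code. The signed byte layout, the challenge handling, the user name and the two domain names are assumptions of the example, and Ed25519 stands in for the key types real authenticators use. It runs a legitimate login and then two relayed-challenge phishing attempts from a look-alike domain, with and without a credential registered there.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey models a FIDO-style authenticator: one key pair per relying
// party (RP), a private key that never leaves the device, and signatures that
// always cover the RP identity the browser observed.
type SecurityKey struct {
	creds map[string]ed25519.PrivateKey // rpID -> private key
}

// Register mints a credential for rpID and returns the public key for the RP to store.
func (k *SecurityKey) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[rpID] = priv
	return pub, nil
}

// signedData is what the key signs and the RP verifies: H(rpID) || challenge.
// The attacker never gets to choose rpID, which is what defeats a relayed challenge.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs a challenge for the origin the browser reports. On a look-alike
// domain the key has no credential, so it refuses.
func (k *SecurityKey) Assert(observedRPID string, challenge []byte) ([]byte, error) {
	priv, ok := k.creds[observedRPID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", observedRPID)
	}
	return ed25519.Sign(priv, signedData(observedRPID, challenge)), nil
}

// RelyingParty is the genuine site: it stores public keys and issues challenges.
type RelyingParty struct {
	ID      string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use challenges
}

// Challenge issues 32 random bytes the client must sign.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Finish verifies the signature over the RP's own ID and the challenge it issued.
func (rp *RelyingParty) Finish(user string, sig []byte) error {
	c, ok := rp.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.pending, user) // single use: a captured signature cannot be replayed
	pub, ok := rp.users[user]
	if !ok || !ed25519.Verify(pub, signedData(rp.ID, c), sig) {
		return errors.New("signature invalid for this origin")
	}
	return nil
}

// Outcome: a legitimate login plus two relayed-challenge phishing attempts.
type Outcome struct{ Legit, PhishNoCred, PhishWithCred error }

func Scenario() Outcome {
	key := &SecurityKey{creds: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{ID: "accounts.example.com", // hypothetical genuine site
		users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	pub, _ := key.Register(rp.ID)
	rp.users["alice"] = pub
	var out Outcome
	// 1. Legitimate login: the browser is on accounts.example.com.
	sig, _ := key.Assert("accounts.example.com", rp.Challenge("alice"))
	out.Legit = rp.Finish("alice", sig)
	// 2. accounts-example.com (hypothetical look-alike) relays the real challenge
	//    in real time, but the browser reports its own origin to the key.
	_, out.PhishNoCred = key.Assert("accounts-example.com", rp.Challenge("alice"))
	// 3. Even with a credential at the look-alike domain, the signature covers
	//    the wrong origin hash and the genuine site rejects it.
	key.Register("accounts-example.com")
	sig, _ = key.Assert("accounts-example.com", rp.Challenge("alice"))
	out.PhishWithCred = rp.Finish("alice", sig)
	return out
}

func main() {
	o := Scenario()
	fmt.Println("legitimate login:        ", o.Legit)
	fmt.Println("phish, no credential:    ", o.PhishNoCred)
	fmt.Println("phish, relayed signature:", o.PhishWithCred)
}
```

Contrast this with the SMS and TOTP cases: there the user types a code into whatever page asked for it, and the genuine site cannot tell a relayed code from a typed one.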

5. Digital certificates

Digital certificates are also a "something you have" factor, but the thing you have is a private key rather than a separate device (the key can itself be kept on a smart card or TPM). They rank among the most secure MFA options, but implementation is complex.

  • How it works: Before any login, a Certificate Authority (CA) issues the user a certificate that binds their identity to a public key and carries a validity window (a not-before and a not-after date); the matching private key stays with the user. At login, for example during a mutual-TLS handshake, the server checks that the certificate chains to a CA it trusts, is inside its validity window, and has not been revoked, and the client proves possession by signing a fresh challenge with the private key. The CA is not contacted on each login; the server only needs the CA's public certificate and current revocation information.
  • Pros and Cons: The certificates' beginning and expiration dates allow companies to grant users access for a set time. It's an effective solution for temporary workers, such as freelancers and contractors, but it takes ongoing oversight to revoke or extend them as needed. 
  • Use cases: Large enterprises are the most common certificate users.

As with the other more advanced MFA methods, digital certificates can require more technology and other third-party tools to implement. Manually issuing and revoking all the certificates can be burdensome for your IT staff, but a Zero Trust PAM or PIM platform automates these tasks for your team.
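The following Go program is an added example, not StrongDM's code, of the certificate flow described above using only the standard library: a private CA issues a client certificate with a 30-day validity window, the client proves possession of its private key by signing a server challenge, and the server checks the chain, the validity window, a revocation list and the signature. The CA name, user name, serial numbers and the revoked-serial map (standing in for a CRL or OCSP lookup) are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key pair and a certificate from tmpl. With a nil
// parent the certificate is self-signed (a CA); otherwise parent/parentKey sign it.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed internal CA (hypothetical name).
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueUser issues a client-auth certificate for a fixed validity window, e.g.
// a contractor's engagement. Only the public key goes into the certificate.
func IssueUser(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// SignChallenge is the client side: prove possession of the private key
// without ever transmitting it.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// Authenticate is the server side: chain to the trusted CA at time now (which
// enforces the validity window), then revocation, then the proof of possession.
// The revoked-serial map stands in for a CRL or OCSP lookup.
func Authenticate(ca, cert *x509.Certificate, revoked map[string]bool, now time.Time,
	challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("challenge signature invalid: client lacks the private key")
	}
	return nil
}

func main() {
	now := time.Now()
	ca, caKey, err := NewCA(now)
	if err != nil {
		panic(err)
	}
	// 30-day contractor certificate (hypothetical user).
	cert, key, err := IssueUser(ca, caKey, "contractor@example.com", 1001, now, now.Add(30*24*time.Hour))
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed server nonce") // in practice 32 random bytes per login
	sig, _ := SignChallenge(key, challenge)
	revoked := map[string]bool{}
	fmt.Println("day 1:  ", Authenticate(ca, cert, revoked, now, challenge, sig))
	fmt.Println("day 31: ", Authenticate(ca, cert, revoked, now.Add(31*24*time.Hour), challenge, sig))
	revoked[cert.SerialNumber.String()] = true
	fmt.Println("revoked:", Authenticate(ca, cert, revoked, now, challenge, sig))
}
```

Two things the example makes visible that the prose cannot: the CA is never online during a login, and a stolen certificate file is useless without the private key, because the challenge signature is checked against the public key inside the certificate.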

Comparing and Contrasting Different MFA Types

Understanding what each MFA method offers means that you can choose the one that best fits your operations. The main differences to consider are:

  • Security Levels: Security keys, digital certificates, and biometrics are typically the most secure MFA methods, while SMS and email-based MFA are the weakest. Authenticator apps fall somewhere in between but are on the stronger end of the spectrum.
  • User Experience: SMS and email-based MFA are the most straightforward and user-friendly. Security keys are highly efficient as long as users don't lose them. The UX that authenticator apps offer depends on whether they employ notifications or rolling codes. While biometrics are simple, some users find them invasive.
  • Implementation Complexity: Authenticator apps are the simplest to install, with SMS and email-based MFA trailing close behind. Biometric and digital certificate authentication require more advanced technology, and your team will need a way to replace lost or stolen security keys.
  • Cost Considerations: Because users can install them for free, authenticator apps are the most cost-effective. SMS and email-based MFA options are mid-range on the cost scale, and biometrics and security keys are more expensive due to the cost of the hardware. 

The MFA method you choose will depend on your needs, but authenticator apps usually offer a good balance of affordability, ease of implementation, and security. The main obstacle is configuring them to cause as little MFA fatigue as possible. 

Choosing the Right MFA for Your Needs

Deciding on an MFA option requires consideration of multiple factors to get the one best suited to your needs. Some of these factors are:

  • Security Requirements: The security level of the MFA method you choose should match the sensitivity level of your data.
  • Implementation: More complex systems, such as biometrics and digital certificates, may require assistance from a third party. Leverage a PAM platform that's fluent in Zero Trust to get started.
  • Industry: The finance and healthcare sectors are governed by specific standards, like the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). These standards may mandate MFA for particular access paths (PCI DSS, for example, requires MFA for all access into the cardholder data environment), so you'll want to follow them carefully and choose a PAM platform that improves compliance.

Another critical factor to assess is whether your preferred MFA methods are compatible with your current tech stack. You can use a Zero Trust PAM platform that supports all MFA methods if your system doesn't meet the requirements. 

Enhance Enterprise Security With MFA

With so many advanced cyber attackers lurking on the threat landscape, a simple password is no longer enough to safeguard your sensitive data. There are many reasons to adopt MFA for your business. It supplements your security by requiring additional information from users upon their access requests—and it significantly reduces your risk of incurring a breach. Several multi-factor authentication methods are available, with varying strengths and weaknesses. Be sure to compare the differences when selecting the best fit for your operations. 

StrongDM's Zero Trust PAM solution lets you use multiple MFA methods to strengthen your cybersecurity. It combines authentication, authorization, and auditing functionalities to create a seamless access management system, improving compliance and productivity simultaneously. 

 Book a demo today to see how StrongDM can drive value for your company. 


About the Author

, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.
