MFA · Passwordless · Security
MFA methods explained: which multi-factor authentication is most secure?
A practical guide to MFA methods (SMS codes, authenticator apps, push, hardware keys, and passkeys) ranked by phishing resistance, with rollout advice.
June 3, 2026 · Clavkey
Multi-factor authentication (MFA) means proving who you are with more than just a password, typically something you know plus something you have or are. But not all MFA is equal. The most secure methods today are phishing-resistant ones: passkeys and hardware security keys built on the FIDO2/WebAuthn standard. At the other end, SMS and email codes are far better than nothing but the weakest common option, because they can be intercepted, SIM-swapped, or phished in real time. If you want the short version: prefer passkeys and hardware keys, use authenticator apps as a strong middle ground, and treat SMS as a fallback, not a foundation.
The reason the method matters so much is that attackers have largely shifted from guessing passwords to stealing second factors. A phishing site that asks for your one-time code can simply relay it to the real service within seconds. Understanding which factors resist that attack, and which don't, is the single most useful thing a business can know about MFA.
SMS and email one-time codes
This is the MFA most people meet first: a six-digit code texted or emailed to you. It's popular because it works on any phone and requires nothing to install.
It's also the weakest widely used factor:
- Phishable. A fake login page can ask for the code and replay it instantly to the real site.
- SIM swapping. An attacker who convinces a carrier to move your number to their SIM receives your codes.
- Interception. SMS travels over infrastructure that was never designed to be confidential.
Email codes share the phishing weakness and add another problem: if the email account itself isn't strongly protected, you've anchored your "second factor" to a target attackers already love. Use these only when nothing better is available, for example on legacy systems, and plan to move off them.
Authenticator apps (TOTP)
Authenticator apps generate a time-based one-time password (TOTP): a code that rotates every 30 seconds, computed on your device from a shared secret. Because the code is generated locally, there's no SMS to intercept or SIM to swap.
This is a meaningful step up and a sensible baseline for most businesses. The remaining weakness is that TOTP is still phishable: the rotating code is just characters a user can be tricked into typing into a fake site, which an attacker then relays. It raises the bar significantly without eliminating real-time phishing.
Push-based approval
Push MFA sends a "was this you?" prompt to an app on your phone; you tap approve. It's smoother than typing codes and removes the SMS interception risk.
Its weakness is human: MFA fatigue (or "push bombing"), where an attacker who already has the password floods someone with prompts until they tap approve out of habit or annoyance. The mitigation is number matching, where the login screen shows a number the user must enter into the prompt, which makes blind approval much harder. Push with number matching is a solid option; push without it should be treated with caution.
Hardware security keys
A hardware security key is a small physical device (often USB or NFC) that authenticates using the FIDO2/WebAuthn standard. Crucially, the key performs a cryptographic handshake that is bound to the real website's domain. If you're on a phishing site, the key simply won't respond. There's no code to read aloud or paste, so there's nothing for an attacker to relay.
That property is why hardware keys are considered the gold standard for phishing resistance:
- Phishing-resistant by design. Domain binding defeats real-time relay attacks.
- No shared secret to steal. The private key never leaves the device.
- Great for high-value accounts. Admins, finance, and anyone with broad access benefit most.
The tradeoffs are practical: keys cost money, can be lost (so you need backups and recovery), and require devices that accept them. For your most sensitive roles, they're worth it.
Passkeys
Passkeys bring that same phishing-resistant FIDO2/WebAuthn cryptography to the devices people already own. A passkey is a cryptographic credential stored on your phone or laptop and unlocked with a fingerprint, face, or PIN. Like a hardware key, it's bound to the legitimate site's domain, so it can't be phished, but there's no separate gadget to carry, and many passkeys sync securely across a user's devices.
Passkeys are also the leading form of passwordless sign-in: because the credential is both factors at once (something you have, the device, plus something you are or know to unlock it), they can replace the password entirely rather than sit on top of it. For most businesses, passkeys are the best balance of strong security and everyday usability available today.
What to roll out, and step-up authentication
You don't have to pick one method for everyone. A practical, layered plan looks like this:
- Set a strong baseline. Require at least an authenticator app or push with number matching for all users. Retire SMS except as an emergency fallback.
- Push toward phishing resistance. Move people to passkeys where you can, and issue hardware keys to administrators and other high-privilege roles.
- Use step-up authentication. Don't force the strongest factor on every click. Require an extra, stronger check only for sensitive actions: accessing financial data, changing access policies, or signing in from an unfamiliar location. This keeps everyday work smooth while putting the heaviest protection exactly where the risk is.
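As an added illustration (not Clavkey's policy engine), here is a small decision function in JavaScript that encodes the layered plan above: every method gets a strength rank, every action a minimum rank and a freshness limit, and an unfamiliar location raises the bar for everything. The action names, ranks and time limits are illustrative values chosen for the example.

```javascript
// Added example, not Clavkey's code: a step-up decision function. Each factor
// has a strength rank; each action needs a minimum rank and a maximum age for
// the factor that satisfied it. The caller either proceeds or sends the user
// through a stronger check. Method names and thresholds are illustrative.
const STRENGTH = {
  password: 0,
  sms: 1, email: 1,                 // phishable, weakest; emergency fallback only
  totp: 2, push_number_matching: 2, // strong baseline
  hardware_key: 3, passkey: 3,      // phishing-resistant
};

// Hypothetical actions. Sensitive actions need a stronger and fresher factor.
const ACTION_POLICY = {
  'read:dashboard':      { minStrength: 1, maxAgeSec: 12 * 3600 },
  'read:financial-data': { minStrength: 2, maxAgeSec: 15 * 60 },
  'write:access-policy': { minStrength: 3, maxAgeSec: 5 * 60 },
};

// A sign-in from an unfamiliar location raises the bar for every action.
const UNFAMILIAR_LOCATION_MIN_STRENGTH = 2;

// session.factors: [{ method, at }], `at` = Unix seconds of that factor's last success.
// context: { unfamiliarLocation: boolean }
function decide(action, session, context, nowSec) {
  const policy = ACTION_POLICY[action];
  if (!policy) return { allow: false, reason: 'unknown action' };

  const required = context.unfamiliarLocation
    ? Math.max(policy.minStrength, UNFAMILIAR_LOCATION_MIN_STRENGTH)
    : policy.minStrength;

  const strongEnough = (f) => (STRENGTH[f.method] ?? -1) >= required;
  const fresh = (f) => nowSec - f.at <= policy.maxAgeSec;

  if (session.factors.some((f) => strongEnough(f) && fresh(f))) return { allow: true };

  // Tell the caller which methods would get the user over the bar, and why
  // the current session falls short (stale vs. too weak), for UX and logging.
  const acceptable = Object.keys(STRENGTH).filter((m) => STRENGTH[m] >= required);
  const reason = session.factors.some(strongEnough) ? 'factor too old' : 'factor too weak';
  return { allow: false, stepUp: { minStrength: required, acceptable, reason } };
}
```

Two design choices matter here. Freshness is part of the policy, so a passkey sign-in from this morning does not by itself authorise a policy change this afternoon. And the rejection names the acceptable methods, which is what lets the login flow prompt for exactly one stronger check instead of restarting authentication from scratch.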
The biggest gains come less from any single method than from consistency: MFA only protects you where it's actually enforced. The legacy tool without it, the admin panel someone forgot, the shared login that bypasses it: those gaps are where attackers go. Enforcing MFA at a central identity layer, rather than app by app, is what makes coverage the default instead of a checklist you maintain by hand. That's also the heart of a zero-trust approach: verify every access attempt rather than trusting the network it came from.
Where Clavkey fits
Clavkey enforces MFA at the point everyone signs in, so coverage isn't something you reconfigure for each application. It supports authenticator apps, passkeys, and hardware security keys, and lets you apply step-up authentication for sensitive systems and actions, all governed from one console. If your MFA today is a patchwork of per-app settings with a few uncomfortable gaps, talk to us and we'll help you map a phishing-resistant rollout that fits how your team actually works.