2026-05-05 · 6 min read
Technology

MFA Beyond the Basics: Why Not All Multi-Factor Authentication Is Equal

Learn why SMS-based MFA is no longer enough and how to choose the right multi-factor authentication methods to protect your business.

Sean P. Conroy

If you've deployed multi-factor authentication across your organization, congratulations: you've taken one of the most impactful steps in cybersecurity. But if you stopped at SMS text codes, you've only gotten halfway there.

Not all MFA is created equal. The method you choose determines how well it actually protects your accounts, and some methods that felt secure a few years ago are now routinely bypassed by attackers.

Key insight: MFA is still one of the best defenses you can deploy, but the type of MFA matters enormously. SMS-based codes are the weakest option still in widespread use, and attackers have developed reliable techniques to defeat them.

Here's what you need to know about MFA methods and what your organization should be using.

The MFA Hierarchy

Think of MFA methods as a spectrum from weakest to strongest. Each step up significantly reduces your risk of compromise.

4. SMS Text Codes (Weakest)

  • Vulnerable to SIM swapping attacks
  • Can be intercepted through SS7 exploits
  • Susceptible to social engineering at carriers
  • Better than nothing, but barely

3. Authenticator Apps (Good)

  • Google Authenticator, Microsoft Authenticator, Duo
  • Codes generated locally on your device
  • Not vulnerable to SIM swapping
  • Still susceptible to real-time phishing attacks

2. Push Notifications (Better)

  • Approve/deny prompts on your phone
  • Number matching adds an extra verification layer
  • More convenient than typing codes
  • Vulnerable to MFA fatigue attacks (see below)

1. Hardware Keys and Passkeys (Strongest)

  • YubiKeys, FIDO2 security keys
  • Phishing-resistant by design
  • Cannot be intercepted or spoofed remotely
  • Passkeys offer similar protection without physical hardware

The MFA Fatigue Attack: What Executives Need to Know

One of the most concerning developments in recent years is the MFA fatigue attack. Here's how it works:

  1. An attacker obtains a valid username and password (often from a previous breach)
  2. They attempt to log in, triggering an MFA push notification to the employee's phone
  3. The employee denies it. The attacker tries again. And again. And again.
  4. After receiving dozens of prompts at 2 AM, the exhausted or frustrated employee finally taps "Approve" just to make it stop

This isn't theoretical. MFA fatigue attacks have been used in high-profile breaches at major companies. The fix is straightforward: require number matching on push notifications. Instead of a simple approve/deny button, the employee must enter a number displayed on the login screen. This prevents blind approval.

If You Use Push-Based MFA

Enable number matching immediately. Also configure rate limiting so that repeated MFA prompts trigger an alert to your security team rather than bombarding the employee. Most major MFA providers support both features; make sure they're turned on.
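Added example (not from the original post or any MFA vendor): a replay of constructed push-prompt log lines that applies the rate limit and raises the two alerts a security team should see, a burst of prompts and an approval that follows repeated denials. The log format, the 10-minute window and the threshold of 3 prompts are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, event); not real data.
SAMPLE_LOG = """\
2026-05-05T02:01:10Z alice PUSH_SENT
2026-05-05T02:01:25Z alice PUSH_DENIED
2026-05-05T02:02:02Z alice PUSH_SENT
2026-05-05T02:02:20Z alice PUSH_DENIED
2026-05-05T02:03:05Z alice PUSH_SENT
2026-05-05T02:03:40Z alice PUSH_DENIED
2026-05-05T02:04:11Z alice PUSH_SENT
2026-05-05T02:04:50Z alice PUSH_APPROVED
2026-05-05T09:15:00Z bob PUSH_SENT
2026-05-05T09:15:08Z bob PUSH_APPROVED
"""

WINDOW = timedelta(minutes=10)  # assumed policy: count prompts over a 10-minute window
THRESHOLD = 3                   # assumed policy: more than 3 prompts in the window is suspicious

def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def analyze(log_text, window=WINDOW, threshold=THRESHOLD):
    """Replay the log; return (alerts, decisions) where each PUSH_SENT is 'prompt' or 'block'."""
    recent = defaultdict(deque)       # user -> timestamps of PUSH_SENT inside the window
    denied_streak = defaultdict(int)  # user -> consecutive denials since the last approval
    alerts, decisions = [], []
    for line in log_text.strip().splitlines():
        ts, user, event = parse_line(line)
        if event == "PUSH_SENT":
            q = recent[user]
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            q.append(ts)
            if len(q) > threshold:            # rate limit: stop bombarding the employee
                decisions.append((user, ts, "block"))
                if len(q) == threshold + 1:   # alert once per burst, not once per prompt
                    alerts.append({"user": user, "kind": "push_bombing", "prompts": len(q)})
            else:
                decisions.append((user, ts, "prompt"))
        elif event == "PUSH_DENIED":
            denied_streak[user] += 1
        elif event == "PUSH_APPROVED":        # approval after repeated denials = fatigue pattern
            if denied_streak[user] >= 2:
                alerts.append({"user": user, "kind": "approve_after_denials", "denials": denied_streak[user]})
            denied_streak[user] = 0
    return alerts, decisions
```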

What Executives Should Mandate

You don't need to understand the cryptographic details. You need to make three decisions:

First, mandate MFA everywhere. No exceptions. If a system doesn't support MFA, that's a risk that needs to be documented, and you should evaluate whether that system should remain in your environment.

Second, move beyond SMS. Authenticator apps should be your minimum standard. For high-value targets (executives, the finance team, IT administrators), require hardware keys or passkeys.

Third, require phishing-resistant MFA for privileged accounts. Admin accounts, financial systems, and any account with access to sensitive data should use FIDO2 security keys or passkeys. These methods are immune to phishing because they cryptographically verify the website you're logging into, preventing credential interception.
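Added example (not from the original article or any FIDO implementation) of the origin binding that makes FIDO2 keys and passkeys phishing-resistant: the browser only releases a credential to the site it was registered for, and that site's origin sits inside the data the authenticator signs, so the relying party can reject an assertion produced on a look-alike domain. HMAC with a per-credential secret stands in for the real public-key signature; bank.example and every origin below are constructed.

```python
import hashlib, hmac, json, os

RP_ID = "bank.example"             # constructed relying-party ID (the site's domain)
RP_ORIGIN = "https://bank.example"

class Authenticator:
    """One FIDO2-style credential scoped to rp_id. HMAC with a per-credential secret
    stands in for the private-key signature so this runs with the standard library."""
    def __init__(self, rp_id):
        self.rp_id, self.key = rp_id, os.urandom(32)

    def get_assertion(self, origin, challenge):
        # Browser-side scoping: a page may only use credentials whose rp_id matches its origin.
        host = origin.split("://", 1)[1]
        if not (host == self.rp_id or host.endswith("." + self.rp_id)):
            raise PermissionError("credential not scoped to this origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()            # origin is signed over
        auth_data = hashlib.sha256(self.rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        sig = hmac.new(self.key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        return client_data, auth_data, sig

def verify(registered_key, client_data, auth_data, sig, expected_challenge):
    """Relying-party checks, in WebAuthn's order: type/challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                # origin binding
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():    # rpIdHash binding
        return False
    expected = hmac.new(registered_key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)

def legit_login(auth, registered_key):
    challenge = os.urandom(16).hex()
    return verify(registered_key, *auth.get_assertion(RP_ORIGIN, challenge), challenge)

def phished_login(auth, registered_key, phishing_origin):
    """A real-time phishing proxy relays the genuine challenge to a look-alike site."""
    challenge = os.urandom(16).hex()
    try:
        cd, ad, sig = auth.get_assertion(phishing_origin, challenge)
    except PermissionError:
        return "refused_by_browser"
    return "accepted" if verify(registered_key, cd, ad, sig, challenge) else "rejected_by_rp"
```

Contrast this with a TOTP code, which carries no information about where it was typed: the same six digits are valid on the real site and on the proxy's copy of it.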

Data point: Organizations using phishing-resistant MFA (hardware keys or passkeys) report zero successful account takeovers from phishing attacks. The technology eliminates the attack vector entirely. -Google Security Blog

The Passkey Opportunity

Passkeys are the newest addition to the MFA hierarchy, and they deserve your attention. Built on the same FIDO2 standard as hardware security keys, passkeys provide phishing-resistant authentication without requiring employees to carry a physical device.

Passkeys work through your phone's biometrics (fingerprint or face recognition) and sync across devices. They're supported by Apple, Google, and Microsoft, and adoption is growing rapidly.

For SMBs, passkeys represent an opportunity to deploy enterprise-grade authentication without the cost and logistics of distributing hardware keys to every employee. Ask your IT team whether your critical applications support passkeys today, and build a migration plan for the ones that do.

Key Takeaways

  • SMS codes are the weakest MFA: upgrade to authenticator apps at minimum
  • MFA fatigue is a real threat: enable number matching on all push-based MFA
  • Privileged accounts need phishing-resistant MFA: hardware keys or passkeys for executives, IT admins, and finance
  • Passkeys are the future: start evaluating passkey support across your critical applications
  • Any MFA is better than no MFA, but don't let "good enough" stop you from getting to "great"

For more on rolling out stronger authentication without disrupting productivity, see Cybersecurity for CEOs.
