Why this matters
Multi-factor authentication is the single most effective protection against account takeovers. Studies from Google and Microsoft confirm: MFA prevents more than 99% of automated attacks. But not all MFA methods are equally strong.
The uncomfortable truth: SMS OTP is weak MFA. SIM-swapping attacks, SS7 protocol vulnerabilities, and real-time phishing proxies make SMS codes the least secure second factor. Yet many organisations use SMS because it is simple to implement.
The security spectrum looks like this: SMS < email OTP < TOTP (authenticator app) < push notifications (with number matching) < hardware tokens < FIDO2/Passkeys. Phishing-resistant MFA starts at FIDO2.
How to do it right
Enable passkeys wherever possible
Google, Apple, Microsoft, and many other services support passkeys. Enable these first — they are phishing-resistant by design, as the cryptographic key is bound to the domain.
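The domain binding is what makes passkeys phishing-resistant, and it is checked on the server, not trusted from the page. The added example below (written for this article, not code from any of the vendors named above) shows the origin and RP ID checks a relying party performs on a WebAuthn assertion: the browser writes the real origin into clientDataJSON and the authenticator hashes the RP ID it was registered for into authenticatorData, so an assertion produced on a lookalike domain fails both checks. The origin, RP ID, challenge and both assertions are constructed for the example; signature verification is omitted and belongs to a real WebAuthn library.

```python
import base64
import hashlib
import json

# Assumed relying-party settings for this example (not from the article).
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "example.com"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real RP generates one per login


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: str):
    """Build a constructed assertion (clientDataJSON + authenticatorData).

    In a real ceremony the browser, not the web page, fills in 'origin', and
    the authenticator hashes the RP ID the credential was created for into
    authenticatorData. Both are assembled by hand here only to exercise the
    checks below.
    """
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    client_data_json = b64url_encode(json.dumps(client_data).encode())
    # authenticatorData layout: rpIdHash (32) | flags (1, UP bit set) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client_data_json, auth_data


def check_origin_binding(client_data_json: str, auth_data: bytes,
                         expected_challenge: str = CHALLENGE,
                         expected_origin: str = EXPECTED_ORIGIN,
                         expected_rp_id: str = EXPECTED_RP_ID):
    """Return (ok, reason) for the origin/RP ID part of assertion verification."""
    try:
        client_data = json.loads(b64url_decode(client_data_json))
    except ValueError:
        return False, "clientDataJSON is not valid base64url/JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != expected_origin:
        # A proxy or lookalike site cannot change what the browser wrote here.
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        # The authenticator only signs for the RP ID the credential belongs to.
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed samples: a genuine login and one produced on a lookalike domain.
GENUINE = make_assertion("https://accounts.example.com", "example.com", CHALLENGE)
LOOKALIKE = make_assertion("https://accounts.example-login.net", "example-login.net", CHALLENGE)

if __name__ == "__main__":
    print(check_origin_binding(*GENUINE))    # (True, 'ok')
    print(check_origin_binding(*LOOKALIKE))  # first element False, reason starts with 'origin mismatch'
```

Compare this with a TOTP code, which carries no information about where it was typed: the same six digits are valid whether entered on the real site or on a proxy in front of it.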
If no passkey: hardware token
YubiKey (5 Series) or Google Titan Key provide FIDO2 protection at the hardware level. For privileged accounts (admin, finance, management), hardware tokens are the best option.
If no hardware token: authenticator app
Microsoft Authenticator, Google Authenticator, or Authy generate TOTP codes locally on your device — better than SMS. Important: store backup codes securely.
Enable number matching for push MFA
If you use push notifications (Microsoft Authenticator, Duo): enable number matching. The login screen shows a number that the user must enter in the app before the sign-in is approved, so a prompt the user did not initiate cannot simply be tapped through. This removes the blind "approve" that MFA fatigue attacks rely on.
Migrate SMS MFA gradually
Systematically migrate SMS MFA users to authenticator apps. Create a simple step-by-step guide and communicate the change in advance.
Secure recovery options
Print backup codes for every MFA-protected service and store them physically in a secure location — not in your email inbox. For organisations: store backup codes in the security team's password manager.
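The advice above is for the person holding the codes; the added example below (written for this article, not code from any service mentioned) shows the service-side counterpart that makes printed codes safe to keep: each code is random, single-use, and stored only as a salted digest, so a leaked database does not yield usable codes. The alphabet, code length and salt are choices made for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (no 0/O or 1/I); 32 symbols,
# so a 10-character code carries 50 bits of entropy.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(n: int = 10, length: int = 10) -> list:
    """Generate n single-use codes, formatted XXXXX-XXXXX for printing."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Accept codes as users type them: any case, with or without separators."""
    return code.strip().upper().replace("-", "").replace(" ", "")


def code_digest(code: str, user_salt: bytes) -> bytes:
    # With 50 bits of entropy a salted SHA-256 is sufficient; the per-user
    # salt prevents a leaked table from being matched across accounts.
    return hashlib.sha256(user_salt + normalize(code).encode()).digest()


def make_store(codes, user_salt: bytes) -> dict:
    """Server-side record: digests only, the printable codes are never kept."""
    return {"salt": user_salt, "unused": [code_digest(c, user_salt) for c in codes]}


def redeem(store: dict, submitted: str) -> bool:
    """Consume a backup code: True exactly once per code, False otherwise."""
    digest = code_digest(submitted, store["salt"])
    for i, stored in enumerate(store["unused"]):
        if hmac.compare_digest(stored, digest):
            del store["unused"][i]  # single use: remove on success
            return True
    return False


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    codes = generate_backup_codes()
    store = make_store(codes, salt)
    print("print these once and hand them to the user:", *codes, sep="\n")
    print(redeem(store, codes[0]))  # True
    print(redeem(store, codes[0]))  # False
```

Redeeming a code should also be rate-limited and logged like any other second-factor event, since it bypasses the primary MFA method.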
Tools we recommend
- YubiKey 5 Series — gold standard for hardware FIDO2; supports USB-A, USB-C, NFC; for privileged accounts and high-security users
- Apple Passkeys — integrated in iCloud Keychain; seamless within the Apple ecosystem; phishing-resistant
- Google Passkeys — in Google Password Manager or Android; for Android-first organisations
- Microsoft Authenticator — well-integrated with number matching and passwordless login in Microsoft environments
- Authy — good TOTP app with encrypted cloud backup; better than Google Authenticator when device changes are frequent
If you only remember one thing
MFA is no longer a luxury — it is a legal requirement under NIS2, ISO 27001, and for many regulated industries. Enable MFA on all business accounts, starting with privileged ones.
Prioritise by account risk
Start with admin accounts, finance systems, and email (because whoever controls your email can take over all other accounts via 'forgot password'). Then all other services — most support TOTP or passkeys.