Not All MFA is Created Equal: Advantages and Disadvantages of Common Forms of MFA
If you’ve spoken to anyone in the cybersecurity industry in the past few years, you’ve probably heard at least once “multi-factor authentication (MFA) is one of the best things you can do to protect yourself and your organization.” But what, you may be asking, does that specifically entail? MFA comes in all different shapes and sizes, and like anything else in the cybersecurity and technical worlds, there is a fair amount of nuance in the available technologies. There are many things to consider when attempting to determine what type of MFA is best for you and your organization, including security, ease of implementation, ease of use, cost, etc. Let the information below serve as a high-level overview of those considerations for the four most common forms of MFA: SMS OTP, software TOTP, hardware TOTP, and push OTP.
SMS One-Time Password (OTP)
- Description: a random, numerical password, usually six digits, sent via SMS message to a designated mobile device. The password can only be used once.
- Advantages: easy to implement and better than no MFA at all. It can also be free or inexpensive to set up (disregarding the cost of the mobile phone).
- Disadvantages: requires the user to own a mobile phone that can receive SMS text messages. One of the least secure forms of MFA (see Vulnerabilities).
- Vulnerabilities: susceptible to SMS intercept attacks, wherein the text message is “intercepted” by a cyber attacker who receives the text message instead. SMS intercept attacks can be accomplished in a variety of ways, including SIM-swap scams, mobile number port-out scams, and SMS-stealing malware. Several high-profile security breaches have occurred over the past few years that were the result of SMS intercept attacks, including the 2018 data breach at Reddit and the 2019 compromise of Twitter CEO Jack Dorsey’s Twitter account.
- Other info: SMS OTP was deprecated by the National Institute of Standards and Technology (NIST) in 2016.
Software Time-based One-Time Password (TOTP)
- Description: a random, numerical password, usually six digits, generated via an authenticator app installed on the associated mobile device. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once. There are a variety of authenticator apps available, including Google Authenticator, Duo Mobile, Authy, etc.
- Advantages: more secure than SMS OTP and fairly easy to deploy, though not as easy as SMS OTP. It can also be free or inexpensive to set up (disregarding the cost of the smartphone).
- Disadvantages: requires the user to own a smartphone and install a mobile app. The security of software TOTP is heavily dependent on the authenticator app being used, as well as the parameters specified by the authenticating server. TOTP relies on a shared secret key that is portable, often shared via a QR code, which makes it susceptible to cloning.
Hardware Time-based One-Time Password (TOTP)
- Description: a random, numerical password, usually six digits, generated via a hardware token, like a key fob or smart card, with a digital display. The code regenerates at regular intervals, usually every 30 seconds, and each code may only be used once.
- Advantages: very secure, as most hardware tokens are difficult to compromise remotely. The use of hardware tokens does not require users to own a mobile device or smartphone or install an authenticator app.
- Disadvantages: can be very expensive (~$15+ per token). Hardware tokens can be difficult to deploy, as they are set up using NFC, which can be temperamental to use. The hardware tokens, which can be quite small, can be easily lost. Additionally, some hardware tokens, such as YubiKeys, require a physical connection to the device attempting the authentication and are thus not compatible with devices that do not have the token’s connection type (e.g., USB-A, USB-C, Lightning, etc.). Hardware tokens with more than one connection type are available, but they tend to be more expensive.
Push One-Time Password (OTP)
- Description: a push notification is sent to the user’s device via an installed mobile app, giving the user the option to approve or deny the authentication request. The push notification usually includes the context of the authentication request, such as the IP address and corresponding location from which the login request originated.
- Advantages: very secure, as the authentication communication is out-of-band and encrypted. Unlike TOTP, push OTP links a single device to the user’s identity, so it is not susceptible to cloning. It is easy to deploy and extremely easy to use, requiring only the click of a button to approve the request. It can be free or inexpensive (disregarding the cost of the smartphone).
- Disadvantages: possible for users to accidentally approve fraudulent requests. It requires the user to own a smartphone and download a mobile app. Push OTP requires that the smartphone have an internet connection and it is a relatively new technology that is still not widely supported.
- Other info: often used as a replacement for passwords. The push notification does not usually carry the OTP, but upon approval by the user, a unique OTP is generated internally on the device and sent back to the authenticating server to verify it.