Comparative analysis for Multi-Factor Authentication techniques

Today we are doing a comparative analysis of three Multi-Factor Authentication (MFA) methods: Mobile Authenticator Apps, Text/Call-based MFA, and FIDO Keys. The aim is to understand the risk associated with each method, but not only the risk: I will also touch on reliability and cost. It's worth noting that there are many more MFA options than these three. Entra ID alone offers Windows Hello for Business, passkeys, certificate-based authentication, Microsoft Authenticator, temporary access passes, and password plus voice call.

Recently there have been quite a few cases of attackers bypassing MFA. That is possible because each method has its own strengths and weaknesses in usability, security, and resilience against attack: some methods produce a code or approval that can be phished and relayed in real time, and some cannot.

Having some MFA mechanism is better than having no MFA at all. But as shown below, not all MFA methods are created equal, nor do they provide the same security. Phishing-resistant MFA is a distinct category, and it is becoming more important every year as the techniques of hackers, scammers and other bad actors get more sophisticated.

1. MFA methods overview

Mobile Authenticator App (e.g., Microsoft Authenticator):

  1. Generates time-based one-time passcodes (TOTP) from a secret shared with the identity provider at enrolment, and can also verify identity with push notifications to the enrolled device.
  2. Often used in cloud environments, integrated with identity providers such as Entra ID, Office 365 and other enterprise applications.
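
As an added example (not part of the original article), here is the TOTP computation behind an authenticator app's six-digit code, in Go using only the standard library, together with the server-side check including the usual one-step clock-drift window. The secret is the RFC 4226/6238 test-vector key, used here as a constructed example rather than a real enrolment. The thing to notice is what the verifier does not take as input: the site the code was typed into.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// stepSeconds is the RFC 6238 default used by the common authenticator apps.
const stepSeconds = 30

// totp implements RFC 6238: the HOTP counter is the number of 30-second
// steps since the Unix epoch, so app and server agree as long as clocks do.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/stepSeconds), digits)
}

// verifyTOTP is the server side. It tolerates one step of drift either way.
// Nothing here depends on *where* the user typed the code: a code phished
// and relayed by a proxy inside the window verifies exactly like a genuine one.
func verifyTOTP(secret []byte, unixTime int64, digits int, submitted string) bool {
	step := unixTime / stepSeconds
	for skew := int64(-1); skew <= 1; skew++ {
		if step+skew < 0 {
			continue
		}
		expected := hotp(secret, uint64(step+skew), digits)
		// Constant-time compare so the check does not leak how many digits matched.
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed example: the RFC 4226/6238 test-vector key, not a real secret.
	secret := []byte("12345678901234567890")
	for _, t := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d  code=%s\n", t, totp(secret, t, 6))
	}
	// A code captured at t=59 and relayed 20 seconds later is still accepted.
	fmt.Println("relayed code accepted:", verifyTOTP(secret, 79, 6, totp(secret, 59, 6)))
}
```

Push notifications swap the six digits for a tap, but the approval is equally blind to which site triggered it, which is why both TOTP and plain push fall to real-time phishing proxies while FIDO does not.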

Text/Call-Based MFA:

  1. Sends a one-time passcode to the user's phone via SMS or voice call.
  2. Commonly used for convenience and accessibility, but susceptible to telecom network attacks (e.g. SS7 interception), SIM swapping and MitM/relay attacks, since the code can be typed into any site that asks for it.

FIDO Keys (e.g., YubiKey):

  1. Physical hardware keys that implement the FIDO (Fast IDentity Online) standards, today FIDO2/WebAuthn.
  2. Provide strong, phishing-resistant authentication: the key signs a per-login challenge with a private key that never leaves the device, and the signed data includes the origin of the site the browser is actually on, so an assertion obtained through a look-alike domain cannot be replayed to the real site. Physical possession of the key is required for every login.

2. Risk Analysis and Comparison


3. Summary of Key Findings

Security:

  1. FIDO Keys offer the highest level of security, being resilient to phishing, MitM/AitM relay attacks, and SIM swapping. Public-key challenge-response bound to the site origin, together with the requirement for physical possession, makes FIDO keys the most secure choice.
  2. Mobile Authenticator Apps are generally secure and, unlike SMS, are unaffected by SIM swapping and message interception, but they are more susceptible to phishing than FIDO keys: a TOTP code or a push approval can be captured by a real-time phishing proxy and relayed to the genuine login page, and push approvals are additionally exposed to MFA fatigue (push bombing) unless number matching is enforced.
  3. Text/Call-Based MFA is the least secure, with vulnerabilities to phishing, SIM swapping, and SMS interception. This option should only be used where more secure alternatives are not feasible.
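
The origin binding that gives FIDO its phishing resistance (the point made in the FIDO overview above and in finding 1 here) is easy to see in code. The following is an added example, not the article's code and not any vendor's implementation: a simplified WebAuthn-style assertion in Go, with a P-256 key generated in software standing in for the security key's on-device key. Field names follow WebAuthn's clientData, but the authData is reduced to the RP ID hash and the challenge is a constructed constant rather than a random per-login value. Three logins are attempted with the same key and the same valid challenge: one from the real site, one relayed from a look-alike domain, and one where the relay rewrote the origin to look genuine.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of the assertion the browser fills in. The origin is
// taken from the page the user is really on; the authenticator never sees it
// as a parameter it could be talked into changing.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives (simplified field set).
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // simplified here to SHA-256(rpID)
	Signature      []byte
}

// authenticator models the security key: the private key is generated on the
// device and is only ever used to sign, never exported.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

// signedMessage is what the key signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// assert produces an assertion for a challenge, as seen from a browser at browserOrigin.
func (a *authenticator) assert(rpID, browserOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpHash[:], cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthData: rpHash[:], Signature: sig}, nil
}

// relyingParty holds the public key registered at enrolment and the origin it expects.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// verify performs the checks that make the assertion unusable from another site.
func (rp relyingParty) verify(challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type")
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != rp.origin { // the phishing-resistance check
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.origin)
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(as.AuthData, rpHash[:]) {
		return errors.New("RP ID hash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not cover this client data")
	}
	return nil
}

// demo runs a genuine login, a login relayed by a phishing proxy, and a
// relayed login whose origin the proxy rewrote. Returns the three outcomes.
func demo() (genuine, relayed, tampered error) {
	auth, err := newAuthenticator()
	if err != nil {
		return err, err, err
	}
	rp := relyingParty{rpID: "login.example", origin: "https://login.example", pub: &auth.priv.PublicKey}
	challenge := "constructed-challenge-0001" // random per login in practice

	// 1. The user is really on https://login.example.
	a, _ := auth.assert(rp.rpID, rp.origin, challenge)
	genuine = rp.verify(challenge, a)

	// 2. An AitM proxy forwards the real challenge, but the victim's browser is on
	//    the proxy's domain, so that is the origin written into clientData. (A real
	//    browser refuses even earlier, since the RP ID is not a suffix of that
	//    origin; this is the server-side check that catches it regardless.)
	p, _ := auth.assert(rp.rpID, "https://login-example.attacker.test", challenge)
	relayed = rp.verify(challenge, p)

	// 3. The proxy rewrites the origin to look genuine; the signature no longer matches.
	p.ClientDataJSON = bytes.Replace(p.ClientDataJSON, []byte("https://login-example.attacker.test"), []byte(rp.origin), 1)
	tampered = rp.verify(challenge, p)
	return genuine, relayed, tampered
}

func main() {
	g, r, t := demo()
	fmt.Println("genuine login :", g)
	fmt.Println("relayed login :", r)
	fmt.Println("tampered login:", t)
}
```

Compare this with the TOTP verifier: there the server gets six digits and a clock, and the code is equally valid wherever it was typed; here the server gets a signature over the origin, and the attacker can neither keep the phishing origin (rejected by the origin check) nor change it (rejected by the signature).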

Usability:

  1. Text/Call-Based MFA is the easiest for users to understand and use without technical setup but is slower and may become costly at scale.
  2. FIDO Keys are simple to use once set up but may require user training and upfront costs.
  3. Mobile Authenticator Apps strike a balance between security and usability, though setup and recovery may be challenging for some users.

Cost and Scalability:

  1. Mobile Authenticator Apps are the most cost-effective and scalable solution, especially for large teams.
  2. Text/Call-Based MFA can be costly if SMS / Text fees apply, especially for large organisations.
  3. FIDO Keys carry higher per-user costs and logistical challenges but are best for high-security environments.

4. Recommendations

  • High-Security Environments (e.g. access to sensitive PHI, financial records): Prefer FIDO Keys due to their strong resistance to phishing and MitM attacks, despite higher costs and management needs.
  • Moderate-Security Needs (e.g. general employee accounts, email access): Use Mobile Authenticator Apps for a balance of security, usability, and low cost. It’s also a good fallback for users without physical key access.
  • Low-Security/Convenience-First Scenarios (e.g. low-risk applications): Text/Call-Based MFA can be considered, although it should be supplemented by stronger options for sensitive systems.

Each of these MFA methods serves a purpose, and in many cases a combination of them can help meet your diverse security, cost, and user experience needs.

Ultimately, authenticator apps provide the best of both worlds for general use. I would, however, recommend that privileged users use FIDO keys or something equally resilient against phishing and MitM attacks, such as smart cards (certificate-based authentication) or passkeys. Number matching in the Authenticator app is worth enforcing, but be clear about what it fixes: it stops MFA fatigue (blind approval of push prompts), not a real-time phishing proxy, because the user sees the number on the proxied page and enters it as normal.
