What Is MFA?

Multi-factor authentication is a login system that requires you to prove your identity in more than one way before granting access. Security professionals group authentication factors into three categories: something you know (a password or PIN), something you have (a phone, an authenticator app, or a hardware token), and something you are (a fingerprint or face scan).

MFA requires at least two of these categories at the same time. The security benefit is large: even if an attacker obtains your password through a data breach, phishing campaign, or brute-force attack, they still cannot access your account without the second factor, which they do not have. Microsoft's own research finds that MFA blocks over 99.9% of automated account-compromise attacks.

SMS One-Time Passwords

The most common form of MFA is a one-time password (OTP) sent by SMS. After entering your password, the site sends a six-digit code to your phone number. You enter it to complete login. It's widely supported and easy to use, and still far better than a password alone, but it is the weakest form of MFA in common use.

The vulnerability is SIM swapping. Attackers contact your mobile carrier — armed with personal information gathered from social media or prior data breaches — and convince a customer service representative to transfer your phone number to a SIM card they control. From that point, every SMS OTP sent to your number goes directly to the attacker.

High-profile SIM-swap victims have included cryptocurrency investors, social media accounts with millions of followers, and even security researchers. The attack requires no technical sophistication, just social engineering of a single carrier employee. Most carriers let you set a port-out or number-transfer PIN; set it, but treat it as a speed bump rather than a fix, because the carrier can still be talked around it.

Authenticator Apps

Authenticator apps generate time-based one-time passwords (TOTP) — six-digit codes that change every 30 seconds, computed using a secret key shared between the app and the website at setup time. Popular options include Google Authenticator, Microsoft Authenticator, and Authy.

Because TOTP codes are generated on your device and never travel over the mobile network, SIM swapping gains an attacker nothing. The remaining weakness is phishing: the code is still a six-digit number that you type, so a fake login page that relays your password and code to the real site in real time gets in within the same 30-second window. An attacker who steals the shared secret, from your phone or from the site's own database, can also compute every future code. Authenticator apps are dramatically more secure than SMS OTPs while remaining nearly as convenient, but they are not phishing-resistant.

Authy adds backup and multi-device sync, which is useful if you lose your phone — though purists prefer keeping secrets on a single device for maximum security.

Hardware Security Keys

Hardware security keys — such as the YubiKey, Google Titan Key, or any FIDO2-compliant device — are small physical tokens that plug into a USB port or tap against your phone via NFC. They represent the gold standard of consumer MFA.

What makes them unique is phishing resistance. A FIDO2 credential is bound at registration to the domain that created it. When you log in, the browser, not the web page, derives that domain from the page's actual origin and passes it to the key; the key only answers for domains it holds a credential for, and its signed response covers the origin, so the site can check it as well. If an attacker tricks you into entering your password on a lookalike login page, the key has no credential for that domain and simply does not respond. There is no code for you to type into the wrong place. The site verifies the key's signature, and the key's response is only ever valid for the real site.
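The exchange above, modelled in code as an added example for this article (it is not code from any vendor or from a real FIDO2 library). The model keeps the three pieces that make the protocol phishing-resistant: the authenticator scopes each credential to a relying-party ID, the browser derives that ID and the signed client data from the page's real origin, and the server checks the origin, the RP ID hash, the signature, and the signature counter. One labelled substitution: the stdlib has no ECDSA, so the per-credential key is an HMAC secret and the "signature" an HMAC tag; a real key holds a private key and the site holds only the public key. Domain names and user names are placeholders.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


class SecurityKey:
    """Model of a FIDO2 authenticator. Credentials are stored under the RP ID
    they were created for; get_assertion only looks under the RP ID the browser
    supplies, so a lookalike domain has nothing to sign with.
    (HMAC stands in for the real ECDSA key pair; see lead-in.)"""

    def __init__(self):
        self._creds = {}   # (rp_id, credential_id) -> per-credential secret
        self._counter = 0  # signature counter, lets the site detect a cloned key

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        return cred_id, key  # a real key would return a public key here

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            return None  # no credential for this domain: the key stays silent
        self._counter += 1
        auth_data = hashlib.sha256(rp_id.encode()).digest() + self._counter.to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_request_assertion(key, page_origin, cred_id, challenge):
    """The browser derives the RP ID from the page's true origin and builds
    clientDataJSON itself; the page cannot lie about where it is."""
    rp_id = urlsplit(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    ).encode()
    result = key.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}  # user -> [cred_id, cred_key, last_counter]

    def register(self, user, key):
        cred_id, cred_key = key.make_credential(self.rp_id)
        self.users[user] = [cred_id, cred_key, 0]
        return cred_id

    def verify(self, user, challenge, response):
        if response is None:
            return False
        client_data, auth_data, sig = response
        cred_id, cred_key, last_counter = self.users[user]
        cd = json.loads(client_data)
        # 1. signed client data must carry our origin and our fresh challenge
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin \
                or cd.get("challenge") != challenge.hex():
            return False
        # 2. rpIdHash inside authenticatorData must be ours
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        # 3. signature over authenticatorData || SHA-256(clientDataJSON)
        expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        # 4. counter must move forward (replay or cloned-key detection);
        #    a real site also retires each challenge after one use
        counter = int.from_bytes(auth_data[32:36], "big")
        if counter <= last_counter:
            return False
        self.users[user][2] = counter
        return True


def demo():
    """Returns (legit_login_ok, phishing_page_got_nothing)."""
    key = SecurityKey()
    rp = RelyingParty("example.com", "https://example.com")
    cred_id = rp.register("alice", key)
    challenge = secrets.token_bytes(32)
    ok = rp.verify("alice", challenge,
                   browser_request_assertion(key, "https://example.com", cred_id, challenge))
    # Lookalike domain: the user has the key plugged in and the page even knows
    # the credential ID, but the browser asks for an examp1e.com credential.
    phish = browser_request_assertion(key, "https://examp1e.com", cred_id, secrets.token_bytes(32))
    return ok, phish is None
```

Run `demo()` and both values come back true: the real site accepts the assertion, and the phishing site never receives one. Contrast this with the TOTP verifier, where the server has no way to tell a relayed code from a typed one.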

Hardware keys are recommended for high-value accounts: email, banking, cloud infrastructure, and domain registrars. Many security-conscious organisations mandate them for all staff.

Which Should You Use?

The hierarchy from strongest to weakest is clear: hardware security keys, then authenticator apps, then SMS codes. Any of the three beats a password on its own.

The right answer for most people is to start with an authenticator app — it's free, works on any smartphone, and is supported by virtually every major platform. If you manage critical infrastructure or hold significant cryptocurrency, invest in a hardware key.

Enable MFA on your email account first. Your email is the master key to resetting every other account you own. If an attacker gains access to your inbox, they can trigger password resets on your bank, social media, and cloud storage in minutes. When you turn MFA on, save the recovery codes the site gives you somewhere safe, so that losing your phone or key does not lock you out. Protecting your email with MFA is the single highest-impact security action you can take today.