IS Decisions logo

IS Decisions Blog

How to evaluate common multi-factor authentication (MFA) methods

Evaluating the best MFA methods for your team? Choose the right balance between security and productivity.

Published May 25, 2023
MFA methods used by organizations

MFA is an organization’s best defense against the increasing cost of data breaches. The question for savvy IT pros is not if to apply MFA, but how?

A key part of how you apply MFA is the method you choose for your team. There are plenty of options out there, but your choice will likely come down to your budget, security needs, and ease of use.

In this blog, we’ll look at the pros and cons of the most popular MFA methods, helping you make the best choice for your organization.

Push notifications

Push notification mobile apps are a popular MFA method. End users receive a push notification on their smartphone during login attempts to a corporate system or cloud application. The user then approves or denies the login attempt. This method balances security with the convenient user experience of one-tap approval.

UserLock supports push notifications with the UserLock Push App.

Benefits of push notifications

Secure logon

Mobile push notifications provide an additional layer of security to verify a user’s identity. By prompting users to approve or deny login attempts on a device they own, push notification MFA makes it much more difficult for threat actors to access accounts or sensitive data.

Real-time verification

Push notifications produce a unique one-time passcode (OTP) for each login attempt. The authentication process takes place in real time and requires confirmation before allowing the login attempt. Even if attackers have acquired the user’s username and password, it is difficult for them to pass the real-time authentication process.

Reduced friction

Over 86% of people everywhere own a mobile device. That puts push notifications at the fingertips (literally) of just about anyone. Users can simply approve or deny the authentication request from their mobile device – eliminating the need to manually enter a code or carry a physical token.

Stronger authorization

In addition to authenticating users, push notifications can also authorize specific actions. You might require push notifications to approve admin logins or high-value transactions, for example. By requiring both authentication and authorization, push notifications can offer greater security than some other two-factor authentication methods.

Mobile device security

Built-in security features, such as biometric authentication through facial recognition or fingerprints, offer protection before even accessing the push notification. In essence, another layer of user authentication must be passed before the push notification is allowed. Other mobile device security features, such as secure enclave hardware and location services, can also help prevent unauthorized logins.

Hardware tokens and keys

Hardware token and key authentication is secure since these portable MFA devices generate a unique OTP. This code, along with the user’s password, enables the user to verify their identity and gain access to a system or application.

Highly sensitive sectors, such as finance, healthcare, and government agencies, frequently use hardware tokens to protect against costly breaches and meet compliance needs. As a dedicated piece of hardware, the odds are incredibly low that an attacker will be able to steal both a password and the physical MFA device. This makes tokens and keys among the most secure MFA methods available.

Among the UserLock-supported MFA methods are popular hardware solutions like YubiKey and Token2.

Benefits of hardware tokens and keys

Offline protection

Hardware tokens and keys have the advantage of working in situations where internet connectivity is not available. This provides an additional layer of security in scenarios where online communication is not an option. Hardware tokens are a popular MFA solution in industries where workers travel or have limited internet access, such as manufacturing and transport.

Increased reliability

Hardware tokens are among the most difficult MFA methods for attackers to obtain. The tokens are usually small, portable devices given to legitimate users. Many hardware tokens use time-based one-time passwords (TOTP) to make unauthorized access even more challenging.

Reduced risk of successful phishing attacks

Hardware tokens and keys offer robust protection against phishing attacks. Phishing is responsible for around 12% of all external attacks, with attackers impersonating legitimate websites or services to obtain user credentials. But without the physical hardware token, the attacker won’t be able to complete MFA and will be denied access.

Stronger encryption

MFA hardware tokens are built onto dedicated physical devices. They don’t share hardware with other apps or software or connect to the outside world for any other purpose. This brings fewer vulnerabilities from tampering, viruses, or outside interference, compared to MFA methods that work from a multi-purpose device.


Hardware tokens are also incredibly versatile. They’re used across industries for a range of identity and access management scenarios, like providing a second factor on top of a password or approving transactions. Because they don’t require internet access, hardware tokens and keys also allow staff to log in securely from wherever they work.

Hardware tokens and keys vs. push notifications

Hardware tokens and keys offer excellent protection. Their security keys are generated on dedicated devices held only by authorized users, safeguarding against threats like MFA fatigue and human error. For this reason, they are typically the MFA method of choice in regulated and sensitive industries. However, users must possess devices at all times or face being locked out of the system.

Push notifications are a more user-friendly form of authentication. They allow users to complete MFA from their mobile devices, making verification straightforward and near-frictionless. However, mobile devices are easier for attackers to target than hardware tokens.

When deciding, it’s important to remember that push notifications and hardware tokens both offer considerable protection. But they also have their differences. Generally, your choice will come down to security vs convenience. Organizations that require the highest level of security might choose hardware tokens. Those that want to balance security with convenience can opt for push notifications. UserLock offers both MFA methods, letting you choose the one that best fits your needs.

Authenticator apps

Authenticator apps are a convenient and secure way to add an extra layer of protection for user accounts. The apps are downloaded onto users’ mobile devices and generate TOTPs for a second layer of verification.

UserLock supports popular authenticator applications such as Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and Duo with a programmable token like Token2.

Benefits of authenticator apps

Enhanced security

Authenticator apps use TOTPs. This makes it much more challenging for attackers to gain unauthorized access to user accounts. App codes are only valid for a short period and cannot be replicated or reused, protecting access to critical systems.

Ease of use

Like push notifications, authenticator apps offer users convenience by verifying logins through their mobile devices. The apps are simple to install without needing any additional devices. Enrollment is also straightforward, letting users add a new account quickly via passcodes or QR codes.

No connectivity required

Authenticator apps can produce codes even without an internet connection. If a user is offline or in an area of poor cellular coverage, they can continue logging in securely.


MFA authenticator apps are usually free to download. This makes it simple for organizations to onboard new users and scale MFA, while ongoing app maintenance costs are left to the provider.

Authenticator apps vs. push notifications and hardware tokens

Authenticator apps offer an effective balance between security, usability, and cost-effectiveness. Compared to push notifications, authenticator apps can be more difficult for attackers to target. They’re also cheaper to roll out and scale than hardware tokens.

When deciding which MFA method is right for you, remember that all are drastic improvements on using passwords alone. This is especially true if your systems hold sensitive data (and how many don’t?).

There are also much less secure MFA methods, like text messages, phone calls, or security questions, which do not offer the protection of authenticator apps, push notifications, and hardware tokens.

As a very general rule of thumb, you could choose the MFA method that most closely fits your use case from the following:

  • Push notifications: You require a highly convenient and scalable method, and can accept the potential risk of attacks that target user error.

  • Authenticator apps: You need a balance of user-friendliness, good security, a method that’s cost-effective to scale, and works offline.

  • Hardware tokens: You’re looking for the highest level of security, and can make allowances for the slight loss in user convenience and the cost of deployment.

SMS notifications

SMS notifications were an early MFA method that took advantage of the popularity of mobile devices. They’re still commonly used today, but their functionality brings several security concerns.

Most experts do not encourage SMS notifications as a secure MFA method.

Risks of SMS notifications

Vulnerable to attacks

SMS notifications are vulnerable to attacks. Hackers can intercept text messages and read unencrypted contents — gaining easy access to corporate systems. SMS is also weak to other attacks, like SIM swapping and phone number spoofing.

Risk of phishing attacks

Attackers can use SMS to carry out phishing attacks. Attackers might send fake MFA requests, dangerous links, or social engineering attempts directly to users’ mobile phones, increasing their chances of unauthorized system access.

Compliance issues

SMS as an MFA method does not comply with specific regulations, such as the General Data Protection Regulation (GDPR) or the Health Insurance Portability and Accountability Act (HIPAA), may render SMS notifications unsuitable for use by organizations. Non-compliance can bring legal and financial penalties.

SMS notifications vs. push notifications

Push notifications have a potential weakness to human error and MFA fatigue attacks. However, they are encrypted and delivered through a much more secure channel than SMS. For this reason, push notifications offer significantly more protection than SMS.

SMS notifications vs. hardware tokens

Hardware tokens are one of the most secure MFA methods available. Built on dedicated devices and secured from outside access, they offer much more protection than SMS.

SMS notifications vs. authentication apps

Authenticator apps blend good security with user convenience. Although open to potential security concerns, they offer much-improved protection compared to SMS notifications.

Choose between multiple MFA methods with UserLock

Because your team’s security needs are not one-size-fits-all, you'll want to select the MFA solution that allows you to choose between a few different methods. That’s why UserLock gives you the flexibility to choose between:

  • Hardware tokens and keys

  • Push notifications

  • Authenticator apps

And since it's often helpful for employees to use more than one authentication method, you can also give users the ability to enroll in up to two of the above methods. Not only does this flexibility ease the burden of MFA, it also helps boost security since you can choose the best balance between security and productivity for different use cases, such as remote and on-site access.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial