SMS vs App vs Security Key: Which MFA Option Should You Use?

Protecting login credentials from being compromised is one of the most important tenets of cybersecurity. With 91% of businesses using the cloud, data is often only as secure as the easiest-to-hack password.

Passwords can be compromised in multiple ways. A weak password is easily guessed or cracked by password-cracking software. Users can also be fooled by a phishing email and end up logging into a fake website that’s designed to steal their password.

Another way that passwords can be compromised is through a data breach. A breach of an online website you may use can cause a login credential to end up for sale on the Dark Web. When this happens, any website or app that uses that same password is in danger.

51% of people use the same password for multiple accounts, both work and personal.

The best way to keep accounts secure from password compromise is to use multi-factor authentication (MFA). It’s a powerful tool that can block as many as 99.9% of account hacks.

What is MFA?

Multi-factor authentication is when you add another requirement to access an account protected by a username and password. It’s usually in the form of a code that is sent to a registered device.

The user receives that code and must enter it at login along with their login credentials to gain access. Having the login credentials alone is not enough; the code must also be entered.

Hackers usually don’t have access to the device that receives the MFA code, which is what makes this an effective way to prevent account breaches.

But when enabling MFA to improve IT security and reduce the risk of having accounts breached, there are a couple of key factors to keep in mind. These are:

  1. How secure the MFA method is (some are more secure than others)
  2. How convenient the method is for employees (if it’s inconvenient, they may not want to use it)

Three Forms of Multi-Factor Authentication

When enabling MFA for your company, there are three main methods you can choose from:

  • SMS: The user receives the code via text message.
  • On-device Prompt/App: The user receives the code through an app that provides a prompt on the device with the code.
  • Security Key: The user purchases a specific type of security key that is used to receive the MFA code and plugs it into a device to authenticate.

Comparing the Three Options for Multi-factor Authentication 

While all three methods provide significant protection against cloud account breaches, there are differences between them that might make you want to choose one over the other.

The differences include the level of security, cost, and convenience. 

We’ll go through a comparison below, referencing a Google study on all three methods. 

Google Study on MFA Security

SMS/Text Message

The most convenient of the three methods is receiving the code by SMS. People are used to texting, so getting a message with their login code each time they are logging in won’t have much of a learning curve at all.

On the security front, the SMS method is the least secure of the three, though it still blocks between 76% and 100% of attacks, depending upon the attack type. The Google study found that it:

  • Blocks 100% of automated bot attacks
  • Blocks 96% of bulk phishing attacks
  • Blocks 76% of targeted attacks

The reason for it being slightly less secure than the other two methods is that SIM cards can be cloned by malware, in which case a hacker would have access to the device’s text messages.

On-device Prompt/App

The second most common way of receiving the MFA code, after SMS, is through an app. Apps like Google Authenticator or Cisco Duo provide a consistent MFA experience across multiple sites.

They are still fairly convenient, though users do have to go through an additional step to download the app and learn how to use it.

This method has a mid-level of security:

  • Blocks 100% of automated bot attacks
  • Blocks 99% of bulk phishing attacks
  • Blocks 90% of targeted attacks

Security Key

Purchasing a separate device to receive and authenticate the MFA code is by far the most secure method. A security key, which is smaller than a USB drive, can be purchased from providers like Thetis and Yubico. It plugs into a device to authenticate the MFA code.

This is the most expensive method because a company would have to purchase keys for each user. It also would inevitably run into the problem of users losing their keys and having to go through a process so they could still access accounts.

On the security side, this is the most secure method of the three:

  • Blocks 100% of automated bot attacks
  • Blocks 100% of bulk phishing attacks
  • Blocks 100% of targeted attacks

Get Help With Effective Password Protection Solutions

Unbound Digital can help your Johnson City, Tennessee business put the right form of MFA in place that balances convenience with security.

Contact us today to schedule a consultation. Call 423-335-2461 or reach us online.

