
Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 1

Administrators and end-users of a multi-factor authentication (MFA) product like Duo’s face a variety of options for how to authenticate. Each method has distinct tradeoffs of convenience, user experience, and security.

In this first blog of a three-part series, we’ll define four categories of authentication methods encompassing a broad array of device types. In future blogs, we will discuss identity threats facing MFA users and how to choose the best methods to protect yourself and your organization.

Background: MFA methods

MFA requires that users present multiple pieces of evidence, or factors, proving their identity. These factors typically belong to one of three types:

  • Knowledge (“something you know”): Memorized information like a password

  • Possession (“something you have”): A physical device that the user has access to

  • Inherence (“something you are”): A biometric indicator like a fingerprint

Most commonly, a password (knowledge factor) is combined with a second authentication method representing one or more additional factors. We’ll categorize the methods supported by Duo in the following ways.

| Authentication Type | Variant                | Example Device            |
|---------------------|------------------------|---------------------------|
| WebAuthn-Based      | Platform Authenticator | Laptop With Touch ID      |
| WebAuthn-Based      | Roaming Authenticator  | YubiKey Security Key      |
| Push-Based          | Push                   | Phone With Duo Mobile App |
| Push-Based          | Verified Push          | Phone With Duo Mobile App |
| Token-Based         | Software Token         | Phone With Duo Mobile App |
| Token-Based         | Hardware Token         | Duo D-100 Token           |
| Telephony-Based     | SMS Passcode           | Phone                     |
| Telephony-Based     | Phone Call             | Phone                     |

WebAuthn-based methods

Factor type(s): possession (computer, phone, or security key), usually paired with inherence (biometric) or knowledge (passcode)

WebAuthn, or Web Authentication API, is a standard for securely authenticating users using public key cryptography. Users register their device and receive credentials from a server like duosecurity.com. These credentials can then be used to authenticate, without the need for a password. Because the credentials cannot be used on sites other than their origin (e.g. on fake webpages like bad-duosecurity.com), WebAuthn-based authentication is said to be phishing-resistant.

Some WebAuthn-based authenticators, known as platform authenticators, are integrated into device hardware and operating systems and confirm user identity using biometrics such as iOS Touch ID, iOS Face ID, or Windows Hello. Many platform authenticators additionally support syncing WebAuthn credentials, known as passkeys, across multiple devices. Other WebAuthn-based devices, such as YubiKey security keys, are roaming authenticators and must be physically plugged into the device where a user is authenticating.
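The origin binding that makes WebAuthn phishing-resistant is enforced on the relying-party side, so here is an added example (not Duo's code or the WebAuthn library of any project) that models that check in Go. The authenticator signs over data that includes a hash of the RP ID, and the browser, not the web page, records the origin it is actually on in the client data; the server then refuses anything whose origin or RP ID hash does not match the registered credential. The key pair, challenge strings and domain names are constructed for the example, and the structures are simplified from the real specification (no CBOR, no attestation), with bad-duosecurity.com standing in for the look-alike page from the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData models WebAuthn's collectedClientData. The browser, not the web
// page, fills in Origin with the site that actually requested the assertion.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Credential is what the relying party stored at registration time.
type Credential struct {
	RPID      string           // domain the credential is scoped to
	PublicKey *ecdsa.PublicKey // private half never leaves the authenticator
	Counter   uint32           // last signature counter seen
}

// Assertion is the authenticator's answer to navigator.credentials.get().
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signCount (4)
	Signature         []byte // ASN.1 ECDSA over sha256(authData || sha256(clientDataJSON))
}

// newCredential models registration: a P-256 key pair scoped to rpID, of
// which the relying party keeps only the public half. (Constructed example.)
func newCredential(rpID string) (*ecdsa.PrivateKey, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &Credential{RPID: rpID, PublicKey: &priv.PublicKey}, nil
}

// signAssertion models browser plus authenticator on a page at origin: the
// browser stamps that origin into client data and derives rpID from it, so a
// page on another domain cannot claim to be duosecurity.com.
func signAssertion(priv *ecdsa.PrivateKey, origin, rpID, challenge string, counter uint32) (Assertion, error) {
	cd, err := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01) // flags byte: UP (user present) set
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	auth = append(auth, cnt[:]...)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{ClientDataJSON: cd, AuthenticatorData: auth, Signature: sig}, err
}

// verifyAssertion is the relying party's check; each rejection is a step a
// phishing relay cannot pass without the genuine origin.
func verifyAssertion(cred *Credential, a Assertion, challenge string, allowedOrigins map[string]bool) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge (replay?)")
	}
	if !allowedOrigins[cd.Origin] {
		return fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(cred.RPID))
	if string(a.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash does not match registered RP ID")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if counter <= cred.Counter && (counter != 0 || cred.Counter != 0) {
		return errors.New("signature counter did not increase (cloned authenticator?)")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], a.Signature) {
		return errors.New("signature does not verify")
	}
	cred.Counter = counter
	return nil
}

func main() {
	priv, cred, _ := newCredential("duosecurity.com")
	allowed := map[string]bool{"https://duosecurity.com": true}
	a, _ := signAssertion(priv, "https://duosecurity.com", "duosecurity.com", "c1", 1)
	fmt.Println("real site:", verifyAssertion(cred, a, "c1", allowed))
	// Relay attempt: the victim's browser is on the look-alike domain, so it
	// stamps that origin and RP ID; the same key and a fresh challenge are refused.
	p, _ := signAssertion(priv, "https://bad-duosecurity.com", "bad-duosecurity.com", "c2", 2)
	fmt.Println("look-alike site:", verifyAssertion(cred, p, "c2", allowed))
}
```

The counter check is the secondary defence: a signature that re-presents an old counter value is rejected even when everything else verifies, which is how a replayed or cloned-authenticator assertion is detected. In a real deployment the allowed-origin set and the RP ID come from server configuration, and the challenge is a random value stored per session rather than a fixed string.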

Push-based methods

Factor type(s): possession (phone with authenticator app installed), sometimes paired with knowledge (numeric code)

In push-based authentication, users receive a push notification on their phone when they try to log in on another device. They can review authentication details in a mobile app (such as Duo Mobile) and confirm or deny the authentication. The push notification typically happens out-of-band (i.e., on a different communication channel) from the login device, which makes it harder for attackers to tamper with the authentication.

Duo offers two options for push-based authentication. A Duo Push is an ordinary push in which a user confirms or denies authentication via the Duo Mobile App. A Verified Duo Push adds additional security by presenting a numeric code in the login prompt, which must then be entered in Duo Mobile when confirming the push. Both Duo Push and Verified Duo Push transmit the user’s response securely using an HTTPS connection.

Token-based methods

Factor type(s): possession (security token), or knowledge (passcode generated by the token)

In token-based authentication, a hardware device or software application is used to generate a single-use passcode, which must be entered into the login prompt to proceed. The Duo Mobile app can serve as a software token, while third-party hardware and software tokens of various types may also be registered with Duo.

The security properties of tokens depend on the algorithm used to generate the passcodes. The HMAC-based One-Time Password (HOTP) algorithm generates passcodes that expire only after they have been used, which opens the door to attackers stealing the codes and using them later. By contrast, the Time-Based One-Time Password (TOTP) algorithm produces passcodes that expire after a short time, which adds some extra security.

Telephony-based methods

Factor type(s): possession (phone with registered phone number), or knowledge (a passcode from SMS)

SMS (Short Message Service) passcode and phone call authentication are methods that allow users to authenticate using their phones, without any specialized hardware or software. SMS passcodes work similarly to token-based authentication methods, except that the single-use passcode is transmitted as a text message to the user’s phone. In phone call authentication, the user receives an automated call and confirms the authentication by pressing a key on the phone.

The ubiquity of mobile phones makes telephony-based authentication a popular choice for many organizations. However, communications via cell networks may be less secure than other methods, leading to a risk of MFA interception.

What’s next

Now that we understand the ways that MFA users can authenticate, we can examine how each of these methods stands up to specific cyber threats. The next blog in this series will discuss some of the most common threats affecting MFA and how the different authentication methods can protect against attacks.