Skip navigation
Person using a mobile phone, overlaid with a color filter of Duo green
Industry News

The Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 3

The choice of authentication methods plays a key role in defending against identity threats. In the first two blogs of this three-part series, we discussed the MFA methods available to users and their strengths and weaknesses in defending against five types of cyber attack. In this blog, we’ll discuss how end-users and administrators can select the best methods to keep themselves and their organizations secure.

The importance of user experience

Authentication methods’ technical properties in addressing cyber-threats are part of the security picture, but not the whole picture. The convenience of the end-user experience also plays an important role.

A frictionless user experience can help ensure that MFA is widely adopted within an organization, and that once it is adopted, users comply with best practices. Users that are frustrated by the authentication experience are more likely to fall prey to MFA fatigue attacks, or to seek workarounds that avoid the need to authenticate at all.

When setting MFA policies for their organization, administrators must consider the human element, which plays a role in 74% of breaches.

Budget considerations

Cost is another factor influencing which authentication methods organizations should adopt. Methods that leverage users’ existing devices, for instance, offer cost advantages over methods requiring specialized hardware such as tokens and security keys. Conversely, adopting platform authenticators may require costly upgrades to enterprise hardware and software to support biometrics.

Administrative and service costs must also be considered. Telephony-based methods require the purchasing of telephony credits, while the personnel costs of deployment and helpdesk support for some authentication methods can be significant.

Organizations must weigh the total cost of ownership of MFA against the considerable, but uncertain, cost of a breach.

What authentication methods are right for you?

To decide which methods to use, organizations must balance security, user experience, and budget considerations to meet their unique needs. To conclude this blog series, we’ll discuss each method in turn and why you may choose to adopt it.

WedAuthn-based authentication

WebAuthn-based authentication is a clear winner for threat protection, with strong defenses against a variety of threats including phishing and AiTM (adversary-in-the-middle) attacks. WebAuthn-based methods also offer superior user experiences using biometrics and passwordless authentication.

Despite these advantages, organizations often face challenges when adopting WebAuthn. Legacy software often must be upgraded to support this relatively new protocol, while upgrading employee endpoints to support biometrics or purchasing and distributing security keys can incur significant costs. Organizations must also incentivize users to register WebAuthn-based devices and train them to adapt to new authentication workflows.

The journey to WebAuthn, passkeys, and passwordless can be well worth it, and organizations can learn from the success stories of their peers.

Push-based authentication

Push-based authentication provides a good balance between security and user experience. It protects against many threats while allowing users to authenticate conveniently using their own phones. While it does not defend against AiTM threats as WebAuthn does, this gap can be addressed by other measures, such as adopting device trust policies.

Security against MFA fatigue attacks can be enhanced for push-based methods by enabling numeric code matching (e.g., Verified Duo Push). However, this security comes with additional user friction.  Organizations that want the security benefits of code matching but with minimal friction can try a policy like Duo Risk Based Authentication in which codes are required only for suspicious authentications.

Token-based authentication

Token-based authentication provides a third-tier option for threat protection behind WebAuthn-based and push-based methods. Passcode phishing and physical compromise are concerns for tokens but may partially be addressed by end-user training. Tokens remain popular for organizations where users cannot use their own phones to authenticate or where offline access is needed.

Telephony-based authentication

Telephony-based authentication is widely used due to its administrative convenience, since end-users can use their own phones without any specialized hardware or software. Hardware costs savings may be offset, however, by telephony costs. Telephony-based methods are also less secure than other methods, with SIM swapping adding a distinctive threat vector alongside common physical and social engineering concerns. Despite these drawbacks, telephony is an effective way for some organizations to ensure that MFA is widely adopted.


No matter what your authentication needs, Duo provides a variety of options to choose from. Duo’s adaptive access policies make it easy for administrators to customize settings by user group and application type, so that every authentication is as secure and frictionless as possible. End-users may further select from the methods allowed by their organizations to best suit their needs and preferences.

To learn more about authentication with Duo, sign up for a free trial today.