  • Zack Davis

How to Craft a Multi-Factor Security System

Credential theft is now at an all-time high and is responsible for more data breaches than any other type of attack.

With data and business processes now largely cloud-based, a stolen user password can give a hacker access to a huge amount of personal and business-related information.

Once logged in as a user (especially one with admin privileges), a criminal can send phishing emails from your firm's account to your staff and customers. Staff could be sent a link from their bosses' email accounts that steals their information when they click on it.

The hacker can also infect your cloud data with ransomware and demand thousands of dollars to give it back. This is an especially important concern for businesses that hold sensitive information, such as law firms or banks.

How do you protect your online accounts, data, and business operations? One of the best ways is with multi-factor authentication (MFA).

It provides a significant barrier to cybercriminals even if they have a legitimate user credential to log in. This is because they most likely will not have access to the device that receives the MFA code required to complete the authentication process.


When you implement multi-factor authentication at your firm, it’s important to compare the three main methods of MFA and not just assume all methods are the same. The methods differ mainly in their level of security and their convenience for users.

Let’s take a closer look at what these three methods are:


The form of MFA that people are most familiar with is SMS-based. This one uses text messaging to authenticate the user.

When users set up SMS-based MFA, the system asks for a primary cell phone number. Users would choose the device that they have near them while working.


Another type of multi-factor authentication will use a special app to push through the code. The user still generates the MFA code at login, but rather than receiving the code via SMS, it’s received through the app.

This is usually done via a push notification, and it can be used with a mobile app or desktop app in many cases.


The third key method of MFA involves using a separate security key that you can insert into a PC or mobile device to authenticate the login. The key is purchased at the time the MFA solution is set up, and it is the device that receives the authentication code and applies it automatically.

The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system. Users typically will insert the device into their computer or will turn on their device to receive a code.

Now, let’s look at the differences between these three methods.


Users can often feel that MFA is slowing them down. This can be worse if they need to learn a new app or remember to carry a tiny security key (what if they lose that key?).

This user inconvenience can cause companies to leave their cloud accounts less protected by not using multi-factor authentication.

If you face user pushback and are looking for the most convenient form of MFA, that is SMS-based MFA.

Users almost always have their phones on them and understand the idea of getting a code via text message. They do not have to learn anything new.


If your firm handles sensitive data in a cloud platform, such as your online accounting solution, or personal data related to specific clients, then your best bet is the security key or token.

The most secure form of MFA is the security key.

The security key, being a separate device altogether, won’t leave your accounts unprotected in the event of a mobile phone being lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario.

SMS-based MFA is actually the least secure because there is malware that can clone a SIM card, which would allow a hacker to receive those MFA text messages.

Many tech professionals recommend that users simply carry the security key in their briefcase or backpack. It can also fit on a key ring or chain.

A Google study looked at the effectiveness of these three methods of MFA at blocking common malware attacks. The security key was the most secure overall.

Percentage of attacks blocked:

  • SMS-based: between 76% and 100%
  • On-device app prompt: between 90% and 100%
  • Security key: 100% for all three attack types


So, where does the app with an on-device prompt fit in? Right in between the other two MFA methods.

Using an MFA application that delivers the code via push notification is more secure than the SMS-based MFA. It’s also more convenient than needing to carry around a separate security key that could quickly become lost or misplaced.


Multi-factor authentication is a “must-have” solution in today’s threat climate. Let’s discuss your barrier points and come up with a solution together to keep your cloud environment better secured. You can also discover more about our Virtual IT Department or contact us directly.

Article used with permission from The Technology Press.
