
Two-Factor Authentication Apps: A Business Comparison

Peter Nelson · 6 min read

Not all 2FA methods are equal. We compare SMS, authenticator apps, and hardware keys to help you choose the best option for your business.

Multi-factor authentication (MFA) is the single highest-impact security control available to most businesses — the ACSC estimates it prevents over 99% of automated account takeover attacks. But not all MFA methods are equally secure, and choosing the wrong method can leave businesses with a false sense of protection.

Here is a practical comparison of the most common MFA options for Australian SMBs.


Why MFA Method Matters

The difference between MFA methods is not just convenience — it is security. Some methods can be bypassed by attackers who have stolen a password; others cannot. Understanding the security model of each method helps you make the right choice for different user populations and risk levels.


SMS / Text Message Codes

How it works: A one-time code is sent via SMS to the user’s registered phone number. The user enters the code after their password.

Security level: Low to Medium

SMS-based MFA is better than nothing, but it has well-documented weaknesses:

  • SIM swapping: An attacker convinces a mobile carrier to transfer the victim’s phone number to an attacker-controlled SIM. Once the number is transferred, all SMS codes go to the attacker. SIM swap attacks have been used against Australian businesses.
  • SS7 protocol vulnerabilities: The underlying phone network protocol (SS7) has known vulnerabilities that allow interception of SMS messages by sophisticated attackers.
  • Phishable: a socially engineered user can type the SMS code into a phishing site, or an attacker-in-the-middle proxy can relay it in real time before it expires.

Best use: Consumer accounts, lower-risk business applications, situations where no alternative is available. Not recommended as the primary MFA method for business email, financial systems, or administrative accounts.


Time-Based One-Time Password (TOTP) Authenticator Apps

How it works: An authenticator app generates a 6-digit code that changes every 30 seconds, derived from a shared secret established during setup. The user enters the current code after their password.

Popular apps: Microsoft Authenticator, Google Authenticator, Authy, 1Password (TOTP feature)

Security level: Medium to High

TOTP authenticator apps are significantly more secure than SMS:

  • No dependency on the phone network — codes are generated locally on the device
  • No SIM swap vulnerability
  • Codes are time-limited (30 seconds)

Weaknesses:

  • Still phishable: a real-time phishing attack can prompt the user for the code and use it before it expires
  • Adversary-in-the-middle (AiTM) attacks can capture authenticated session tokens, bypassing MFA entirely
  • Device loss means recovery complexity (though most apps support backup/cloud sync)
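To make the shared-secret mechanism concrete, here is an added example (not code from the article) of RFC 6238 TOTP generation and server-side verification in Go, using the RFC's own published test secret rather than a real key. The skew-tolerant verification shows exactly why a code relayed by a phishing page is still accepted until its 30-second window has passed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// rfcSecret is the RFC 6238 reference secret, used for its published test vectors.
var rfcSecret = []byte("12345678901234567890")

const stepSeconds = 30

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation to six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp implements RFC 6238: the counter is the number of 30-second windows since
// the Unix epoch, which is why the app needs no network to agree with the server.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime)/stepSeconds)
}

// verifyTOTP is the server side: the current window plus skew neighbours for clock
// drift, compared in constant time. It also shows the limit the article describes:
// a code relayed by a phishing page early in a window stays valid until the window and skew allowance pass.
func verifyTOTP(secret []byte, candidate string, unixTime int64, skew int) bool {
	current := int64(uint64(unixTime) / stepSeconds)
	for d := -int64(skew); d <= int64(skew); d++ {
		expected := hotp(secret, uint64(current+d))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("current code:", totp(rfcSecret, time.Now().Unix()))
}
```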

Microsoft Authenticator advantage: For Microsoft 365 environments, Microsoft Authenticator offers number matching (user confirms the number displayed on the login screen, not just “approve/deny”) and additional context (location, app). This significantly reduces the effectiveness of MFA fatigue attacks.

Best use: Standard business users for Microsoft 365, line-of-business applications, VPN. The baseline MFA method for most business deployments.


Push Notification MFA (Microsoft Authenticator / Duo)

How it works: Instead of entering a code, the user receives a push notification on their registered device asking them to approve or deny the login attempt.

Security level: Medium to High (with number matching enabled)

Push MFA is more user-friendly than code entry but introduces a new attack: MFA fatigue (MFA bombing). Attackers who have stolen a password repeatedly trigger push notifications, hoping the user will eventually approve one out of confusion, fatigue, or frustration.

Microsoft’s mitigation: Number matching and additional context (enabled in Entra ID) require the user to match a number shown on the login screen to a number displayed in the push notification. This makes automated MFA fatigue attacks ineffective.

Without number matching enabled, push MFA is vulnerable to fatigue attacks. Ensure number matching is enabled in your Microsoft Entra ID configuration.

Best use: Microsoft 365 environments with number matching enabled. The most user-friendly secure MFA option for standard business users.
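As an added example (not part of the article), a small Go routine that scans constructed sign-in records for the MFA fatigue pattern just described: a burst of unapproved push prompts for one account, and the more serious case where an approval follows that burst. The comma-separated record format and the example.com accounts are assumptions, not any vendor's export format.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sign-in records ("RFC3339 time,user,push result") in time order; not real telemetry.
const sampleLog = `2024-05-02T09:00:00Z,carol@example.com,denied
2024-05-02T17:00:00Z,carol@example.com,denied
2024-05-02T22:14:03Z,bob@example.com,denied
2024-05-02T22:14:41Z,bob@example.com,timeout
2024-05-02T22:15:20Z,bob@example.com,denied
2024-05-02T22:17:30Z,bob@example.com,approved`

// fatigueAlerts flags a user once threshold push prompts go unapproved within
// window, and escalates if an approval then follows that burst, the outcome the
// article warns about. Any result other than "approved" counts as unapproved.
func fatigueAlerts(raw string, window time.Duration, threshold int) (map[string]string, error) {
	alerts, pending := map[string]string{}, map[string][]time.Time{}
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, ",")
		at, err := time.Parse(time.RFC3339, f[0])
		if len(f) != 3 || err != nil {
			return nil, fmt.Errorf("malformed record: %q", line)
		}
		user, result := f[1], f[2]
		p := pending[user]
		for len(p) > 0 && at.Sub(p[0]) > window { // forget prompts older than the window
			p = p[1:]
		}
		if result != "approved" {
			p = append(p, at)
		} else if len(p) >= threshold {
			alerts[user] = fmt.Sprintf("approved after %d unapproved prompts: likely fatigue success, revoke sessions", len(p))
		}
		if len(p) >= threshold && alerts[user] == "" {
			alerts[user] = fmt.Sprintf("%d unapproved prompts within %s", len(p), window)
		}
		pending[user] = p
	}
	return alerts, nil
}

func main() {
	alerts, _ := fatigueAlerts(sampleLog, 10*time.Minute, 3)
	fmt.Println(alerts)
}
```

With the sample data only bob is flagged: carol's two denials are hours apart and never form a burst.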


FIDO2 Hardware Security Keys

How it works: A physical USB or NFC key (YubiKey, Google Titan Key) is inserted or tapped. The key performs a cryptographic authentication that is specific to the legitimate website — it cannot be used on a phishing site because the URL does not match.

Security level: Very High (Phishing-resistant)

Hardware keys resist all three of the attacks described above:

  • SIM swapping
  • Real-time phishing
  • AiTM attacks (the cryptographic challenge is origin-bound — it only works on the real site)

This makes them the gold standard for high-risk accounts: domain administrators, finance accounts with payment authority, executive accounts.
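The origin binding described above, as an added example rather than anything from the article: a simplified WebAuthn-style assertion in Go in which the browser-supplied origin and the RP ID hash are part of what the key signs, so an assertion collected on a look-alike domain (the assumed login-example.com.evil.test) fails verification at the genuine site (the assumed login.example.com). The clientData field names and the authenticator data layout are simplified from the real specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is filled in by the browser, not the user, so an assertion made on a look-alike site names that site's origin.
type clientData struct{ Type, Challenge, Origin string }

// sign is the authenticator side: authData = SHA-256(rpId) || flags || count, signature over authData || SHA-256(clientDataJSON).
func sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, clientJSON, sig []byte) {
	clientJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientJSON)
	authData = append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; sign count 1
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return authData, clientJSON, sig
}

// verify is the relying-party side: origin, challenge and RP ID hash must be this site's before the signature counts; "" means accepted.
func verify(pub *ecdsa.PublicKey, authData, clientJSON, sig []byte, rpID, origin, challenge string) string {
	var cd clientData
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	switch {
	case json.Unmarshal(clientJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return "malformed clientData or stale challenge"
	case cd.Origin != origin:
		return "signed for origin " + cd.Origin + ", not " + origin
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]):
		return "rpIdHash does not belong to this relying party"
	case !ecdsa.VerifyASN1(pub, digest[:], sig):
		return "signature does not verify"
	}
	return ""
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, site, chal = "login.example.com", "https://login.example.com", "c0ffee"
	a, c, s := sign(key, rpID, site, chal) // genuine login
	fmt.Printf("genuine site: %q\n", verify(&key.PublicKey, a, c, s, rpID, site, chal))
	a, c, s = sign(key, rpID, "https://login-example.com.evil.test", chal) // gathered by a look-alike page
	fmt.Printf("look-alike:   %q\n", verify(&key.PublicKey, a, c, s, rpID, site, chal))
}
```

The second assertion carries a valid signature from the user's real key, and is still rejected, because the signed bytes name the wrong origin.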

Weaknesses:

  • Cost: $50-100 per key (recommend two per user — one primary, one backup)
  • Physical: users must have the key with them to log in, and losing it requires a recovery process
  • Setup complexity: requires registration per service

Best use: Privileged accounts (IT administrators, global admins), finance users, executives. Mandatory for any account with the ability to authorise financial transactions or make administrative changes to critical systems.


Windows Hello for Business (Certificate-Based Authentication)

How it works: Biometric authentication (fingerprint or face recognition) on a managed Windows device, backed by a device-bound certificate. No code, no token, no push notification — just biometric verification.

Security level: Very High (Phishing-resistant)

Windows Hello for Business is phishing-resistant (certificate is device-bound and origin-bound), convenient (biometric, no additional device needed), and manageable through Microsoft Intune. For Microsoft 365 environments on managed Windows devices, it is the most frictionless phishing-resistant MFA available.

Requirements: Managed Windows device enrolled in Intune, Windows Hello hardware (fingerprint reader or IR camera — standard on most modern business laptops).

Best use: Standard business users on managed Windows devices. The best balance of security and usability for Microsoft 365 environments.


| User Type | Recommended MFA |
| --- | --- |
| Standard staff (managed Windows device) | Windows Hello for Business |
| Standard staff (other device) | Microsoft Authenticator with number matching |
| Finance / payment authorisation | FIDO2 hardware key |
| IT administrators / global admins | FIDO2 hardware key (mandatory) |
| External access / contractors | Microsoft Authenticator with number matching |

Getting MFA Right

CX IT Services configures MFA and Conditional Access for Melbourne businesses as part of our Microsoft 365 managed service — including enabling number matching, deploying Windows Hello for Business, and issuing hardware keys for privileged accounts. Book a Right Fit Call to discuss your current MFA configuration.
