What You Should Know:

Multi-Factor Authentication 2025

This article includes many helpful links. None of these are referral links.

First of all, having multi-factor authentication is better than not having multi-factor authentication. That password that was easy to remember, or that you use in a few different places, has probably already been sold online (a breach-checking service will tell you whether it appears in the usual places where passwords are sold), and if you haven't started using a password manager to ensure every password is unique, there are many good options to choose from. Some of them are even free, or offer free versions.

Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) means your identity is verified in more than one way, usually your password plus something else. 2FA means verification in exactly two ways; MFA means more than one way (sometimes three or more), so we'll generally refer to this as multi-factor authentication (MFA). MFA is often used when at least one of those verification methods is weak and doesn't stand well on its own (like your date of birth or phone number) but becomes strong when combined with other methods of identification. Since many people don't protect their passwords well, passwords fall into that category too.

As the world started to become more connected, MFA started using authentication methods based on your contact information, such as your phone or email. After all, the chance of someone else having access to your phone or email at the same instant that they have your password was fairly remote.

This is changing.

Email MFA

Emailed MFA verifies identity by sending a link or a code to the email address on file. The link or code is usually time-limited, anywhere from 10 minutes to 24 hours.

Although email providers have gotten a lot better at offering MFA, many still allow a user to set a weak or shared password.

One person I was talking to recently explained to me that they typically use two passwords, one for banking and one for everything else: social media, entertainment websites, shopping, and email. This was part of a conversation where their password had been stolen from one of those entertainment websites, and they were trying to assure me that no one could get access to their banking information because they use a really strong password there.

Then we opened their email to see a reset password link had been sent to their email address from their bank, a multi-factor authentication code had been sent to verify identity, and there was a password change confirmation email. The attacker had been sloppy enough to not change the password to the email address, but they had gotten into this person's bank account by using the hijacked email account with the weak password.

Emailed password reset links and one-time codes are only as secure as access to the email account itself, so emailed MFA is no longer encouraged.

I said it above and I'll say it again here -- any MFA is still stronger than none, so if that's your only option, take it, but sometimes you can do better.

Phone MFA

For phone MFA, the user has to have access to their phone to log in. The code arrives either as an automated phone call that reads off a series of digits or as a text message (SMS).

Phone-based MFA has its issues too, but depending on how it's implemented it can be more secure than email.

Intercepted Text Message

Some applications, both on the phone and on other devices you might own, have permission to read text messages. That makes it relatively easy for malicious software to watch for the verification text, capture the code, and complete a login using stolen credentials.

Phone number takeover

Also known as "SIM swapping": in this attack, the attacker contacts the carrier, posing as the owner of the number, and basically says, "I want to assign 'my' (the victim's) old phone number to this other phone. Here's the (victim's) phone number, here's the SIM card number that belongs to my new phone."

Although this type of attack seems like a lot of work, professional hackers are doing it. Some websites are implementing countermeasures such as Prove, which cross-references the phone number provided against the cell phone carrier's billing records for who owns the number, allowing detection of a recent phone-number takeover.

Application MFA

Although this type of MFA is a little more work to set up and maintain, it remains the most secure of the three. The idea is that an app, usually on a phone but sometimes on a laptop, stores a secret that is combined with the current time to generate a short-lived login code. The secret never leaves the device (though some apps do have ways to transfer it to a new phone).

Some popular ones include Google Authenticator (iOS, Android), Microsoft Authenticator, and Symantec VIP. For people who own a YubiKey NFC there's Yubico Authenticator (my personal favorite, since the secrets are stored on a small device on my house/car key ring instead of in my network-accessible phone). Many of the password managers I mentioned above can store these secrets too. And if your workplace already wants you using Duo or Okta for workplace logins, you can often add other sites to those applications as well (though, personal preference, I try not to mix work and personal credentials in case I change jobs later and that workplace app gets blocked).

Authenticating with one of these apps is very similar to the other methods: a short code (2 to 12 digits) is entered into the website after providing a password. But because the code is generated by the app instead of being sent to you, it can't be intercepted in transit.

The attack vector here is obvious: someone with physical access to the device running the app has access to the app's codes. Remote access to these apps, however, is nearly impossible.

As of 2025, Application MFAs are the most secure additional way to prove your identity.

Passkeys for the win

For almost all MFA logins, the user still has to provide a password. Passwords remain a weak form of protection: they are stolen from sticky notes or from server logs, set to something easy to guess like "Password123!" or "11111111", too short, and/or socially engineered by someone purporting to be "Microsoft Technical Support."

Passkey secrets are far longer than any password, can be sent in with a single mouse click or keystroke, and are nearly impossible to intercept in transit (the possible exception being a passkey that is stored in a cloud backup).

Because of their simplicity, passkeys are also very advantageous for situations where accessibility is a factor. Browsers provide access to passkeys through simple controls, no complicated security questions to remember, and no mixed case or symbols that are hidden under a submenu of a touchscreen keyboard.

...if available

But for websites that don't yet support passkeys, application MFA is second-best, and really any MFA is better than a password alone.

Update 1/18/2025:

The day after the original post, I realized there's one more important point I want to make here.

If you have multiple ways to log into an account, your security is only as strong as your weakest login method. That's the method an attacker would likely exploit. For example, if you set up a highly secure passkey but still allow a simple, easily-guessed password as a backup, the password becomes the easiest way in. It's like having a state-of-the-art bank vault door on your front porch, but leaving a back window wide open with a ladder propped up against it. If you enable a strong authentication method like a passkey, be sure to review your account settings and disable any weaker backup options that could be used to circumvent it. These might include things like simple passwords, easily guessed security questions, or SMS-based recovery codes.

Marc J. Miller

Senior Product Manager | Product Strategy | Leadership Coach | Customer Research | Scrum | Technical | Business Requirements | Cybersecurity | Integrity | Transparency | Dedication | Value Metrics | Lean Agile

2 months

Bonus highlight: if you're allowed to set up more than one way to login, your account is only as secure as your *weakest* login option. That's what an attacker would use to get in. So if you have a passkey, that's great, just don't allow a really weak password to circumvent that. It's like having the front door of a bank vault but a back window open with a ladder sticking out of it.

Marc J. Miller

2 months

Highlights: Any multi-factor authentication (MFA) is better than no MFA at all. If you're given a choice in MFA methods, here's what to consider:

1. Email MFA (the website sends you an MFA code) is only as strong as the protection you have for your email account. Make sure that's strong before using any email MFA or it's like leaving the keys sticking out of your front door.
2. Phone MFA is slightly better, and some websites add protection by verifying your ownership of the phone number on file. But text messages are rarely encrypted, and can be intercepted.
3. Using an app like Google Authenticator (several other options are listed in the article) is far better than the above options. The code is generated by your app, and can't be intercepted in transit. It's a little more work to maintain, but worth it.
4. Passkeys are still better than any of the above because they're more secure, faster, and also can be used by many accessibility tools. But as quickly as their popularity is spreading, they're not ubiquitous. Yet.
5. Even with the vulnerabilities of email and phone MFA, turning on any kind of MFA is still better than a password alone.
6. Please get a password manager. With or without MFA, every password should be unique.

Mahin Arafat

Security Operations Analyst | Cloud Security | 8 Years in IT | DevSecOps | CompTIA Security+ | AWS | Azure | Microsoft Sentinel | Vulnerability Management | Incident Response | IAM

2 months

Interesting
