TL;DR: Passwords are no longer enough, and five MFA types show why stronger factors such as security keys, biometrics, and certificates materially reduce compromise risk, according to StrongDM. The harder question is governance: identity controls must match the actor, access duration, and operational risk, not just add another login step.
At a glance
What this is: This is a practical overview of five MFA methods, with the key finding that stronger factors materially reduce compromise risk but require different operational trade-offs.
Why it matters: It matters because IAM teams have to choose authentication patterns that fit human users, privileged access, and machine-adjacent workflows without creating new operational gaps.
By the numbers:
- The average data breach cost grew by 10% to $4.88 million in 2024, according to IBM.
- MFA can reduce the likelihood of user account compromise by nearly 99%, according to the article's cited research.
- Researchers at Microsoft cited in the article found that MFA can safeguard user credentials by up to 98.56%.
- Google research cited in the article found that security keys had a 100% success rate against phishing, targeted, and automated bot attacks.
👉 Read StrongDM's guide to the five MFA types and their security trade-offs
Context
Multi-factor authentication is the control pattern that asks for more than a password before granting access. In practice, the article is about how different MFA methods change the security and usability balance for human identity, privileged access, and access into systems that carry material business risk.
The core governance issue is not whether MFA exists, but whether the method matches the risk profile of the identity subject. Human users, privileged admins, and temporary access workflows do not all fail in the same way, so IAM teams need to align authentication strength with the access model rather than treating MFA as a single control category.
The article also reflects a broader identity pattern: stronger authentication can reduce breach likelihood, but weak implementation and poor user experience can create fatigue, bypasses, or lockout risk. That makes MFA a governance decision as much as a technical one.
Key questions
Q: How should security teams choose between SMS MFA, authenticator apps, and security keys?
A: Start with the sensitivity of the system and the attack paths you most need to stop. SMS and email are easy to deploy but weakest against interception and account takeover. Authenticator apps are stronger but can suffer from push fatigue. Security keys offer the best resistance to phishing for high-value access, especially for admins and other privileged users.
Q: Why do stronger MFA methods matter for privileged access?
A: Privileged accounts create a much larger blast radius if compromised, so the second factor must resist phishing, replay, and prompt abuse. Stronger methods such as security keys and certificates reduce the chance that a stolen password alone becomes a full compromise. That makes them better aligned to admin access, sensitive data, and regulated environments.
Q: What do organisations get wrong about MFA fatigue?
A: They treat MFA fatigue as a user annoyance instead of an attacker tactic. Repeated approval prompts can be abused until a distracted user accepts one, which turns the second factor into a bypass. The fix is not more reminders. It is a stronger approval model, fewer blind prompts, and tighter step-up rules for risky access.
Q: Who should use digital certificates instead of simpler MFA methods?
A: Digital certificates fit organisations that need time-bounded access, tighter lifecycle control, and stronger assurance than SMS or app-based prompts can provide. They are most useful where access must expire predictably and revocation must be governed carefully. That makes them a strong choice for temporary workers, high-risk systems, and controlled enterprise environments.
Technical breakdown
How SMS and email MFA fail under account takeover pressure
SMS and email-based MFA add a time-bound code to the password step, which raises the bar for opportunistic attackers but leaves several attack paths open. SIM swapping, mailbox compromise, brute force on weak email accounts, and message interception all reduce its value. The control is easy to deploy, but it depends on the security of the same channels attackers commonly target. In identity terms, it is a low-friction compensating factor, not a strong possession factor.
Practical implication: treat SMS and email MFA as a baseline option for lower-risk access only, not as the default for privileged or sensitive systems.
Authenticator apps, push fatigue, and the human factor in MFA
Authenticator apps improve on SMS because the second factor lives in a dedicated app and often uses rolling codes or push approvals. The downside is that approval prompts can create fatigue, which attackers exploit by flooding users with notifications until they accept one. This is a human behaviour problem as much as a technical one. Where push-based MFA is used, the real control boundary is the user’s ability to distinguish a legitimate prompt from a coercive one.
Practical implication: prefer rolling codes or number matching over blind push approval when you need app-based MFA for high-value accounts.
Security keys and digital certificates as stronger possession factors
Security keys and digital certificates bind access to a physical or cryptographic possession factor, which makes phishing and remote credential replay much harder. Security keys are strongest when the goal is to stop login interception, while certificates are better when access needs a defined validity period and tighter lifecycle control. Certificates also introduce provisioning, revocation, and expiry governance, which turns authentication into an ongoing identity lifecycle issue. For many environments, the control strength is high, but only if issuance and revocation stay current.
Practical implication: use keys or certificates where account compromise would create material blast radius, and pair them with lifecycle processes that prevent stale access.
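A worked model of the possession-factor and lifecycle points above, added here as an example and not code from StrongDM or NHIMG. The relying party issues credentials with a validity window, hands out single-use challenges, and at access time checks revocation, the window, and a response that is bound to the origin the client was actually talking to (real security keys sign client data carrying challenge and origin; HMAC-SHA256 over a per-credential secret stands in for that signature here). `PossessionCredential`, `Verifier`, the origin names and all timestamps are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set

LEGITIMATE_ORIGIN = "https://login.example.test"  # constructed; the only origin the server trusts


@dataclass
class PossessionCredential:
    """Constructed stand-in for a security key or client certificate: a per-credential secret
    the holder never exports, plus a validity window (not_before/not_after as Unix seconds)."""
    credential_id: str
    subject: str
    device_key: bytes  # plays the role of the private key
    not_before: int
    not_after: int


def device_respond(device_key: bytes, challenge: str, origin: str) -> str:
    """Holder side. The response binds the server challenge to the origin the client is
    actually connected to, so a response produced on a look-alike site does not verify
    for the legitimate one."""
    return hmac.new(device_key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Verifier:
    """Relying-party side: issuance, revocation, single-use challenges, access-time check."""
    creds: Dict[str, PossessionCredential] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)
    _challenges: Dict[str, str] = field(default_factory=dict)  # challenge -> credential_id

    def issue(self, subject: str, not_before: int, not_after: int) -> PossessionCredential:
        cred = PossessionCredential(secrets.token_hex(8), subject, secrets.token_bytes(32),
                                    not_before, not_after)
        self.creds[cred.credential_id] = cred
        return cred

    def revoke(self, credential_id: str) -> None:
        self.revoked.add(credential_id)

    def new_challenge(self, credential_id: str) -> str:
        challenge = secrets.token_hex(16)
        self._challenges[challenge] = credential_id
        return challenge

    def verify(self, credential_id: str, challenge: str, response: str, now: int) -> str:
        """Return 'ok' or the first reason the login is refused."""
        cred = self.creds.get(credential_id)
        if cred is None:
            return "unknown"
        if credential_id in self.revoked:
            return "revoked"
        if now < cred.not_before:
            return "not_yet_valid"
        if now > cred.not_after:
            return "expired"
        # Challenge must have been issued to this credential and is consumed on first use,
        # so a captured response cannot be replayed.
        if self._challenges.pop(challenge, None) != credential_id:
            return "bad_challenge"
        expected = device_respond(cred.device_key, challenge, LEGITIMATE_ORIGIN)
        return "ok" if hmac.compare_digest(expected, response) else "bad_response"

    def expired_but_unrevoked(self, now: int) -> List[str]:
        """Lifecycle report: credentials past their end date that nobody formally revoked."""
        return [cid for cid, c in self.creds.items()
                if now > c.not_after and cid not in self.revoked]


if __name__ == "__main__":
    rp = Verifier()
    cred = rp.issue("contractor-alice", not_before=1000, not_after=2000)
    ch = rp.new_challenge(cred.credential_id)
    good = device_respond(cred.device_key, ch, LEGITIMATE_ORIGIN)
    print("genuine login:", rp.verify(cred.credential_id, ch, good, now=1500))
    ch = rp.new_challenge(cred.credential_id)
    relayed = device_respond(cred.device_key, ch, "https://phish.example.test")
    print("response relayed from a look-alike origin:",
          rp.verify(cred.credential_id, ch, relayed, now=1500))
    print("lingering after end date:", rp.expired_but_unrevoked(now=2500))
```

The `expired_but_unrevoked` report is the governance half of the control: a credential past its end date is refused at login, but until someone revokes it and records the offboarding it remains an unowned entitlement, which is the stranded-access problem the lifecycle guidance on this page warns about.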
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Passwords plus weak second factors are no longer a credible security boundary. The article reinforces a long-standing identity problem: once credentials are phished, reused, or socially engineered, the first factor collapses. MFA changes attacker economics, but only the stronger methods materially shift risk for sensitive access. For practitioners, the lesson is that authentication strength must track the value of the target, not the convenience of rollout.
MFA fatigue is a governance failure, not just a UX annoyance. Push-based approvals can be worn down because they depend on human attention at the moment of attack. That means the control is only as strong as the approval behaviour it expects, which is why number matching, rolling codes, and step-up logic matter. Teams should treat user friction as an attack surface when they design authentication policy.
Possession-based MFA creates lifecycle obligations that many programmes underestimate. Security keys and digital certificates are stronger controls, but they only hold if issuance, replacement, expiry, and revocation are managed cleanly. This is where IAM, PAM, and lifecycle governance converge. The practitioner conclusion is simple: a stronger factor with weak lifecycle control becomes a stranded entitlement problem.
Certificate-based access is a time-bound governance model, not just an authentication method. The article’s discussion of digital certificates shows how access can be deliberately scoped with start and end dates. That aligns well with temporary workers and tightly controlled access, but it requires clear ownership for issuance and revocation. For identity teams, certificates are most effective when they are managed as part of a broader access lifecycle, not as a standalone login mechanism.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- The lifecycle gap is why practitioners should pair authentication controls with Ultimate Guide to NHIs guidance on visibility, rotation, and offboarding.
What this signals
Possession factors only work when identity lifecycle is under control. Strong authentication reduces account takeover risk, but long-lived access objects can still linger far beyond their intended use. That is why lifecycle discipline matters as much as factor strength. For teams that manage both human and non-human access, the operational question is whether authentication, provisioning, and revocation are governed as one chain or three disconnected tasks.
MFA programmes often fail at the point where security policy meets real user behaviour. If the method is too weak, attackers get in. If it is too noisy, users learn to approve without thinking. The programme signal to watch is not just adoption rates, but whether the control is actually changing attacker effort and user decision quality.
Identity blast radius: the real measure of MFA value is how much damage remains possible after a credential is stolen. That is why security keys, certificates, and stricter step-up logic deserve priority for privileged access and sensitive workflows, while simpler methods should be limited to low-risk journeys. The next programme step is to map factor strength to business impact, not to login convenience.
For practitioners
- Match MFA strength to access risk: use weak factors only where the business impact of compromise is limited, and reserve security keys or certificates for administrative, regulated, or high-value access paths.
- Replace blind push approval where fatigue is likely: where authenticator apps are in use, prefer rolling codes or number matching instead of one-tap prompts that users can approve under pressure.
- Treat certificates as lifecycle objects: track certificate issuance, renewal, expiry, and revocation as governance events, with ownership assigned before access is granted and again when access should end.
- Review privileged access separately from general workforce login: apply stronger authentication controls to admin and high-risk roles first, then map remaining MFA methods to the actual sensitivity of the system rather than the user population.
Key takeaways
- MFA is most effective when the factor strength matches the value of the access being protected.
- Push fatigue and weak lifecycle processes can undermine otherwise sensible authentication designs.
- Security keys and certificates provide stronger assurance, but only when issuance, revocation, and replacement are governed tightly.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | The post is fundamentally about authentication assurance and factor selection. |
| NIST CSF 2.0 | PR.AC-7 | MFA supports stronger access control and identity verification. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires continuous, risk-based verification at access time. |
Align MFA strength to assurance needs and choose methods that resist phishing for high-risk access.
Key terms
- Multi-factor authentication: A login control that requires two or more different proof types before granting access. In practice, it reduces the chance that a stolen password alone becomes a compromise, but its value depends on whether the second factor is resistant to phishing, fatigue, or channel interception.
- Authenticator app: A mobile or desktop application that generates time-based codes or push approvals for login verification. It usually offers stronger assurance than SMS, but approval-based designs can be weakened by notification fatigue if users are trained to click without thinking.
- Security key: A physical possession factor, usually a hardware token, that proves access by cryptographic challenge rather than by shared secret. It is especially useful for privileged access because remote attackers cannot complete the login without the device in hand.
- Digital certificate: A cryptographic credential issued for a defined period that can be used to prove identity during authentication. It supports stronger, time-bound access control, but only when issuance, renewal, and revocation are managed as part of the identity lifecycle.
Deepen your knowledge
MFA selection, privileged access, and identity lifecycle control are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building stronger authentication policy across human and machine access, it is worth exploring.
This post draws on content published by StrongDM: 5 Types of Multi-Factor Authentication (MFA) Explained. Read the original.
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org