
MFA types and the governance gap teams still miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Passwords are no longer enough, and five MFA types show why stronger factors such as security keys, biometrics, and certificates materially reduce compromise risk, according to StrongDM. The harder question is governance: identity controls must match the actor, access duration, and operational risk, not just add another login step.

NHIMG editorial — based on content published by StrongDM: 5 Types of Multi-Factor Authentication (MFA) Explained

By the numbers:

Questions worth separating out

Q: How should security teams choose between SMS MFA, authenticator apps, and security keys?

A: Start with the sensitivity of the system and the attack paths you most need to stop.

Q: Why do stronger MFA methods matter for privileged access?

A: Privileged accounts create a much larger blast radius if compromised, so the second factor must resist phishing, replay, and prompt abuse.

Q: What do organisations get wrong about MFA fatigue?

A: They treat MFA fatigue as a user annoyance instead of an attacker tactic.

Practitioner guidance

  • Match MFA strength to access risk: Use weak factors only where the business impact of compromise is limited, and reserve security keys or certificates for administrative, regulated, or high-value access paths.
  • Replace blind push approval where fatigue is likely: Where authenticator apps are in use, prefer rolling codes or number matching instead of one-tap prompts that users can approve under pressure.
  • Treat certificates as lifecycle objects: Track certificate issuance, renewal, expiry, and revocation as governance events, with ownership assigned before access is granted and again when access should end.
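An added example of the number-matching push flow the second item above recommends; this is illustrative code written for this post, not StrongDM's or any vendor's implementation, and the class and method names are assumed. The server shows a two-digit number only in the browser session that started the login, the user must type that number into the authenticator, and the challenge is single-use and short-lived, so a flood of pushes cannot be approved by reflex.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: number-matching push MFA on the server side.
# A one-tap "approve" prompt is replaced by a challenge that the user can only
# satisfy by reading the number from the login screen they themselves started.

CHALLENGE_TTL_SECONDS = 60


@dataclass
class PushChallenge:
    challenge_id: str
    user: str
    number: str          # two-digit number shown in the login session only
    issued_at: float
    consumed: bool = False


class NumberMatchingPush:
    """Hypothetical server-side store of pending number-matching challenges."""

    def __init__(self, ttl: int = CHALLENGE_TTL_SECONDS):
        self.ttl = ttl
        self.pending: Dict[str, PushChallenge] = {}

    def create(self, user: str, now: Optional[float] = None) -> PushChallenge:
        # Someone who merely triggers a push never learns the number; it is
        # rendered only to the browser session that initiated the login.
        c = PushChallenge(
            challenge_id=secrets.token_urlsafe(16),
            user=user,
            number=f"{secrets.randbelow(100):02d}",
            issued_at=time.time() if now is None else now,
        )
        self.pending[c.challenge_id] = c
        return c

    def verify(self, challenge_id: str, user: str, entered: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        c = self.pending.pop(challenge_id, None)   # single use: removed on any attempt
        if c is None or c.consumed or c.user != user:
            return False
        c.consumed = True
        if now - c.issued_at > self.ttl:           # expired challenges are never accepted
            return False
        # Constant-time compare; a wrong entry burns the challenge, so there
        # are no free retries against the 100 possible values.
        return hmac.compare_digest(c.number, entered)
```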

What's in the full article

StrongDM's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step comparisons of SMS, authenticator, biometric, security key, and certificate deployment trade-offs.
  • Practical guidance on choosing MFA methods for finance, healthcare, and other regulated environments.
  • Implementation considerations for Zero Trust PAM platforms that manage strong authentication at scale.

👉 Read StrongDM's guide to the five MFA types and their security trade-offs →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Passwords plus weak second factors are no longer a credible security boundary. The article reinforces a long-standing identity problem: once credentials are phished, reused, or socially engineered, the first factor collapses. MFA changes attacker economics, but only the stronger methods materially shift risk for sensitive access. For practitioners, the lesson is that authentication strength must track the value of the target, not the convenience of rollout.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should use digital certificates instead of simpler MFA methods?

A: Digital certificates fit organisations that need time-bounded access, tighter lifecycle control, and stronger assurance than SMS or app-based prompts can provide. They are most useful where access must expire predictably and revocation must be governed carefully. That makes them a strong choice for temporary workers, high-risk systems, and controlled enterprise environments.

👉 Read our full editorial: Multi-factor authentication types show where passwords still fail


