What’s the Difference Between Multi-Factor Authentication Options? (SMS, App, Security Key)

What's the Difference Between Multi-Factor Authentication Options? (SMS, App, Security Key)

Cloud adoption is nearly complete in Canada, with 92% of all businesses here using public cloud services. Cloud-based tools have become indispensable during the pandemic because they make business processes and data available from anywhere.

But with the flexibility of the cloud services also comes new security challenges. One of the biggest dangers with online environments is password breaches. All too often business SaaS tools (Microsoft 365, Google Workspace, Salesforce, etc.) are only protected by user passwords, and unfortunately, people often adopt poor password habits.

Some of these bad habits that put company cloud accounts at risk are:

  • Reusing passwords across multiple accounts
  • Never changing passwords
  • Using weak passwords
  • Storing passwords in non-secure ways
  • Emailing or texting passwords

It only takes a hacker an average of 10 minutes to hack an all-lowercase password that is 6 characters long.

One breach of a cloud account can lead to a ransomware infection, data breach, having email compromised, and more. The best way to protect cloud accounts is by applying multi-factor authentication (MFA), which can be up to 100% effective at blocking fraudulent sign-in attempts, even if the hacker has the password. 

Comparing Different Forms of MFA

MFA is one of those “must-have” security best practices in a cloud environment. Part of the process of implementing multi-factor authentication is understanding how the methods of MFA differ in convenience and security.

Companies often need to balance user convenience and data security needs, because if a new security process is too time consuming for employees, they’ll be resistant to using it. However, there is certain information that may require more security, such as the login to an online banking account.

Knowing the differences between MFA methods can help you choose the best method according to account sensitivity and team workflow. Here’s an overview of the three main methods.

Receiving the MFA Code by Text/SMS

The most common method and one many people use for their personal cloud accounts is to receive the multi-factor authentication code by text message to a specific cell phone number.

This is also the most convenient method for users because there’s no app to download, and people are used to getting text messages on their phones, so there’s not much of a learning curve.

However, because malware can be used to clone sim cards, this method is slightly riskier than the other two. If a hacker was able to clone the sim card for a phone or if a user failed to change the MFA prompt before recycling their mobile number, an account could be compromised.

In a study on MFA cited by Google, receiving the MFA code by text was between 76% – 100% effective at blocking hackers, depending upon the attack method used. 

Study on MFA effectiveness by Google

Receiving the MFA Code by On-Device Prompt

The next most common method of receiving the MFA code is from an on-device prompt through a multi-factor authentication app. This form is more secure because the receipt of the code isn’t tied to the mobile phone number.

It does involve downloading an app and then connecting the app to the cloud services being used with MFA, so there is slightly more setup involved and users may have to learn how to use the app. But this form is also very convenient for users.

In the Google MFA study, receiving the code by on-device prompt was between 90% – 100% effective at blocking fraudulent sign-in attempts.

Using a Security Key to Authenticate MFA

The most secure method of MFA is using a security key to authenticate the login code. In this case, the company would purchase a small “key” for each employee that would be inserted into their computer or mobile device to authenticate the login.

This form of multi-factor authentication is more expensive than the others because a physical device key needs to be purchased. Just like with an authentication app, the key needs to be set up with each cloud account.

This method is the least convenient because users need to carry around a small key. These come in all sizes, with some the size of a USB drive, and others just a fraction of that size. This could lead to keys getting lost, causing login problems while the issue was sorted out.

However, because this method is 100% effective at all three attack types that the Google study looked at, it’s an excellent option to use for the most sensitive accounts your company has, such as any dealing with banking, accounting, or highly confidential information. 

Get Help Implementing the Best MFA Process for Your Team

Dynamix Solutions can help your Toronto or Calgary business choose and deploy the best MFA solution for your team and account security. We can also introduce single sign-on (SSO) to make logins take less time. 

Contact us today to schedule a consultation! Call Toll Free: 1 (855) 405-1087 or reach out online.