Multi Factor Authentication Methods: App, SMS, Passkeys, and Hardware Keys
Multi factor authentication is a security system that requires more than one method of authentication to verify a user’s identity before they gain access to an account, application, or system. Instead of relying on a password alone, as has traditionally been the case, multi factor authentication combines multiple authentication factors so that compromised credentials on their own are not enough to break in.
As cyber threats continue to evolve, authentication has become the primary control point in modern cloud environments. Multi factor authentication is now a core component of secure access, identity and access management, and regulatory compliance frameworks.
This guide explains the most common MFA methods, how the authentication process works, and how we implement multifactor authentication within Microsoft 365 and Azure environments.
What Is Multi Factor Authentication?
Multi factor authentication, sometimes written as multifactor authentication or simply MFA, requires users to provide multiple factors from independent categories to verify their identity.
The three primary authentication factors are:
Something you know, such as a password or PIN
Something you have, such as a mobile device, a security token or a hardware key
Something you are, such as biometric verification using a fingerprint scan or facial recognition
Any combination of two or more factors qualifies as multi factor authentication. Two factor authentication uses only two factors. Multi factor authentication can use additional authentication factors where risk justifies it.
By requiring multiple factors, MFA significantly reduces the risk that attackers can gain access using stolen usernames and passwords alone. This is particularly important in environments such as schools managing student data, NHS organisations handling patient records, and local authorities responsible for citizen services.
How the Authentication Process Works
When a user attempts to sign in, the authentication process typically follows these steps:
The user enters their username and password, usually the knowledge factor.
The system evaluates the login attempt, considering location, device posture, behaviour and risk signals.
If required, the system prompts for additional authentication such as a one-time password, push approval, passkey verification, or hardware key interaction.
Only after successful completion of all required authentication steps is the user granted access.
Modern platforms such as Microsoft Entra ID support adaptive authentication and risk based authentication. This means authentication requirements can change depending on context.
In practice, we configure Conditional Access policies within Microsoft Entra ID to reflect how users actually access systems across Microsoft 365 and Azure, so authentication requirements adapt without disrupting day-to-day use.
The Main MFA Methods Explained
Organisations typically choose from several common MFA methods. Each authentication method has different strengths and trade-offs depending on user roles and risk levels.
SMS Verification and Voice Codes
SMS verification sends a one-time password to the user’s mobile phone during a login attempt. The user enters the verification code into the sign-in page to complete authentication.
This is one of the most widely recognised MFA methods because it is easy to deploy and requires no additional app installation.
However, SMS can be vulnerable to SIM swapping and interception. If an attacker gains control of a phone number, they may intercept authentication messages. For this reason, when configuring Microsoft 365 environments, we typically restrict SMS to lower-risk scenarios or use it only as a fallback authentication method.
Authenticator Apps
An authenticator app, such as Microsoft Authenticator, generates a time-based one-time password using the TOTP standard. The code refreshes every 30 seconds and is generated locally on the user’s mobile device.
During setup, the user scans a QR code to register the app.
Benefits include:
More resistant to SIM swap attacks
Works offline
Easy deployment across Microsoft 365 users
Push notifications allow users to approve a sign-in request directly on their mobile device. For most users, we deploy Microsoft Authenticator as the standard MFA method, as it integrates directly with Entra ID and supports Conditional Access policies.
Passkeys
Passkeys are based on FIDO2 standards and represent a move towards passwordless multi factor authentication.
They combine a possession factor, the user’s device, with biometric verification or a PIN. The private key is stored securely on the device and never shared.
We implement passkeys within Microsoft environments where passwordless authentication is appropriate, particularly for administrative or high-risk accounts where phishing resistance is required.
Hardware Keys and Security Tokens
Hardware keys are physical devices that connect via USB, NFC, or Bluetooth and use cryptographic verification.
These are among the strongest MFA methods available and are typically deployed for:
administrative access
finance systems
privileged roles
Within our cloud security deployments, hardware tokens are used where stronger assurance is required, particularly in regulated environments.
What Is the Best MFA Method?
There is no single best authentication method for every organisation.
Phishing-resistant methods such as passkeys and hardware tokens provide the strongest protection. Authenticator app-based multi factor authentication offers a practical balance between security and usability.
The best approach is usually layered:
hardware tokens or passkeys for privileged users
authenticator app for general users
risk based authentication through Conditional Access
secure account recovery processes
This approach is typically implemented as part of a wider Microsoft 365 and Azure security configuration rather than as a standalone control.
How We Help Organisations Implement MFA
At ICTn, we design and implement multi factor authentication as part of a structured Microsoft cloud security strategy. We define authentication requirements based on role, risk and data sensitivity, then enforce them through Microsoft Entra ID Conditional Access, adaptive authentication and phishing-resistant MFA methods such as passkeys and hardware tokens.
We integrate multi factor authentication into our wider Cloud Managed Services framework, aligning identity protection with endpoint security, monitoring and governance across Microsoft 365, Azure and hybrid environments. This ensures access is granted based on context, device posture and real-time risk rather than static rules.
Our focus is long-term effectiveness. We secure account recovery processes, monitor authentication activity for anomalies, and continually refine policies as threats evolve so that MFA remains a resilient and reliable control.
Summary
Multi factor authentication is one of the most effective ways to reduce the risk of account compromise. By requiring multiple factors, it protects against password reuse, phishing attacks and credential theft.
Whether using an authenticator app, SMS verification, passkeys or hardware tokens, the strength of multi factor authentication depends on how it is implemented and managed.
For organisations operating in Microsoft cloud environments, ICTn provides the structure and oversight needed to implement multifactor authentication in a way that enhances security without disrupting users.
