Multi-Factor Authentication: Best Practices for 2026
Multi-factor authentication best practices for 2026 — which MFA methods are strongest, how to roll it out at work, and why SMS codes are no longer enough.

MFA Is Not a Checkbox
Most organizations treat multi-factor authentication as a compliance box to check: turn it on, pick SMS, done. That's how you end up with a "protected" system that still gets breached because an attacker SIM-swapped a VP's phone number and walked straight in.
Effective MFA requires thinking about which methods you use, how you deploy them, and what happens when the usual flow breaks. The gap between "we have MFA" and "our MFA actually stops attacks" is significant — and that gap is where most compromises happen.
This guide covers what strong MFA looks like in 2026, how to choose the right method for your situation, and the deployment decisions that make the difference between security theater and real protection.
Why SMS Codes Are No Longer Enough
SMS-based one-time passwords (OTP) were the default second factor for a decade. They worked well enough when the threat model was password reuse. That era is over. Here's why:
- SIM-swapping: An attacker calls your carrier, socially engineers a number transfer to a new SIM, and receives your SMS codes. This attack is well-documented, relatively cheap to execute, and has been used against thousands of individuals — from cryptocurrency holders to corporate executives. Carrier-side protections have improved but remain inconsistent.
- SS7 protocol vulnerabilities: The global telecom signaling protocol (SS7) has known vulnerabilities that allow interception of SMS messages. These attacks require technical resources but are available to state-level actors and organized crime groups.
- Real-time phishing proxies: Tools like Evilginx and Modlishka sit between you and the real website, relaying everything — including your SMS code — in real time. You enter your code on what looks like the real site; the proxy captures it and uses it instantly. SMS 2FA provides zero protection against this attack.
- Malware-based interception: Mobile malware with SMS read permissions can silently forward incoming codes to an attacker. Android's permission model has tightened, but this remains a viable attack vector, especially with sideloaded apps.
SMS isn't worthless — it still blocks automated credential-stuffing attacks that use leaked username/password pairs. But against any targeted or semi-targeted attack, it fails. The NIST Special Publication 800-63B has flagged SMS OTP as a restricted authenticator since 2017. In 2026, the industry consensus is clear: SMS is the floor, not the ceiling.
MFA Methods Ranked by Strength
Not all second factors are equal. Here's where each method stands in terms of actual security, with honest trade-off notes:
| Method | Phishing Resistant | Intercept Resistant | User Friction | Deployment Complexity | Best For |
|---|---|---|---|---|---|
| FIDO2 hardware key | Yes | Yes | Low (tap) | Moderate (key provisioning, loss management) | High-value targets, privileged accounts, admin access |
| Passkeys (device-bound) | Yes | Yes | Low (biometric) | Moderate (platform dependencies, sync questions) | Consumer accounts, workforce with modern devices |
| TOTP authenticator app | No | Yes | Low-moderate (open app, type code) | Low | Universal — works almost everywhere, easy to deploy |
| Push notification (with number matching) | Partially | Yes | Low (tap + verify number) | Moderate (app enrollment, device management) | Organizations using Microsoft/Okta/Duo ecosystems |
| Push notification (basic approve/deny) | No | Yes | Very low | Moderate | Avoid — vulnerable to MFA fatigue attacks |
| SMS OTP | No | No | Low | Low | Last resort when nothing else is supported |
| Email OTP | No | Depends on email security | Moderate (switch apps, wait for email) | Low | Temporary or low-risk accounts only |
The short version: FIDO2 keys and passkeys are the strongest because they're phishing-resistant — the credential is cryptographically bound to the legitimate domain, so a fake login page can't trigger authentication. TOTP apps are the practical middle ground with the widest support. SMS should be phased out for anything you care about.
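To make the "cryptographically bound to the legitimate domain" claim concrete, here is an added example (not code from the original page, and not any vendor's implementation) that models the three WebAuthn checks which defeat a real-time phishing proxy: the credential is scoped to an rpId, the browser writes the true origin into clientDataJSON, and each assertion answers a single-use challenge. The relying party name, origins and the HMAC-based "signature" standing in for the authenticator's real ECDSA key pair are assumptions made for the simulation.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Constructed relying party (the real site).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def register_credential(rp_id):
    """Create a credential scoped to one rpId.

    Real authenticators hold an asymmetric key pair (e.g. ECDSA P-256) and the
    RP stores only the public key. A shared HMAC key stands in for that pair
    here (assumption), so the signature check has the same shape but is not
    real WebAuthn cryptography."""
    return {"id": secrets.token_hex(16), "rp_id": rp_id, "key": secrets.token_bytes(32)}


def rp_id_from_origin(origin):
    # The browser derives the rpId from the origin the user is actually on.
    return urlparse(origin).hostname


def browser_client_data(challenge, origin):
    # The browser, not the page's JavaScript, writes the origin into
    # clientDataJSON. A proxy that relays the page cannot change it.
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()


def authenticator_sign(cred, rp_id, client_data):
    """Sign authenticatorData || SHA-256(clientDataJSON) if the credential is
    scoped to the requested rpId; otherwise refuse (no matching credential)."""
    if cred["rp_id"] != rp_id:
        return None
    flags = b"\x01"                       # UP: user present
    counter = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred["key"], to_sign, hashlib.sha256).digest()


def rp_verify(cred, expected_challenge, client_data, auth_data, sig):
    """The relying party's assertion checks: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred["key"], to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(cred):
    challenge = secrets.token_urlsafe(32)                  # fresh per login
    client_data = browser_client_data(challenge, RP_ORIGIN)
    auth_data, sig = authenticator_sign(cred, rp_id_from_origin(RP_ORIGIN), client_data)
    return rp_verify(cred, challenge, client_data, auth_data, sig)


def login_relayed_through_proxy(cred, proxy_origin="https://login-example.co"):
    """A relay proxy forwards the genuine challenge, but the victim's browser is
    on the proxy's origin, so it asks for a credential scoped to that hostname
    and the authenticator has none. Even if it signed, the origin check fails."""
    challenge = secrets.token_urlsafe(32)                  # fetched from the real site by the proxy
    client_data = browser_client_data(challenge, proxy_origin)
    result = authenticator_sign(cred, rp_id_from_origin(proxy_origin), client_data)
    if result is None:
        return False, f"authenticator has no credential for rpId {rp_id_from_origin(proxy_origin)!r}"
    return rp_verify(cred, challenge, client_data, *result)


def replayed_assertion(cred):
    """A captured genuine assertion is useless later: the challenge is single-use."""
    old_challenge = secrets.token_urlsafe(32)
    client_data = browser_client_data(old_challenge, RP_ORIGIN)
    auth_data, sig = authenticator_sign(cred, RP_ID, client_data)
    new_challenge = secrets.token_urlsafe(32)              # the RP issued a new one for this login
    return rp_verify(cred, new_challenge, client_data, auth_data, sig)
```

Contrast this with a TOTP or SMS code: nothing in a six-digit code says which site it was typed into, so a proxy can forward it unchanged, which is exactly the gap the "Phishing Resistant" column records.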
MFA Fatigue Attacks: A Growing Problem
MFA fatigue (also called "push bombing" or "prompt bombing") is a social engineering attack that targets push-based MFA. The attacker already has the victim's password (from a breach or phishing) and repeatedly triggers push notifications until the user — tired, confused, or trying to make them stop — taps "Approve."
This attack compromised major organizations in 2023–2025, including high-profile breaches where attackers combined push fatigue with social engineering (calling the victim pretending to be IT support: "We see suspicious login attempts — please approve the next prompt to secure your account").
Countermeasures:
- Number matching: The login screen shows a two-digit number; the user must enter that same number in the push notification to approve. This proves the person approving actually initiated the login. Microsoft Authenticator, Okta Verify, and Duo all support this.
- Rate limiting: Limit the number of push prompts per hour. After a threshold, require a different authentication method.
- Anomaly alerting: Flag and investigate accounts receiving multiple denied push attempts — this is almost certainly an attack in progress.
- Move to FIDO2/passkeys: Phishing-resistant methods eliminate this entire category of attack because there's no prompt to approve — the authentication is a cryptographic operation tied to the real website.
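The first three countermeasures fit together in one small service, shown here as an added example that is not from the original page nor from any of the vendors named above. The prompt limit, window length and alert threshold are assumed policy values; the account name and the victim's behaviour in the simulation are constructed.

```python
import secrets
from collections import defaultdict, deque

# Assumed policy values for this example, not any vendor's defaults.
PROMPT_LIMIT = 3             # push prompts allowed per account per window
WINDOW_SECONDS = 3600
DENIED_ALERT_THRESHOLD = 2   # denied or mismatched responses that raise an alert


class PushMfaService:
    def __init__(self):
        self.prompts = defaultdict(deque)    # account -> prompt timestamps in window
        self.denied = defaultdict(deque)     # account -> denial timestamps in window
        self.pending = {}                    # prompt_id -> (account, number)
        self.alerts = []

    def _prune(self, q, now):
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def request_prompt(self, account, now):
        """Called after the password check succeeds. Returns what the login
        screen shows: a prompt with its two-digit number, or an instruction to
        fall back to a non-push method once the rate limit is hit."""
        q = self.prompts[account]
        self._prune(q, now)
        if len(q) >= PROMPT_LIMIT:
            return {"status": "rate_limited", "fallback": "totp_or_fido2"}
        q.append(now)
        number = secrets.randbelow(100)                # displayed on the login screen only
        prompt_id = secrets.token_hex(8)
        self.pending[prompt_id] = (account, number)
        return {"status": "sent", "prompt_id": prompt_id, "number": number}

    def respond(self, prompt_id, approve, entered_number, now):
        """Called from the phone. Approval counts only when the number typed on
        the phone matches the one shown on the login screen."""
        account, number = self.pending.pop(prompt_id)
        if approve and entered_number == number:
            return "approved"
        d = self.denied[account]
        self._prune(d, now)
        d.append(now)
        if len(d) >= DENIED_ALERT_THRESHOLD:
            self.alerts.append({"account": account, "denied_in_window": len(d), "at": now})
        return "denied"


def simulate_push_bombing(attempts=5):
    """An attacker holding the password fires prompts; the victim is not on the
    login screen. The victim rejects two prompts, then gives in and taps
    Approve, but can only guess the number (constructed as a guaranteed wrong
    guess, since the victim never saw the screen)."""
    svc = PushMfaService()
    statuses, approved = [], 0
    for i in range(attempts):
        now = 100 * i
        r = svc.request_prompt("vp@example.com", now)
        statuses.append(r["status"])
        if r["status"] != "sent":
            continue
        tap_approve = i >= 2
        guess = (r["number"] + 1) % 100 if tap_approve else None
        if svc.respond(r["prompt_id"], tap_approve, guess, now) == "approved":
            approved += 1
    return {"statuses": statuses, "approved": approved, "alerts": svc.alerts}


def simulate_legitimate_login():
    """The real user sees the number on the login screen and types it in."""
    svc = PushMfaService()
    r = svc.request_prompt("vp@example.com", now=0)
    return svc.respond(r["prompt_id"], True, r["number"], now=5)
```

In the bombing run the fourth and fifth prompts are never sent, the one tap on Approve fails the number match, and the account shows up in `alerts` after the second denial, which is the signal the SOC should be paging on.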
Choosing the Right MFA Method: A Decision Framework
The "best" MFA method depends on your context. Here's how to choose:
- What do you need to protect? Admin/root accounts, financial systems, and identity providers warrant the strongest available method (FIDO2 or passkeys). Standard user accounts can typically use TOTP. Low-risk internal tools may be fine with push notifications (with number matching).
- What devices do your users have? If everyone has a modern smartphone, authenticator apps and passkeys are viable. If you have field workers with basic phones or shared workstations, hardware keys or SMS may be the only options.
- What's your recovery story? Every MFA method creates a lockout risk. How will users regain access when they lose their phone, forget their key, or get a new device? Design the recovery process before deploying MFA, not after the first support call.
- What does your identity provider support? Your MFA options are limited by what your IdP (Azure AD/Entra, Okta, Google Workspace, etc.) supports. Check supported methods before making promises.
Deployment Best Practices
Rolling out MFA across an organization is as much a change management problem as a technical one. Here's what works:
Start with Privileged Accounts
Enforce the strongest MFA (FIDO2 hardware keys or passkeys) on admin accounts, IT staff, and anyone with elevated access first. These accounts are the primary targets for attackers and the highest-impact if compromised. Don't wait for an organization-wide rollout — protect these immediately.
Communicate Before Mandating
Announce MFA requirements with enough lead time for people to set up. Provide clear instructions for each supported method. Run enrollment sessions (virtual or in-person) where people can ask questions. Users who are surprised by a new login requirement will flood your help desk and bypass the system where possible.
Offer Multiple Methods (with a Minimum)
Let users choose between approved methods — for example, TOTP app or hardware key — but set a floor. "Any MFA except SMS" is a reasonable minimum for most organizations in 2026. Flexibility improves adoption; no minimum undermines security.
Require Backup Methods at Enrollment
When a user enrolls their primary MFA, require them to also register a backup — a second hardware key, backup codes printed and stored, or an alternative phone number (yes, SMS as a backup-only method is a reasonable compromise). The enrollment workflow should not complete until a backup is registered.
Plan for Day-One Lockouts
No matter how well you communicate, some users will show up on mandate day unable to log in. Have a staffed help desk process with identity verification steps ready. Temporary bypass codes (with automatic expiry) can unblock people without undermining the system — as long as bypasses are logged and reviewed.
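The enrollment gate, backup codes and temporary bypasses from the last two sections share the same storage concerns (hash the secret, make it single-use, log every event, expire it), so here is one added example covering both; it is not code from the original page. The pepper, code formats, bypass lifetime and the 48-hour review age are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

BYPASS_TTL_SECONDS = 4 * 3600        # assumption: a bypass code lives four hours
REVIEW_AGE_SECONDS = 48 * 3600       # bypasses older than this go to human review


class RecoveryStore:
    """Per-user MFA enrollment state plus backup codes and temporary bypasses.
    Secrets are stored as peppered HMAC-SHA256 hashes, never in clear."""

    def __init__(self, pepper):
        self.pepper = pepper
        self.primary = {}         # user -> primary method name
        self.backup_hashes = {}   # user -> set of unused backup-code hashes
        self.bypasses = {}        # bypass-code hash -> record
        self.audit_log = []

    def _h(self, secret):
        return hmac.new(self.pepper, secret.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _norm(code):
        # Backup codes are shown as xxxxx-xxxxx; accept them typed in any case.
        return code.replace("-", "").strip().lower()

    def register_primary(self, user, method):
        self.primary[user] = method

    def issue_backup_codes(self, user, count=10):
        """Return fresh one-time codes (40 bits each); plaintext is shown once."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self.backup_hashes[user] = {self._h(self._norm(c)) for c in codes}
        self.audit_log.append(("backup_codes_issued", user, count))
        return codes

    def enrollment_complete(self, user):
        """Enrollment finishes only once a primary AND a backup are registered."""
        return user in self.primary and bool(self.backup_hashes.get(user))

    def redeem_backup_code(self, user, code):
        h = self._h(self._norm(code))
        match = None
        for stored in self.backup_hashes.get(user, set()):
            if hmac.compare_digest(stored, h):     # constant-time per comparison
                match = stored
        if match is None:
            self.audit_log.append(("backup_code_failed", user))
            return False
        self.backup_hashes[user].discard(match)    # single use
        self.audit_log.append(("backup_code_used", user, len(self.backup_hashes[user])))
        return True

    def issue_bypass(self, user, issued_by, now):
        """Help desk issues a short-lived, single-use bypass after identity checks."""
        code = secrets.token_urlsafe(12)
        self.bypasses[self._h(code)] = {
            "user": user, "issued_by": issued_by, "issued_at": now,
            "expires_at": now + BYPASS_TTL_SECONDS, "used_at": None,
        }
        self.audit_log.append(("bypass_issued", user, issued_by, now))
        return code

    def redeem_bypass(self, user, code, now):
        rec = self.bypasses.get(self._h(code))
        if (rec is None or rec["user"] != user
                or rec["used_at"] is not None or now >= rec["expires_at"]):
            self.audit_log.append(("bypass_rejected", user, now))
            return False
        rec["used_at"] = now
        self.audit_log.append(("bypass_used", user, now))
        return True

    def bypasses_for_review(self, now):
        """Anything issued more than 48 hours ago, used or not, gets a human look."""
        return [r for r in self.bypasses.values() if now - r["issued_at"] > REVIEW_AGE_SECONDS]
```

Because `enrollment_complete` is the only thing the login flow should consult, a user who registered TOTP but skipped backup codes is still treated as unenrolled, which is the behaviour the enrollment section asks for.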
MFA for Personal Accounts: A Priority Checklist
If you're securing your own accounts (not deploying for an organization), focus your effort where it matters most:
- Primary email — This is the master key. Password resets for every other account go here. Use the strongest MFA available (FIDO2 key or passkey). Gmail, Outlook, and Proton Mail all support advanced options.
- Password manager — If your vault is compromised, everything is compromised. Use a strong master password plus TOTP or hardware key. Bitwarden, 1Password, and KeePassXC all support 2FA on vault access.
- Financial accounts — Banking, investment, and payment services. Use whatever is the strongest method they support (often TOTP; some banks now support FIDO2).
- Cloud storage — Google Drive, Dropbox, OneDrive, iCloud. These contain documents, photos, and data that enables further compromise if leaked.
- Social media and professional profiles — LinkedIn, GitHub, X. Account takeover here causes reputational damage and can be used for social engineering attacks on your contacts.
- Recovery email and phone — The accounts used for recovery of your primary accounts are themselves high-value targets. Secure them with MFA too.
Real-World Tradeoffs You'll Face
Security guides often ignore the messy realities. Here are the tradeoffs you'll actually encounter:
- "Our users won't carry hardware keys." Probably true for most. TOTP apps on phones are the pragmatic alternative. Reserve hardware keys for high-privilege accounts where you can mandate it.
- "We can't disable SMS because some services only offer SMS." Accept this for those specific services but don't let it set the standard. Use TOTP or better everywhere it's supported; SMS only where there's literally no other option.
- "People keep losing their phones." This is why backup methods and recovery processes matter. Requiring a second method at enrollment (backup codes, secondary device) prevents phone loss from becoming an emergency.
- "Executives don't want the friction." Executives are the most targeted individuals in any organization. If they refuse MFA, they're the biggest security liability. Frame it as risk management, not IT policy. Passkeys with biometric unlock offer a good compromise — the friction is a fingerprint tap.
- "We already have SSO — do we need MFA?" Yes. SSO centralizes authentication, which means a compromised SSO account gives access to everything. MFA on the SSO provider is the most critical single deployment. SSO without MFA is a bigger risk than no SSO at all.
Monitoring and Maintaining MFA
Deploying MFA isn't a one-time project. Ongoing operations matter:
- Review MFA enrollment coverage monthly. New hires, role changes, and account migrations create gaps. Dashboard reporting from your IdP should show enrollment rates by group.
- Audit bypass and exception usage. Temporary bypasses that become permanent are a common backdoor. Set automated expiry and review logs for any bypass older than 48 hours.
- Monitor for anomalous MFA patterns. Multiple failed MFA attempts, MFA from unusual locations, or a sudden change in the registered device — these are signals worth investigating.
- Update methods as support improves. A service that only offered SMS last year might support TOTP or FIDO2 now. Periodically check and upgrade where possible.
- Test your recovery process. Quarterly, have someone simulate a lost device and walk through recovery. If it takes three days and four support tickets, your process needs work.
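The first bullet (enrollment coverage by group) and the floor rule from the deployment section ("any MFA except SMS", strongest method for privileged accounts) can be checked from an IdP export in a few lines. This added example is not from the original page; the export shape, method names, group names and user records are all constructed assumptions.

```python
from collections import defaultdict

# Assumed method names as an IdP export might label them; "backup_codes" is a
# recovery method, not a primary factor, so it does not satisfy the floor.
POLICY_FLOOR = {"totp", "fido2", "passkey", "push_number_match"}   # "any MFA except SMS"
PHISHING_RESISTANT = {"fido2", "passkey"}
STRONG_ONLY_GROUPS = {"admins"}                                    # must be phishing-resistant

# Constructed export: one record per user.
CONSTRUCTED_EXPORT = [
    {"user": "alice", "group": "admins", "methods": ["fido2", "backup_codes"]},
    {"user": "bob", "group": "admins", "methods": ["push_number_match"]},
    {"user": "carol", "group": "engineering", "methods": ["totp"]},
    {"user": "dave", "group": "engineering", "methods": []},
    {"user": "erin", "group": "sales", "methods": ["sms"]},
    {"user": "frank", "group": "sales", "methods": ["sms", "totp"]},
]


def coverage_report(records):
    """Return (per-group rates, per-user findings) for a monthly review."""
    by_group = defaultdict(lambda: {"users": 0, "enrolled": 0, "meets_floor": 0})
    findings = []
    for r in records:
        g = by_group[r["group"]]
        g["users"] += 1
        methods = set(r["methods"])
        if methods:
            g["enrolled"] += 1
        else:
            findings.append((r["user"], "not enrolled"))
        if methods & POLICY_FLOOR:
            g["meets_floor"] += 1
        elif methods:
            findings.append((r["user"], "SMS-only: below policy floor"))
        if r["group"] in STRONG_ONLY_GROUPS and not methods & PHISHING_RESISTANT:
            findings.append((r["user"], "privileged account without phishing-resistant method"))
    report = {
        grp: {**v, "floor_rate": round(v["meets_floor"] / v["users"], 2)}
        for grp, v in by_group.items()
    }
    return report, findings
```

Run against the real export on a schedule, the `findings` list is the work queue: new hires who never enrolled, accounts that drifted to SMS-only, and admins who are still on push.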
Verifying MFA App Downloads
Your authenticator app handles the keys to your digital life. A compromised or counterfeit authenticator app is a nightmare scenario — it could silently exfiltrate your TOTP secrets. Always download from official app stores or vendor websites, and verify checksums when installing desktop applications. Our software download safety guide covers the verification process in detail.
Related Resources
- Software Download Safety — how to verify that the software you install is legitimate
- Downloads — software we host with verification information
- Téléchargement — download section in French