MFA factor comparison — phishing-resistance scoring

askmeidentity · MFA factors · 2026-05-22

MFA factor comparison — phishing-resistance scoring

A printable single-page comparison of MFA factors — passkeys, hardware tokens, push, OTP, SMS, voice — scored on phishing-resistance, user friction, deployment cost, and whether auditors accept them as "strong" auth.

Scoring legend

Phishing-resistance: ★★★★★ = fully phishing-resistant (cannot be relayed); ★ = trivially phishable
Friction: ★ = instant + invisible; ★★★★★ = requires deliberate user action with physical device
Cost: ★ = free / included with platform; ★★★★★ = high per-user hardware cost
Auditor acceptance: ★★★★★ = accepted at all AAL levels; ★ = below baseline for any modern AAL

Phishing-resistant factors

FIDO2 security key (YubiKey, Feitian)	Phish ★★★★★ · Friction ★★★ · Cost ★★★★ · Audit ★★★★★
Platform passkey (Touch ID, Windows Hello, Android)	Phish ★★★★★ · Friction ★ · Cost ★ · Audit ★★★★★
PIV / CAC smart card	Phish ★★★★★ · Friction ★★★★ · Cost ★★★★ · Audit ★★★★★ (federal baseline)
Cert-based (mTLS)	Phish ★★★★★ · Friction ★★ · Cost ★★★ · Audit ★★★★★

Strong but phishable factors

Microsoft Authenticator / Okta Verify push + number match	Phish ★★★ · Friction ★★ · Cost ★ · Audit ★★★★
TOTP / HOTP (Google Authenticator)	Phish ★★ · Friction ★★ · Cost ★ · Audit ★★★★
OATH OTP hardware token (RSA SecurID, YubiKey OTP)	Phish ★★ · Friction ★★★ · Cost ★★★★ · Audit ★★★★
Risk-based (Conditional Access — device + geo + behavior)	Phish ★★★ · Friction ★ · Cost ★★ · Audit ★★★ (as 2nd factor, not 1st)

Weak factors (avoid for new programs)

Push notification (no number match)	Phish ★ · Friction ★ · Cost ★ · Audit ★★ (vulnerable to MFA fatigue)
SMS / voice OTP	Phish ★ · Friction ★★ · Cost ★★ · Audit ★ (NIST deprecates for restricted use)
Email magic link	Phish ★ · Friction ★★ · Cost ★ · Audit ★ (only as good as the email account)
Security questions / KBA	Phish ★ · Friction ★★★ · Cost ★ · Audit ★ (NIST advises against)

AAL mapping (NIST 800-63B)

AAL1	Single factor	Any reasonable factor
AAL2	Two factors	Resistant to phishing for primary auth (push + number match acceptable)
AAL3	Hardware crypto authenticator	FIDO2 / smart card / PIV — phishing-resistant required

Decision rules

Privileged users: AAL3 — FIDO2 or PIV only. No exceptions.
Regular workforce: AAL2 minimum — push with number match acceptable for now, FIDO2 / passkeys for greenfield.
External / customers: passkeys are the new default. OTP / SMS only as fallback during rollout.
Help-desk MFA reset is the social-engineering vector. Tighten that workflow even if the factors are strong.

askmeidentity · MFA factors · 2026-05-22

MFA factor comparison — phishing-resistance scoring

Scoring legend

Phishing-resistance: ★★★★★ = fully phishing-resistant (cannot be relayed); ★ = trivially phishable
Friction: ★ = instant + invisible; ★★★★★ = requires deliberate user action with physical device
Cost: ★ = free / included with platform; ★★★★★ = high per-user hardware cost
Auditor acceptance: ★★★★★ = accepted at all AAL levels; ★ = below baseline for any modern AAL

Phishing-resistant factors

FIDO2 security key (YubiKey, Feitian)	Phish ★★★★★ · Friction ★★★ · Cost ★★★★ · Audit ★★★★★
Platform passkey (Touch ID, Windows Hello, Android)	Phish ★★★★★ · Friction ★ · Cost ★ · Audit ★★★★★
PIV / CAC smart card	Phish ★★★★★ · Friction ★★★★ · Cost ★★★★ · Audit ★★★★★ (federal baseline)
Cert-based (mTLS)	Phish ★★★★★ · Friction ★★ · Cost ★★★ · Audit ★★★★★

Strong but phishable factors

Microsoft Authenticator / Okta Verify push + number match	Phish ★★★ · Friction ★★ · Cost ★ · Audit ★★★★
TOTP / HOTP (Google Authenticator)	Phish ★★ · Friction ★★ · Cost ★ · Audit ★★★★
OATH OTP hardware token (RSA SecurID, YubiKey OTP)	Phish ★★ · Friction ★★★ · Cost ★★★★ · Audit ★★★★
Risk-based (Conditional Access — device + geo + behavior)	Phish ★★★ · Friction ★ · Cost ★★ · Audit ★★★ (as 2nd factor, not 1st)

Weak factors (avoid for new programs)

Push notification (no number match)	Phish ★ · Friction ★ · Cost ★ · Audit ★★ (vulnerable to MFA fatigue)
SMS / voice OTP	Phish ★ · Friction ★★ · Cost ★★ · Audit ★ (NIST deprecates for restricted use)
Email magic link	Phish ★ · Friction ★★ · Cost ★ · Audit ★ (only as good as the email account)
Security questions / KBA	Phish ★ · Friction ★★★ · Cost ★ · Audit ★ (NIST advises against)

AAL mapping (NIST 800-63B)

AAL1	Single factor	Any reasonable factor
AAL2	Two factors	Resistant to phishing for primary auth (push + number match acceptable)
AAL3	Hardware crypto authenticator	FIDO2 / smart card / PIV — phishing-resistant required

Decision rules

Privileged users: AAL3 — FIDO2 or PIV only. No exceptions.
Regular workforce: AAL2 minimum — push with number match acceptable for now, FIDO2 / passkeys for greenfield.
External / customers: passkeys are the new default. OTP / SMS only as fallback during rollout.
Help-desk MFA reset is the social-engineering vector. Tighten that workflow even if the factors are strong.

MFA factor comparison — phishing-resistance scoring

MFA factor comparison — phishing-resistance scoring

Scoring legend

Phishing-resistant factors

Strong but phishable factors

Weak factors (avoid for new programs)

AAL mapping (NIST 800-63B)

Decision rules

All printable references in one place.

MFA factor comparison — phishing-resistance scoring

MFA factor comparison — phishing-resistance scoring

Scoring legend

Phishing-resistant factors

Strong but phishable factors

Weak factors (avoid for new programs)

AAL mapping (NIST 800-63B)

Decision rules

All printable references in one place.