Why SMS OTP Is Not Enough: MFA Methods Ranked by Security
Multi-factor authentication (MFA) is the single most effective control against account takeover. Microsoft reports that MFA blocks over 99.9% of automated account-compromise attacks. But not all MFA methods are equal: some are trivially bypassable by a motivated attacker, and the ones most widely deployed are among the weakest.
This guide ranks every common MFA method and tells you which to use in which scenario.
How Account Takeover Works Without MFA
1. Attacker buys a credential dump (username + password list) on the dark web
2. Runs an automated tool against your login page (credential stuffing), trying each pair
3. Finds valid credentials and logs in
4. Game over
With MFA, step 3 fails: a valid password alone no longer logs the attacker in, because the second factor is also required.
MFA Methods Ranked (Weakest to Strongest)
Tier 5 — Email OTP
How it works: One-time code sent to your email. Weakness: If your email is compromised (which often happens first), this provides zero additional protection. An attacker who has your password likely has your email too. Use for: Low-value services only. Never for email itself.
Tier 4 — SMS OTP
How it works: 6-digit code sent via text message. Weaknesses:
- SIM Swapping: Attacker contacts your mobile carrier, social-engineers them into porting your number to a new SIM. The attacker now receives all your SMS messages.
- SS7 Attacks: Nation-state actors and well-resourced criminals can intercept SMS messages via flaws in the SS7 telecommunications protocol.
- Real-time (adversary-in-the-middle) phishing: The attacker sets up a convincing phishing site that proxies the real login page. The user enters credentials, the proxy submits them to the real site, which sends the SMS OTP; the proxy then prompts the user for that code and relays it before it expires.
Indian context: SIM swapping is common in India, with multiple high-profile cases involving banking fraud via OTP interception.
Use for: Consumer-facing apps where TOTP is not feasible. Better than nothing.
Tier 3 — TOTP (Time-Based One-Time Password)
How it works: A 6-digit code generated by an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) that changes every 30 seconds. Weaknesses:
- Real-time phishing still works: If the user enters the TOTP on a phishing site, the attacker relays it to the real site within the 30-second step (most servers also accept the adjacent step to tolerate clock skew, so the replay window is closer to 90 seconds).
- Shared seed: The seed is a secret known to both the app and the service. If your phone is compromised, or the service's seed database is breached, an attacker can generate valid codes indefinitely.
Strengths: Immune to SIM swapping and SS7 attacks, since nothing travels over the phone network.
Use for: All business accounts that support it. Significantly better than SMS.
Tier 2 — Push Notification MFA (Authenticator App)
How it works: A login attempt triggers a push notification to your phone with "Approve" / "Deny" buttons. Weaknesses:
- MFA fatigue (push bombing): An attacker holding a valid password triggers push notifications repeatedly until the user approves one to stop the noise. This technique was used in the Uber breach of 2022.
- Real-time phishing still works: A proxy site that relays the victim's password to the real service triggers a genuine push, which the victim approves because they believe they are logging in.
Mitigation: Use number-matching push (the user must enter a number shown on the login screen into the app before approving). This defeats blind push bombing; it does not stop a real-time phishing proxy, which can show the victim the number from the real login page.
Use for: Standard enterprise MFA. Microsoft Authenticator and Okta Verify both support number-matching.
Tier 1 — FIDO2 / WebAuthn / Passkeys (Strongest)
How it works: Uses public-key cryptography. At registration your device (or hardware token) generates a key pair for that site; the private key stays on the device and only the public key is sent to the server. To log in, the device signs a fresh challenge from the server, which checks the signature against the stored public key. Strengths:
- Phishing-resistant by design: The credential is bound to the origin (domain). A phishing site at micrsoft.com cannot obtain an assertion for a credential registered to microsoft.com: the browser only offers the credential to its registered domain, and the signed data includes the origin, so a relayed assertion would fail the server's origin check.
- Immune to real-time phishing, SIM swapping, SS7 attacks, and MFA fatigue.
- No shared secret: The server stores only a public key, so a breach of its database yields nothing an attacker can log in with.
Options:
- Hardware tokens: YubiKey 5 (₹4,000–₹8,000), Google Titan Key
- Passkeys: Built into Windows Hello, Apple Touch ID, Android fingerprint — increasingly supported by Google, GitHub, and major services
Use for: Privileged accounts, developers, finance team, executives. Any account where a breach would be catastrophic.
Recommended MFA Strategy by Role
| Role | Minimum MFA | Recommended |
|---|---|---|
| General employee | SMS OTP | TOTP or Passkey |
| Finance / HR | TOTP | Hardware token (YubiKey) |
| IT admin / Developer | Push with number matching | YubiKey |
| C-suite | TOTP | YubiKey + approved device policy |
| Customer accounts | SMS OTP | TOTP option available |
Implementing MFA for AWS
The policy below denies every action except MFA self-enrolment whenever a request carries no MFA. BoolIfExists matters here: requests signed with long-term access keys have no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats the missing key as a match, so those requests are denied as well.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllExceptMfaSetupWithoutMfa",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
For production AWS accounts, mandate MFA for every IAM user with console access. AWS supports FIDO2 security keys (such as a YubiKey) as well as virtual TOTP authenticators; prefer the security key, since a virtual MFA device is TOTP with all the weaknesses described above.
Start with TOTP everywhere today, and migrate privileged accounts to FIDO2 passkeys over the next quarter. Contact BXIM for help implementing enterprise MFA.