After this lesson, you will be able to: Compare MFA methods (TOTP, SMS, push, hardware keys), and identify the realistic attacks against each.
Multi-factor authentication is the single biggest defense upgrade most accounts can make. But not all MFA is equal. SMS is far weaker than a hardware key. This lesson breaks down each method and the attacks they do (and don't) stop.
Authentication factors fall into three categories: something you know (a password, PIN), something you have (a phone, hardware key), and something you are (fingerprint, face). MFA combines two or more factors of different types. Two passwords aren't MFA, they're both 'know' factors.
Time-based One-Time Password apps (Google Authenticator, Authy, 1Password) generate a six-digit code every 30 seconds based on a shared secret and the current time. TOTP is offline, free, and resistant to most attacks. It's the recommended baseline for any account that supports it.
A physical USB or NFC key (YubiKey, Google Titan) that performs a cryptographic challenge. Hardware keys are phishing-resistant, they verify the website's domain before responding, so a fake login page gets nothing. Required for high-value targets; strongly recommended for everyone running anything important.
Push-fatigue attacks: spam approval requests until the user taps Allow out of frustration. Adversary-in-the-middle (AiTM) phishing: capture the session cookie after the user completes MFA on a fake site. MFA-bombing combined with social engineering still works against many users, defense is to enforce phishing-resistant MFA wherever possible.
Think about which method survives phishing, push-fatigue, and SIM-swap attacks.
Sign in and purchase access to unlock this lesson.