Child pages
  • MFA Technologies, Threats, and Usage

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


AuthN Type NumberAuthentication FactorResistance to Threat
  (Phishing, etc.)
Theft via Dynamic MITM  PhishingGuessing / Offline CrackingMFA Device
User Workstation Compromise
2Phone call - See Voice Requirements note 1LowLowHighLowHigh
3Phone call (VoIP) See Additional
 VoIP Restrictions, note 2
5SMS (VoIP) See VoIP restrictions, note 2LowLowMediumLowHigh
6HOTP cell phone software see notes 1 ,and 3MediumLowHighMediumHigh
7TOTP cell phone software 1,see notes1 and 3MediumLowHighMediumHigh
8HOTP tokenMediumLowHighHighHigh
9TOTP tokenMediumLowHighHighHigh
10HOTP written (back up codes)LowLowHighHighLow
11DUO Push see note 3HighLowHighMediumHigh
12FIDO U2F token with passwordHighHighHighHighHigh
13PKI device certificate with
  device password
14PKI token certificate with token


  1. Voice Restrictions: Institutions deploying a phone call based solution for one of their authentication factors must incorporate multi-factor authentication concepts into their security awareness training.  Specifically, a prohibition on configuring voicemail greetings to respond to MFA prompts must be in-place and discussed in training.  Training should also include the prohibition against using Enterprise passwords on personal devices.
  2. Additional VoIP Restrictions: The use of VoIP systems (or traditional PBX solutions) that use the Enterprise password for call control or call redirection may not be used.  The creators of this document note that accessibility needs can often be addressed using a hardware token instead of a voice-based solution.

  3. Campus deployers should pay careful attention to cell phone security.  Some data sources report that the majority of Android devices are not updated and are thus highly vulnerable.  Some vendors have the ability to restrict MFA use to fully patched cell phones.  This table assumes that cell phones used for MFA are receiving software updates.


ItemMFA Type Number(s)
from Table 1
Standard MFA Profile (anti-phish - replace
Stronger MFA Profile (could
  support a stronger LoA)
11 plus any one of 2-14Yesn/a - see below
51 and plus any one of 12-14YesYes