Skip to content

What are the different types of MFA?

Meredith Kreisa headshot
Meredith Kreisa|November 7, 2023
Dog drooling while reading content on laptop
Dog drooling while reading content on laptop

Multifactor authentication (MFA) is a log-in process that incorporates several steps for identity verification. Traditionally, a password is the primary form of authentication with additional MFA methods for added security. 

But you shouldn’t just incorporate the first MFA solution you find and cross your fingers that it works. Before implementing MFA, weigh which MFA method is best for your business. We’ll break down common types of MFA — and their pros and cons — to help you refine your user authentication process. 


Knowledge-based MFA asks the user for something they know. Passwords fall into this category, but they’re not the only options.

Pattern-based authentication 

Pattern-based authentication (PBA) involves drawing a personal identification pattern (PIP) on a grid. Each block of the grid contains random characters. Selecting the predetermined PIP effectively produces a time-based one-time password (TOTP).

Users may love PBA because it’s easy to remember a PIP. That said, to be secure, the pattern must be difficult to guess — no tic-tac-toe-style nonsense. 

Security question 

With this authentication factor, users preselect one or more questions and input their answers. After entering their login credentials, users are then prompted to answer at least one of these questions correctly. 

While security questions are usually easy for users, they’re also quite easy for hackers. Threat actors can often guess answers or just find them on those handy getting-to-know-you surveys all over social media. So if you’re looking to only slightly inconvenience cybercriminals, this is the MFA method for you. 


A possession factor relies on something the user has physical access to in order to confirm their identity. 


SMS-based MFA sends a text with a time-based one-time password to the user’s phone. By entering the TOTP, the user is essentially confirming that they are in possession of the phone associated with the account, thereby verifying their identity.

Most of us are always within arm’s length of our phones, so SMS authentication is incredibly convenient for users. However, SIM swapping, SIM hacking, and lost or stolen devices pose significant cybersecurity risks. In addition, social engineering attempts may convince users to just hand over their TOTP codes. And if any of your users pay per incoming SMS (apparently that’s still a thing), they might get pretty annoyed with the constant charges.

Phone call or email 

Just as you can receive TOTPs via SMS, you can also get them the old-fashioned way: by phone call or email. While these options are generally considered more secure than SMS, they still have their drawbacks. Phone-based TOTPs for MFA can fall victim to SIM swapping (and incur call charges for your users), while email account compromise could also allow cybercriminals to intercept TOTPs.

And, as always, social engineering poses a threat, especially to your most gullible users.

Authentication app 

Once an authentication app is linked to an account and installed on the user’s mobile device, they receive a push notification or a time-based one-time password when they attempt to log in.

Common authentication apps include the following:

  • Google Authenticator 

  • Microsoft Authenticator 

  • Duo Security 

While authenticator apps are generally considered more secure than most other TOTP options, such as SMS, phone calls, or emails, they still have their drawbacks. For instance, you should remind users to save their recovery codes during setup to prevent headaches if they ever lose app access. 

Hardware token 

Hardware tokens are devices used specifically for authentication. They’re often popular in the most high-security settings, such as financial institutions and government agencies. 

Smart card 

A smart card is a physical security token in the form of a card with an embedded chip that stores cryptographic keys. The company issues a smart card linked to the user’s identity, which they then scan via a card reader to access a workstation.

While this MFA method is generally considered highly secure, it’s usually reserved for organizations needing next-level security. The cost of issuing and maintaining smart cards, smart card readers, and the associated software is usually too steep for most businesses.

Key fob 

Key fobs are small devices that fit on a keychain. They have a small screen that generates a time-based one-time password when you press a button. While convenient and portable, they serve the single purpose of generating TOTPs. No multitasking here. Plus, some key fobs rely on replaceable batteries, so you may have to perform ongoing maintenance. 

USB token 

USB tokens store private keys and digital certificates. A user typically connects a USB token to a computer’s USB port and enters a pin to authenticate.

The main drawback is that not all devices have a USB port. That means that users who rely on USB tokens for authentication may be out of luck if a device lacks a port. The risk of loss or theft is also higher than some forms of MFA. Plus, the associated costs can add up.


Inherence-based MFA relies on the user’s personal traits to confirm their identity. 

Biometric authentication 

Biometric authentication relies on the user’s unique biological traits. This type of authentication can take several forms:

  • Fingerprint scan 

  • Facial recognition 

  • Voice recognition 

  • Iris scan 

  • Retina scan 

  • Palm or finger vein pattern recognition 

Some users embrace biometric authentication for one simple reason: It’s easy. But others may push back at the thought of their company tracking their biometric data, which can come across as an invasion of privacy teetering on Orwellian. Additionally, biometrics are historically biased toward white males since this is the demographic traditionally used for programming. Other demographics may experience reduced identification accuracy for voice and facial recognition.

And while biometrics are challenging to replicate or steal, they’re not impossible to compromise. That said, biometrics are often considered more secure than passwords, so they may be worthwhile for MFA if you have the budget and user buy-in. 

Behavioral analysis 

Behavior analysis uses machine learning to create user profiles based on established patterns, such as keystrokes, mouse movements, typing speed, and swiping habits. Basically, it’s a form of adaptive authentication (more on that fun term later). Once the system knows the user’s behavior, it can continuously monitor behavior against the established profile to grant access if it verifies the user’s identity.

Because users don’t have to keep authenticating, they save time. However, behavioral analysis is also quite secure since the authentication is continuous and a user’s behavior is hard to replicate. That said, users may lose access to resources if their patterns change (e.g., they sustain a life-threatening paper cut). Additionally, some folks are pretty creeped out by their employer documenting their behaviors in excruciating detail.


What is MFA?

MFA is an authentication method that prompts users to input at least one extra form of authentication in addition to their password. The idea is that passwords are frequently compromised. Additional authentication methods are much harder for cybercriminals to hack.

What’s the difference between MFA vs. 2FA? 

While MFA incorporates two or more authentication factors, two-factor authentication (2FA) incorporates exactly two. 

How do I choose the best type of MFA? 

Choose the MFA method based on your business needs. For each platform for which you use MFA, consider the following: 

  • Security risks 

  • Convenience 

  • Compliance 

  • Cost 

  • Scalability 

  • Reliability 

  • Your technical capabilities 

What is adaptive authentication?

Adaptive authentication dynamically adjusts requirements based on context. For instance, if a user’s typing speed increases significantly overnight, adaptive authentication may require more forms of authentication than usual to verify that it’s really them and not a nimble-fingered imposter.

The following factors may influence authentication methods for adaptive MFA: 

  • User location 

  • IP address 

  • Device trustworthiness 

  • Day of the week 

  • Time of day 

  • User behavior 

  • Anomaly detection 

MFA and patch management may not seem like closely related topics. And that’s because they aren’t. But they are distant cousins twice removed that both enhance your security posture. So while implementing MFA is critical to protecting your environment, don’t overlook its better-looking cousin, patch management. Effective patch management keeps machines up to date and less susceptible to the latest vulnerabilities. 

And with PDQ, patch management can be one of the easiest parts of your job. (Not counting those rare moments alone in the breakroom with only your thoughts and a fridge full of coworkers’ lunches.) Sign up for a free trial and savor the taste of success. 

Meredith Kreisa headshot
Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.

Related articles