Passwords alone are dead. We've known this for years — but the uncomfortable truth is that simply turning on two-factor authentication isn't enough either. The type of MFA your business uses determines whether you're actually protected or just checking a compliance box.
This month I want to break down the most common forms of multi-factor authentication, explain what makes each one strong or weak, and give you a clear answer on what Gulf Coast businesses should actually be using in 2026.
What Is Multi-Factor Authentication?
Authentication is the process of proving you are who you say you are. Traditional authentication relies on a single factor: something you know — your password. Multi-factor authentication adds one or more additional factors from two other categories: something you have (a phone, a hardware key) or something you are (a fingerprint, face ID).
The logic is simple: even if a hacker steals your password, they still can't get in without that second factor. At least, that's the theory. The reality depends entirely on which second factor you're using.
Something you know — password, PIN, security question
Something you have — phone, hardware key, smart card
Something you are — fingerprint, face scan, retina
The Four Main Types — Ranked
Here's an honest look at each authentication method your team is likely encountering, from weakest to strongest.
SMS Text Codes
A six-digit code sent to your phone via text message. Widely used, easy to set up, and deeply flawed. Attackers can intercept SMS codes through SIM swapping — calling your carrier and convincing them to transfer your number to their device. For a determined attacker, the whole process takes less than 30 minutes.
Email-Based Codes
A code sent to your email inbox. Same basic concept as SMS, but now your security chain runs through your email account. If that account is compromised, everything behind it falls. Common in smaller web apps but not recommended for critical systems.
Authenticator Apps (TOTP)
Apps like Microsoft Authenticator, Google Authenticator, and Authy generate time-based one-time passwords (TOTP) that refresh every 30 seconds. The codes are computed locally on your device from a secret shared once at enrollment; no code is ever delivered to you over a network, so SIM swapping is useless against them. They are still vulnerable to real-time phishing if someone tricks you into entering the current code on a fake site.
Hardware Keys & Passkeys
Physical security keys (like YubiKey) and passkeys use cryptographic authentication tied to a specific website. They are phishing-proof by design — a fake login page cannot intercept them because the cryptographic handshake is bound to the real domain. Passkeys are the consumer-friendly version, built into modern phones and browsers.
The SIM Swap Problem — Why SMS MFA Fails
SIM swapping is the attack that catches most small businesses off guard because it exploits something outside their control entirely: your cell carrier's customer service process. An attacker calls your carrier, claims to be you, says they got a new phone, and asks to transfer your number. With basic personal information — often available from a data breach or LinkedIn — they can pull this off.
Once they have your number, every SMS code sent to "you" goes to them. They can reset passwords, bypass MFA, and be inside your Microsoft 365 environment before your morning coffee is done.
I've seen this happen to business owners on the Gulf Coast. A compromised Microsoft 365 account doesn't just expose email — it exposes SharePoint files, OneDrive documents, Teams conversations, and every connected app with single sign-on. One account, everything.
Why Authenticator Apps Are the Right Baseline
Time-based one-time passwords generated by an authenticator app are the right call for most small and mid-size businesses right now. Here's why they work so well in practice:
No network required. The code is computed on your device from a shared secret and the current time. There is nothing to intercept in transit because no code is ever sent to your phone.
Easy to deploy. Microsoft Authenticator integrates directly with Azure AD and Microsoft 365 Conditional Access policies. You can require it for all users in your tenant from the admin center — no third-party software needed.
Number matching and additional context. Microsoft Authenticator now supports number matching (you enter a number shown on the login screen into the app, defeating MFA fatigue attacks) and location context (shows you where the login is coming from). These features close the main gap authenticator apps had.
The one remaining weakness is real-time phishing — an attacker creates a fake Microsoft login page, you enter your credentials, they relay them to the real Microsoft site, and then prompt you for the MFA code in real time. This is called an adversary-in-the-middle (AiTM) attack. It's sophisticated, but it exists, which is why we still recommend hardware keys for high-value accounts.
Hardware Keys and Passkeys — The Gold Standard
A hardware security key like a YubiKey is a small USB or NFC device that you plug in or tap to authenticate. Under the hood it uses the FIDO2/WebAuthn standard, which performs a cryptographic challenge-response tied to the specific domain you're logging into. The key only answers for the domain it was registered with, so a fake site cannot obtain a response the real site would accept — useless to the attacker.
Passkeys bring this same cryptographic model to the secure hardware built into your phone or laptop, unlocked with Face ID, Touch ID, or Windows Hello. When you register a passkey with a site, your device generates a key pair — the private key never leaves your device. To authenticate, you unlock the private key biometrically and it signs the site's challenge. No password, no code, no phishing surface.
Microsoft 365, Google Workspace, and most major enterprise platforms support FIDO2 keys today. For any account with admin privileges, billing access, or sensitive data, hardware keys should be mandatory — not optional.
MFA Fatigue — The Attack You Haven't Heard Of
There's a newer attack worth knowing about: MFA push fatigue. If you're using push notification MFA (tap Approve/Deny on your phone), an attacker who has your password can simply spam your phone with approval requests until you tap Approve by accident or out of frustration.
This is how Uber was breached in 2022. An attacker obtained credentials, bombarded a contractor with MFA push notifications late at night, then messaged them on WhatsApp pretending to be IT support, and the contractor approved the request.
The fix: enable number matching in Microsoft Authenticator (now on by default in most tenants), and consider switching high-privilege accounts to FIDO2 keys where push notifications aren't involved at all.
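Beyond turning on number matching, the pattern behind a push-fatigue attempt is visible in sign-in logs. The following is an added example, not code from the original post: a small detector that flags a user who receives a burst of unanswered push prompts within a short window, and flags it again if an approval follows that burst. The log records and the field names (user, time, mfa) are constructed for the example and are not the real Entra sign-in log schema; the thresholds are assumptions to tune.

```javascript
// Added example (not from the original post): push-fatigue pattern detection over sign-in records.
// Constructed sample data: five unanswered prompts in six minutes, then an approval, for j.doe.
const signIns = [
  { user: 'j.doe@example.com', time: '2025-03-04T02:11:05Z', mfa: 'denied' },
  { user: 'j.doe@example.com', time: '2025-03-04T02:12:10Z', mfa: 'timeout' },
  { user: 'j.doe@example.com', time: '2025-03-04T02:13:02Z', mfa: 'denied' },
  { user: 'j.doe@example.com', time: '2025-03-04T02:14:40Z', mfa: 'timeout' },
  { user: 'j.doe@example.com', time: '2025-03-04T02:15:33Z', mfa: 'denied' },
  { user: 'j.doe@example.com', time: '2025-03-04T02:17:21Z', mfa: 'approved' },
  { user: 'a.smith@example.com', time: '2025-03-04T08:00:00Z', mfa: 'timeout' }, // one miss, then approval: normal
  { user: 'a.smith@example.com', time: '2025-03-04T08:01:00Z', mfa: 'approved' },
  { user: 'b.lee@example.com', time: '2025-03-04T09:00:00Z', mfa: 'denied' },   // two denials hours apart: normal
  { user: 'b.lee@example.com', time: '2025-03-04T11:00:00Z', mfa: 'denied' },
];

// Flags 'push-burst' when `prompts` or more prompts go unanswered (denied/timed out) within
// `windowMin` minutes, and 'approved-after-burst' when an approval lands inside such a window.
function pushFatigueAlerts(records, { prompts = 5, windowMin = 10 } = {}) {
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push({ ...r, t: Date.parse(r.time) });
  }
  const alerts = [];
  for (const [user, list] of byUser) {
    list.sort((x, y) => x.t - y.t);
    let burstReported = false;
    for (let i = 0, start = 0; i < list.length; i++) {
      while (list[i].t - list[start].t > windowMin * 60000) start++; // slide the window forward
      const unanswered = list.slice(start, i + 1).filter((x) => x.mfa !== 'approved').length;
      if (unanswered >= prompts && !burstReported) {
        alerts.push({ user, kind: 'push-burst', at: list[i].time, prompts: unanswered });
        burstReported = true;
      }
      if (list[i].mfa === 'approved' && unanswered >= prompts) {
        alerts.push({ user, kind: 'approved-after-burst', at: list[i].time, prompts: unanswered });
      }
    }
  }
  return alerts;
}
```

On the sample above the detector returns two alerts, both for j.doe, and nothing for the two normal users.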
What MTDS Recommends for Gulf Coast Businesses
Here's the practical breakdown based on account type:
Standard employee accounts — Microsoft Authenticator with number matching enabled. Configure this through Azure AD Conditional Access to require MFA for all sign-ins, including from inside the office.
Admin and IT accounts — FIDO2 hardware key (YubiKey 5 Series, around $50–$70 each) as the primary factor. Passwordless where possible. No SMS under any circumstances.
Finance, HR, or executive accounts — Same as admin. These are the accounts attackers specifically target for business email compromise (BEC) fraud.
Legacy systems that can't support modern MFA — These need to be isolated, and a plan needs to exist to migrate or retire them. An old line-of-business app that only supports passwords is a liability.
Turn off SMS MFA on your Microsoft 365 tenant today. Replace it with Microsoft Authenticator. For your admin accounts, get hardware keys. These two changes will put you ahead of the vast majority of small businesses on the Gulf Coast when it comes to credential security.