MFA Methods Compared: SMS, Authenticator Apps and FIDO2 Keys
Why SMS MFA is no longer enough, where authenticator apps fall short, and when FIDO2 security keys are worth the spend.
Not all MFA is created equal. In 2026 the gap between SMS codes and phishing-resistant keys is the difference between "ticked the compliance box" and "actually stopping an attacker". Here's an honest comparison of the three MFA methods you'll choose between.
SMS / voice codes
Better than nothing — but only just. SIM-swap attacks against Australian mobile numbers are well-documented, and adversary-in-the-middle phishing kits capture SMS codes in real time. NIST has been recommending against SMS as a primary factor since 2017. Use it only as a fallback when stronger methods aren't possible.
Authenticator apps (Microsoft Authenticator, Google Authenticator, Duo)
The current sensible default for most staff. Push notifications with number-matching (turned on by default in Microsoft Authenticator since 2023) defeat most MFA-fatigue attacks. Still vulnerable to adversary-in-the-middle (AiTM) phishing, because the user types the code, or approves the push, on a fake site that relays the real login in the background.
Verdict: good baseline for all staff. Always enable number-matching and geographic context.
FIDO2 security keys and passkeys
Phishing-resistant by design — each credential is scoped to the legitimate domain, and the browser signs the real page origin into every login response, so an Evilginx-style fake login page simply cannot complete the handshake. Options include YubiKeys, Feitian, Windows Hello for Business, and platform passkeys on iOS/macOS.
Cost is roughly $70–$110 per YubiKey 5 series in Australia. For privileged accounts and finance staff, that's the cheapest insurance you'll buy this year.
What we recommend in 2026
- Every user: Microsoft Authenticator with passkey enabled, number-matching on.
- Admins, finance, executives: two FIDO2 keys each (primary + backup), no SMS fallback.
- Break-glass accounts: two FIDO2 keys stored in a physical safe, paper recovery code in a separate safe.
Set up Conditional Access to require phishing-resistant MFA for any administrative role. Microsoft made this a one-click policy in late 2025 — use it.
