MFA Setup & Best Practices
Set up multi-factor authentication the right way.
What You'll Learn
- Set up multi-factor authentication using an authenticator app and understand why it is more secure than SMS-based codes
- Recognize MFA fatigue (push bombing) attacks and respond correctly by denying unsolicited approval prompts and reporting immediately
- Compare the security properties of SMS, authenticator apps, and hardware keys to make informed MFA choices for different account types
- Store MFA backup and recovery codes in a secure location separate from the device running your authenticator
- Identify phishing-resistant MFA methods like FIDO2/WebAuthn security keys that eliminate the risk of real-time credential relay attacks
Training Steps
- Welcome to Vanguard Financial Services
  Welcome to Vanguard Financial Services! You are Alice, an account manager who handles sensitive client financial data daily. Today, IT Security has announced a company-wide initiative requiring all employees to enable multi-factor authentication (MFA) on their accounts. This training will guide you through setting up MFA and understanding best practices.
- Why Passwords Aren't Enough
  Every year, billions of passwords are stolen in data breaches. Even strong passwords can be compromised through phishing, keyloggers, or credential stuffing attacks. MFA adds a second layer of security. Even if someone steals your password, they cannot access your account without your second factor - something only you have.
- The MFA Initiative Email
  Alice receives an email from IT Security about the new MFA requirement.
- Accessing the Security Portal
  Alice clicks the link to access the Security Portal. This portal allows employees to manage their security settings, including MFA enrollment.
- Logging In to the Security Portal
  The Security Portal login page appears. Alice can use her password manager to securely fill in her credentials.
- Understanding MFA Factors
  The Security Portal displays an overview of multi-factor authentication. MFA requires two or more of these three factor types:
  - Something You Know - passwords, PINs, security questions
  - Something You Have - phone, security key, smart card
  - Something You Are - fingerprint, face recognition, voice
  Combining factors from different categories makes accounts much harder to compromise.
- Viewing MFA Options
  Now that you understand the three factor categories, let's explore the specific MFA options available at Vanguard Financial Services.
- MFA Options: SMS Codes
  The portal shows three MFA options. The first is SMS verification.
  SMS Text Messages
  - A code is sent to your phone via text
  - Easy to set up - just need your phone number
  - Works on any phone that receives texts
  Limitations:
  - Vulnerable to SIM swapping attacks
  - Can be intercepted if phone is compromised
  - Requires cell service
  SMS is better than no MFA, but not the most secure option.
- MFA Options: Authenticator Apps
  The second option is authenticator apps.
  Authenticator Apps (Google Authenticator, Microsoft Authenticator, Authy)
  - Generate time-based one-time passwords (TOTP)
  - Work offline - no cell service needed
  - More secure than SMS - cannot be SIM swapped
  - Codes regenerate every 30 seconds
  Considerations:
  - Requires installing an app
  - Must back up recovery codes - losing your phone means losing access
  Authenticator apps are recommended for most users.
- MFA Options: Hardware Security Keys
  The third and most secure option is hardware security keys.
  Hardware Security Keys (YubiKey, Google Titan, Feitian)
  - Physical device you plug in or tap to authenticate
  - Phishing-resistant - only works on legitimate sites
  - Cannot be remotely intercepted
  - Most secure option available
  Considerations:
  - Requires purchasing a physical key
  - Need a backup key in case of loss
  - Not supported by all services
  Security keys are ideal for high-value accounts like financial systems.
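The following is an added example, not code from the training page or from any key vendor it names. It shows, from the Security Portal's side, what "only works on legitimate sites" means for a FIDO2/WebAuthn key: the browser writes the site's origin into `clientDataJSON`, the key signs `authenticatorData || SHA-256(clientDataJSON)`, and the server refuses the login unless the origin and the `rpIdHash` are its own. A code typed into the wrong site can be forwarded; a signature over the wrong origin cannot be made to pass. The relying-party id and origin are constructed for the scenario, and the final signature check is left out because it needs the user's registered public key and an ECDSA implementation the standard library does not provide; the function returns the exact bytes that signature must cover.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Tuple

# Constructed relying-party identity for the training scenario, not a real deployment.
RP_ID = "vanguard-financial.example"
EXPECTED_ORIGIN = "https://portal.vanguard-financial.example"


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def build_client_data_json(challenge: bytes, origin: str) -> bytes:
    """What the browser hands to the key. The browser, not the page or the user, fills in `origin`."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}).encode()


def build_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    """Minimal authenticator data: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes big-endian)."""
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_assertion_context(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes,
                             expected_origin: str = EXPECTED_ORIGIN, rp_id: str = RP_ID) -> Tuple[bool, str, bytes]:
    """Relying-party checks on a WebAuthn assertion that precede signature verification.

    Returns (accepted, reason, signed_message). `signed_message` is authenticatorData || SHA-256(clientDataJSON),
    the bytes the key signed; verifying that signature with the registered public key is what makes the
    origin field below impossible to forge or swap after the fact.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", b""
    if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type", b""
    try:
        challenge = b64url_decode(str(client_data.get("challenge", "")))
    except (binascii.Error, ValueError):
        return False, "challenge is not valid base64url", b""
    if not hmac.compare_digest(challenge, issued_challenge):
        return False, "challenge does not match the one issued for this login", b""
    origin = client_data.get("origin")
    if origin != expected_origin:
        # This is the phishing-resistance check: a key used on any other site produces a different origin.
        return False, f"origin {origin!r} is not the relying party's origin", b""
    if len(auth_data) < 37:
        return False, "authenticator data too short", b""
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(rp_id)):
        return False, "rpIdHash does not match this relying party", b""
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set (key was not touched)", b""
    signed_message = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_message


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server draws a fresh one from os.urandom per login
    auth = build_authenticator_data(RP_ID)
    genuine = build_client_data_json(challenge, EXPECTED_ORIGIN)
    elsewhere = build_client_data_json(challenge, "https://login.example.net")
    print("genuine portal login:", verify_assertion_context(genuine, auth, challenge)[:2])
    print("same key, other site:", verify_assertion_context(elsewhere, auth, challenge)[:2])
```

The second print shows the property the page is describing: the key is identical, the challenge is identical, yet the assertion is refused because the browser recorded a different origin. The "Need a backup key" consideration also falls out of this design, since the private key never leaves the device and cannot be copied to a replacement.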