MFA comes in many different forms, and the way it interacts with the end user varies with the vendors and technologies in use.
One-time passwords can be delivered over text message or email, generated locally by a TOTP app, or approved through a push notification sent to a registered device.
Of these options, push is the strongest for security purposes because each approval is tied to a uniquely enrolled device, although it does require that device to have internet connectivity. Unless the enrolled device itself is compromised or stolen, the approval cannot be intercepted in transit. The remaining weakness is the user rather than the channel: an attacker who already has the password can trigger a push and hope a tired or confused user taps approve, which is why number matching and a low tolerance for unexpected prompts matter. Most push systems also offer an offline OTP fallback, which again is bound to that one device rather than being copyable to several, limiting the chance of the secret leaking.
TOTP is the next most secure option. The underlying algorithm (an HMAC over a time counter, producing a fresh code every 30 seconds) has not been broken, and a code is worthless once its interval passes. The weak point is the shared secret, the seed that is usually delivered as a QR code or otpauth URI, rather than the codes themselves: in many organizations that seed is emailed to the user, or users save or share it, and anyone holding a copy can generate the same codes indefinitely. Once a seed has been copied there is no longer any control over which employees or users hold it, and the codes alone give no indication of which copy was used. A TOTP code can also be phished in real time if the user is tricked into typing it into a proxy site.
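The point about the codes versus the seed can be made concrete in code. The following is an added example written for this page, not code from the original post or from any vendor it mentions: a minimal RFC 6238 generator and verifier in Python, checked against the RFC's own test vector seed, plus a parser that pulls the seed out of an otpauth:// enrollment URI of the kind that gets emailed to users. The account name, issuer and seed in that URI are constructed for the demonstration and are not real.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Added example (not from the original post): a minimal RFC 6238 TOTP
# implementation, used to show (a) that a code is just HMAC(seed, time // 30)
# and (b) why a leaked seed is a full compromise: anyone holding the seed
# produces identical codes. RFC6238_SHA1_SECRET is the RFC's published test seed.
RFC6238_SHA1_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, 8-byte big-endian counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = STEP_SECONDS,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, digits: int = 6,
                step: int = STEP_SECONDS, window: int = 1, used_counters=None) -> bool:
    """Verify a submitted code, tolerating +/- `window` steps of clock drift.

    `used_counters` (a set kept by the verifier) makes each counter single-use,
    so a code captured and replayed inside its 30-second interval is rejected.
    """
    base = timestamp // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if used_counters is not None and counter in used_counters:
            continue  # already consumed: treat as a replay
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used_counters is not None:
                used_counters.add(counter)
            return True
    return False


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract the base32 seed from an otpauth://totp/... enrollment URI.

    This is exactly what an emailed or forwarded QR code encodes: whoever can
    read the URI holds the seed and can generate every future code.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore the padding URIs usually omit
    return base64.b32decode(secret)


# Constructed enrollment URI for the demonstration (hypothetical account and seed).
LEAKED_URI = "otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"


def leaked_seed_matches(uri: str, timestamp: int) -> bool:
    """True when a seed recovered from a forwarded URI yields the legitimate user's code."""
    original = base64.b32decode("JBSWY3DPEHPK3PXP")  # what the user's app enrolled
    return totp(secret_from_otpauth_uri(uri), timestamp) == totp(original, timestamp)


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC6238_SHA1_SECRET, 59, digits=8))
    print(leaked_seed_matches(LEAKED_URI, 1_700_000_000))
```

The verifier accepts one step of clock drift on either side, which is the usual compromise between mobile clock skew and exposure, and records consumed counters so the same code cannot be submitted twice. Nothing in the verifier can tell whether the code came from the user's phone or from a copy of the seed recovered from the forwarded URI: the seed, not the 30-second code, is the secret to protect.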
Text message and email are the least secure options: both channels can be intercepted or redirected (SIM swapping, number porting, or a compromised mailbox), especially in targeted attacks, and both deliver a code that a phishing site can relay in real time just like a TOTP code.
Another consideration for maximum security with any form of MFA is not checking the box to "trust this computer" (or "remember this device"). That trust relationship is tracked by a cookie, and presenting the cookie lets the browser skip the MFA prompt. Cookies can be stolen, and session and trust cookies are often among the first things attackers go after when they gain control of a PC. Some attackers will even route their traffic through the victim's PC as a proxy so the session keeps working from the expected device and address, well beyond the life of any single cookie.
Backups of TOTP seeds (the secrets that generate the codes) are an important thing to remember. The best TOTP applications offer encrypted backup and migration of enrolled accounts, so that a user who moves to a newer device, or loses one, does not have to re-enroll every application. Keep in mind that a backup is another copy of the seed and needs to be protected accordingly.
When considering MFA, anything is better than nothing, but the goal should be to maximize security while still granting the access users need. Please feel free to talk to our team to learn more about how we can help take your security to the next level.