IAM Capability · MFA

Multi-Factor Authentication

A password tells you what someone knows. MFA tells you what they actually have. That distinction makes the difference between an account that gets stolen and one that doesn't.

The Problem

Passwords Are Broken. We Have Known This for Thirty Years.

The problem with passwords is not that they are a bad idea. The problem is that they depend entirely on secrecy, and maintaining that secrecy, across dozens of accounts, for years at a time, is something human beings are simply not built for. Passwords get reused. They get phished. They get captured by keystroke loggers. They get leaked in data breaches at third-party services the user barely remembers signing up for. And once a password is compromised, the attacker has everything they need to impersonate you completely.

Multi-factor authentication changes the equation by requiring a second, or third, proof of identity that is independent of the password. Even if an attacker has your password, they cannot log in without also possessing your phone, your hardware token, or your fingerprint. The password's compromise becomes significantly less catastrophic because it is no longer sufficient on its own.

Microsoft reports that MFA blocks 99.9 percent of automated account compromise attacks. That number is not surprising once you understand what those attacks look like: credential stuffing bots testing millions of username-password pairs from breach databases. Those bots can try passwords all day. Without the second factor, they cannot proceed: the attack fails at the point where it would otherwise succeed.

99.9%

Of automated account attacks blocked by MFA (Microsoft data)

80%

Of breaches that involve compromised credentials

15 min

Average time for attackers to exploit a freshly compromised account

The Framework

Three Categories of Proof. Use At Least Two.

FACTOR 1

Something You Know

Passwords, PINs, security questions. The traditional factor. Necessary but not sufficient on its own: knowledge can be stolen, guessed, or phished.

FACTOR 2

Something You Have

Your phone, a hardware token, a smart card. An attacker needs to physically possess this device or compromise it remotely to use the factor. Significantly raises the attack cost.

FACTOR 3

Something You Are

Fingerprints, face recognition, voice patterns. Biometric factors are the hardest to steal and most difficult to fake at scale, though not impossible under sophisticated attacks.

MFA Methods

Not All Second Factors Are Equal

Push Notification (App-Based)

A login attempt appears on your phone via an authenticator app (Microsoft Authenticator, Okta Verify, Duo). You approve or deny it. Convenient, fast, and resistant to credential stuffing. Vulnerable to MFA fatigue attacks: repeated push spam sent in the hope that the user accidentally approves.

Strong

TOTP (Time-Based One-Time Password)

A 6-digit code generated by an app (Google Authenticator, Microsoft Authenticator) that changes every 30 seconds. No internet required. Works offline. More phishing-resistant than SMS but still vulnerable to real-time phishing if the user is tricked into entering the code on a fake site.

Strong
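How the 6-digit, 30-second code is derived and checked on the server, as an added example (not code from this page or from any vendor named on it). It follows RFC 6238 with HMAC-SHA1; the clock-skew allowance and the `last_counter` replay check are assumptions about how a verifier would be configured, and `SECRET` is the constructed RFC test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as described above


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_counter: int, skew_steps: int = 1):
    """Return the matching time-step counter, or None.

    Tolerates +/- skew_steps of clock drift and refuses any step at or
    below last_counter, so an already accepted code cannot be replayed.
    """
    now = unix_time // STEP
    for counter in range(now - skew_steps, now + skew_steps + 1):
        if counter < 0 or counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


# Constructed sample: the shared secret used by the RFC 6238 test vectors.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)                             # generated on the phone
    first = verify(SECRET, code, 61, last_counter=0)    # accepted despite drift
    replay = verify(SECRET, code, 62, last_counter=first)
    print(code, first, replay)
```

Nothing in the code binds it to the site it is typed into, which is why the verifier can only narrow the replay window rather than stop real-time phishing.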

SMS One-Time Password

A code sent via text message. Convenient and widely supported but the weakest form of MFA. Vulnerable to SIM swapping (an attacker porting your number to their SIM) and SS7 network attacks. NIST deprecated SMS OTP as a standalone MFA factor in 2016. Use only as a fallback, never as a primary factor.

Weak

Hardware Security Key (FIDO2)

A physical device (YubiKey, Google Titan) that plugs into USB or taps via NFC. The strongest MFA factor available. Completely phishing-resistant because the key uses a challenge-response protocol tied to the specific domain: it cannot be tricked by a fake login page, because the domain mismatch causes it to reject the authentication.

Phishing-Resistant
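The domain binding described above, seen from the server side, as an added example (not code from this page or any vendor's SDK). It performs the WebAuthn relying-party checks on `clientDataJSON` and the authenticator data; signature verification is omitted, and the domains, challenge and `sample_assertion` helper are constructed for illustration.

```python
import hashlib
import json


def binding_errors(client_data_json: bytes, authenticator_data: bytes,
                   challenge: str, origin: str, rp_id: str) -> list:
    """Relying-party checks that tie a WebAuthn assertion to this site.

    Verifying the signature over these bytes is a further step, omitted here.
    """
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != challenge:   # must be the one we issued
        errors.append("challenge")
    if client.get("origin") != origin:         # origin as seen by the browser
        errors.append("origin")
    if len(authenticator_data) < 37:           # rpIdHash + flags + signCount
        return errors + ["authenticator_data"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rp_id_hash")
    if not authenticator_data[32] & 0x01:      # UP flag: user touched the key
        errors.append("user_presence")
    return errors


def sample_assertion(origin: str, rp_id: str, challenge: str):
    """Constructed assertion fields as they would arrive from a browser."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    flags = bytes([0x05])                      # user present + user verified
    auth = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client, auth


CHALLENGE = "c2FtcGxlLWNoYWxsZW5nZQ"          # constructed base64url value
GENUINE = sample_assertion("https://login.example.com", "example.com", CHALLENGE)
LOOKALIKE = sample_assertion("https://login.examp1e-sso.test",
                             "examp1e-sso.test", CHALLENGE)

if __name__ == "__main__":
    for name, (client, auth) in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(name, binding_errors(client, auth, CHALLENGE,
                                   "https://login.example.com", "example.com"))
```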

Smart Card / Certificate

Common in government and high-security environments. A card with an embedded cryptographic chip (PIV, CAC). The strongest enterprise MFA for environments requiring compliance with government security standards. Requires infrastructure to issue and manage certificates.

Phishing-Resistant

Biometric

Face ID, Touch ID, Windows Hello. Device-bound biometric verification that never sends biometric data to a server; the match happens locally on the device. Excellent UX, no tokens to carry. The foundation of modern passkey authentication. As strong as the device security backing it.

Phishing-Resistant

MFA Fatigue: How Attackers Beat Push Notifications

In 2022, Uber was compromised not by breaking encryption or finding a zero-day, but by an attacker who kept sending push MFA requests to an employee's phone until the user approved one, likely to make the notifications stop. This "MFA fatigue" or "push bombing" attack revealed a weakness in push-based MFA. Modern defences include number matching (the app requires you to type a number shown on the login screen, not just tap Approve), additional context (showing the login location and application in the notification), and phishing-resistant FIDO2 hardware keys for the highest-risk accounts. MFA is not infallible, but it raises the attack cost dramatically even when circumvented.
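A detection for the push-bombing pattern described above, as an added example (not code from this page or any vendor's product). The event tuples, the threshold of five rejected prompts and the ten-minute window are assumptions; real identity-provider logs use their own field names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, push result).
EVENTS = [
    ("2024-05-01T09:00:05", "bob", "approved"),
    ("2024-05-01T02:10:00", "alice", "denied"),
    ("2024-05-01T02:10:40", "alice", "timeout"),
    ("2024-05-01T02:11:15", "alice", "denied"),
    ("2024-05-01T02:12:02", "alice", "timeout"),
    ("2024-05-01T02:12:50", "alice", "denied"),
    ("2024-05-01T02:13:30", "alice", "approved"),
    ("2024-05-01T14:00:00", "carol", "denied"),
    ("2024-05-01T14:00:30", "carol", "approved"),
]


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag bursts of rejected push prompts, and approvals that follow one."""
    rejected = defaultdict(deque)   # user -> times of recent rejected prompts
    alerts = []
    for stamp, user, result in sorted(events):
        when = datetime.fromisoformat(stamp)
        recent = rejected[user]
        while recent and when - recent[0] > window:
            recent.popleft()        # forget prompts older than the window
        if result in ("denied", "timeout"):
            recent.append(when)
            if len(recent) == threshold:
                alerts.append((user, stamp, "burst"))
        elif result == "approved":
            if len(recent) >= threshold:
                # An approval straight after a burst is the worrying case.
                alerts.append((user, stamp, "approved_after_burst"))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: revoke the resulting session and reset the user's credentials before investigating further.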

No organisation that mandates MFA for all users has ever suffered the kind of mass credential-stuffing attack that regularly devastates organisations relying on passwords alone. MFA is not a perfect control. It is just the most impactful single security investment available.

Why MFA is the highest-ROI security control in the enterprise

Modern Capabilities

Beyond Basic Second-Factor: Adaptive and Risk-Based MFA

The latest generation of MFA is not binary: it does not simply ask for a second factor every time. Adaptive MFA uses contextual signals to determine when additional verification is required and how strong that verification must be. A user logging in from their usual device, at their usual location, at their usual time, to a low-sensitivity application might not be prompted for MFA at all. The same user logging in from an unfamiliar country at 3am to the finance system will be required to provide a strong second factor, and possibly be blocked entirely pending manual review.

This risk-based approach dramatically reduces MFA fatigue (the frustration of repeated prompts that leads users to disable or work around MFA) while maintaining security where it counts most. The signals that drive adaptive MFA decisions include device management status (is this device enrolled and healthy?), IP reputation (is this IP associated with known proxies or threat actors?), geolocation and velocity (did the user just log in from London and is now attempting to log in from Sydney fifteen minutes later?), and user behaviour patterns (is this a normal login time for this person?).
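A small policy function combining the signals listed above, as an added example (not any vendor's engine). The `Login` fields, the score weights and the 900 km/h travel ceiling are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    managed_device: bool   # enrolled and healthy
    ip_flagged: bool       # known proxy or threat-actor address
    usual_hour: bool       # normal login time for this person
    sensitive_app: bool    # e.g. the finance system


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlat, dlon = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(h)))


def decide(previous: Login, current: Login,
           max_kmh: float = 900.0, min_km: float = 100.0) -> str:
    """Return allow, mfa, strong_mfa or block_pending_review."""
    km = distance_km(previous, current)
    hours = max((current.when - previous.when).total_seconds(), 1.0) / 3600
    if km > min_km and km / hours > max_kmh:
        return "block_pending_review"          # impossible travel
    score = ((0 if current.managed_device else 2) + (3 if current.ip_flagged else 0)
             + (0 if current.usual_hour else 1) + (2 if current.sensitive_app else 0))
    if score == 0:
        return "allow"
    return "strong_mfa" if score >= 3 else "mfa"


# Constructed sample logins for the London / Sydney case in the text.
LONDON = Login(datetime(2024, 5, 1, 9, 0), 51.5074, -0.1278, True, False, True, False)
SYDNEY = Login(datetime(2024, 5, 1, 9, 15), -33.8688, 151.2093, True, False, True, False)

if __name__ == "__main__":
    print(round(distance_km(LONDON, SYDNEY)), decide(LONDON, SYDNEY))
```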


Vendor comparison for MFA buyers

MFA is not just about adding a second factor; it is about choosing the factor that fits your environment, your risk profile, and your users. Artiflex suggests the solution that best fits your needs.

Criteria compared for Microsoft Entra MFA, Okta, Cisco Duo, RSA SecurID, Yubico (YubiKey) and Google Workspace MFA:

Founded / Heritage

  • Microsoft Entra MFA: Azure MFA 2014, bundled in M365
  • Okta: MFA since 2009, cloud-native
  • Cisco Duo: 2010, acquired by Cisco 2018
  • RSA SecurID: 1986, MFA pioneer (SecurID)
  • Yubico (YubiKey): 2007, hardware key inventor
  • Google Workspace MFA: Workspace MFA since 2010

Push MFA

  • Microsoft Entra MFA: ★★★★★ Authenticator + number matching
  • Okta: ★★★★★ Verify push, adaptive
  • Cisco Duo: ★★★★★ Best push UX in market
  • RSA SecurID: ★★★★★ Authenticate app
  • Yubico (YubiKey): ★★★★★ No push, key-based only
  • Google Workspace MFA: ★★★★★ Google prompt

TOTP

  • Microsoft Entra MFA: ★★★★★ Authenticator TOTP
  • Okta: ★★★★★ Verify TOTP
  • Cisco Duo: ★★★★★ Native TOTP
  • RSA SecurID: ★★★★★ Soft tokens
  • Yubico (YubiKey): ★★★★★ TOTP via OATH
  • Google Workspace MFA: ★★★★★ Google Authenticator

FIDO2 / Hardware Keys

  • Microsoft Entra MFA: ★★★★★ Windows Hello + Passkeys
  • Okta: ★★★★★ FastPass + WebAuthn
  • Cisco Duo: ★★★★★ Native FIDO2
  • RSA SecurID: ★★★★★ Hybrid token support
  • Yubico (YubiKey): ★★★★★ Best-in-class YubiKey
  • Google Workspace MFA: ★★★★★ Titan Security Key

Biometric

  • Microsoft Entra MFA: ★★★★★ Windows Hello
  • Okta: ★★★★★ Okta Verify biometric
  • Cisco Duo: ★★★★★ Duo biometric
  • RSA SecurID: ★★★★★ Limited biometric
  • Yubico (YubiKey): ★★★★★ Partial biometric
  • Google Workspace MFA: ★★★★★ Android/iOS biometric

SMS (Fallback)

  • Microsoft Entra MFA: ★★★★★ SMS fallback
  • Okta: ★★★★★ SMS fallback
  • Cisco Duo: ★★★★★ SMS supported
  • RSA SecurID: ★★★★★ SMS supported
  • Yubico (YubiKey): ★★★★★ No SMS
  • Google Workspace MFA: ★★★★★ SMS fallback

Adaptive / Risk-Based

  • Microsoft Entra MFA: ★★★★★ Conditional Access engine
  • Okta: ★★★★★ Identity Threat Protection
  • Cisco Duo: ★★★★★ Risk-Based Authentication
  • RSA SecurID: ★★★★★ Adaptive engine
  • Yubico (YubiKey): ★★★★★ Key only, no adaptive
  • Google Workspace MFA: ★★★★★ Workspace risk signals

Phishing Resistance

  • Microsoft Entra MFA: ★★★★★ Number matching + FIDO2
  • Okta: ★★★★★ FastPass anti-phish
  • Cisco Duo: ★★★★★ Verified Push + FIDO2
  • RSA SecurID: ★★★★★ FIDO2 supported
  • Yubico (YubiKey): ★★★★★ FIDO2 by design
  • Google Workspace MFA: ★★★★★ FIDO2 + Titan

Enterprise Scale

  • Microsoft Entra MFA: ★★★★★ M365 native scale
  • Okta: ★★★★★ Workforce + customer
  • Cisco Duo: ★★★★★ Cisco enterprise scale
  • RSA SecurID: ★★★★★ Long enterprise track record
  • Yubico (YubiKey): ★★★★★ Hardware logistics
  • Google Workspace MFA: ★★★★★ Workspace-centric scale

5-Year TCO (5,000 users)

  • Microsoft Entra MFA: ★★★★★ Bundled in M365
  • Okta: ★★★★★ Premium per-user
  • Cisco Duo: ★★★★★ Per-user friendly
  • RSA SecurID: ★★★★★ Premium, hardware ops
  • Yubico (YubiKey): ★★★★★ Hardware capex
  • Google Workspace MFA: ★★★★★ Bundled in Workspace

Best Suited For

  • Microsoft Entra MFA: Microsoft 365 estates, Conditional Access driven
  • Okta: Multi-cloud workforce + customer IAM
  • Cisco Duo: MFA-first deployments, Cisco ecosystem
  • RSA SecurID: Government, regulated, hardware-token estates
  • Yubico (YubiKey): High-risk accounts, executives, admins
  • Google Workspace MFA: Google Workspace estates

Strategic verdict

  • Microsoft Entra MFA: ✓ Recommended #1. Number matching, Conditional Access, included in M365. The default pick for Microsoft-aligned estates.
  • Okta: ✓ Recommended. Strongest workforce + customer MFA coverage with FastPass and Auth0. The pragmatic pick for multi-cloud.
  • Cisco Duo: ✓ Recommended. Best push UX in the market and device trust signals. The right pick for MFA-first deployments.
  • RSA SecurID: Longest enterprise MFA track record. The choice for government and hardware-token estates.
  • Yubico (YubiKey): The strongest phishing-resistant factor available. Deploy for executives and admins as a layer.
  • Google Workspace MFA: Native Google Workspace integration with Titan keys. The natural pick for Workspace estates.

Detailed Comparison on MFA Vendors

Strengths, blind spots, and the buyer profile each vendor was built for. Recommendations are based on UAE deployment patterns, not vendor tier.

★ Recommended

Microsoft Entra MFA

Leader · Included in M365

The most complete MFA platform for Microsoft environments. Conditional Access integrates MFA policy with device compliance, location, and risk scoring, all from one policy engine.

  • Number matching eliminates MFA fatigue attacks
  • Included in M365 Business Premium and above
  • Conditional Access ties MFA to real-time risk
  • Windows Hello for Business equals phishing-resistant
  • Less value for non-Microsoft environments
  • Premium features require P1 or P2 licensing
★ Recommended

Cisco Duo

Leader · MFA-First

Built specifically for MFA from day one. Duo's user interface is the simplest in the market for end users. Best for organisations where user experience and rapid adoption are priorities.

  • Cleanest push notification UX in the market
  • Device trust (Duo Device Health)
  • Works with any existing identity infrastructure
  • Cisco ecosystem integration adds complexity for non-Cisco shops
  • Less advanced IGA and governance integration
★ Recommended

Okta MFA / Adaptive MFA

Leader · Cloud-Native

Strongest cloud-native MFA, paired with Okta's broad app catalogue. FastPass delivers passwordless phishing-resistant authentication across Windows, Mac, iOS, and Android.

  • FastPass cross-platform passwordless
  • Adaptive risk signals from Okta Identity Threat Protection
  • Native to Okta's 7,000-plus app catalogue
  • Per-user licensing adds up at scale
  • Less native value for M365-centric organisations

RSA SecurID Access

Challenger · Enterprise Legacy

The MFA pioneer. RSA still commands significant share in large enterprises and government environments, particularly where hardware token infrastructure already exists.

  • Longest enterprise MFA track record
  • Strong government and financial services presence
  • Hybrid token plus app flexibility
  • 2011 breach still affects perception
  • More expensive and operationally heavier than modern alternatives

Yubico (YubiKey)

Visionary · Hardware-First

The leading hardware security key. YubiKey provides phishing-resistant FIDO2 authentication for the highest-risk accounts. A complement to an MFA platform, not a standalone replacement for it.

  • Strongest phishing resistance available
  • Works with any FIDO2-compatible service
  • No battery, no app, no connectivity required
  • Physical token management overhead
  • Not a complete MFA management platform on its own

Google Workspace MFA

Challenger · Workspace Native

Native MFA for Google Workspace estates. Combined with Titan Security Keys, delivers phishing-resistant coverage without an additional vendor contract.

  • Bundled with Workspace licensing
  • Titan keys provide hardware factor option
  • Google prompt delivers smooth push UX
  • Workspace-centric, limited beyond Google estate
  • Risk-based capabilities less mature than Microsoft / Okta

Artiflex IT delivers Microsoft Entra MFA, Okta, Cisco Duo, RSA SecurID, Yubico and Google Workspace MFA across UAE MFA programmes.
The vendor follows the assessment, not the other way around.

Gartner-style Capability Comparison

Each vendor is rated across MFA capabilities using a standardised tier scale. A gold ★ marker denotes best-in-class performance for that specific capability.

Capability ratings for Microsoft Entra MFA, Okta, Cisco Duo, RSA SecurID and Yubico:

Push MFA

  • Microsoft Entra MFA: Best in class (Authenticator + number matching)
  • Okta: Best in class (Verify + adaptive)
  • Cisco Duo: Best in class (Cleanest push UX)
  • RSA SecurID: Very strong (App + soft tokens)
  • Yubico: Moderate (Key-based, no push)

TOTP

  • Microsoft Entra MFA: Best in class (Native Authenticator)
  • Okta: Best in class (Verify TOTP)
  • Cisco Duo: Best in class (Native TOTP)
  • RSA SecurID: Excellent (Soft tokens)
  • Yubico: Excellent (TOTP via OATH)

FIDO2 / Hardware Keys

  • Microsoft Entra MFA: Best in class (Windows Hello + Passkeys)
  • Okta: Best in class (FastPass + WebAuthn)
  • Cisco Duo: Best in class (Native FIDO2 support)
  • RSA SecurID: Very strong (Hybrid hardware support)
  • Yubico: Best in class (Category-defining YubiKey)

Biometric

  • Microsoft Entra MFA: Best in class (Windows Hello)
  • Okta: Best in class (Okta Verify biometric)
  • Cisco Duo: Best in class (Duo biometric)
  • RSA SecurID: Good (Limited biometric)
  • Yubico: Good (Partial biometric)

Adaptive / Risk-Based

  • Microsoft Entra MFA: Best in class (Conditional Access, 100+ signals)
  • Okta: Excellent (Identity Threat Protection)
  • Cisco Duo: Excellent (Risk-Based Authentication)
  • RSA SecurID: Very strong (Adaptive Access)
  • Yubico: Moderate (Hardware-only)

Phishing Resistance

  • Microsoft Entra MFA: Best in class (Number matching plus FIDO2)
  • Okta: Best in class (FastPass anti-phishing)
  • Cisco Duo: Best in class (Verified Push plus FIDO2)
  • RSA SecurID: Very strong (FIDO2 capable)
  • Yubico: Best in class (FIDO2 by design)

Enterprise Scale

  • Microsoft Entra MFA: Best in class (M365 native scale)
  • Okta: Best in class (Workforce plus customer)
  • Cisco Duo: Best in class (Cisco enterprise scale)
  • RSA SecurID: Excellent (Long enterprise track record)
  • Yubico: Good (Hardware logistics scale)

Total Cost of Ownership

  • Microsoft Entra MFA: Best in class (Bundled in M365)
  • Okta: Moderate (Premium per-user)
  • Cisco Duo: Very strong (Per-user friendly)
  • RSA SecurID: Moderate (Premium, hardware ops)
  • Yubico: Very strong (Hardware capex amortised)

Rating scale: Best in class, Excellent, Very strong, Strong, Good

Decision Guide

Choosing your MFA solution

Match your MFA platform to your environment and risk profile.

You run Microsoft 365 and Windows

Microsoft Entra MFA with Conditional Access. Included in most M365 tiers and most deeply integrated with Windows Hello and Azure services; number matching eliminates push bombing.

You have a mixed environment or want MFA as a standalone layer

Cisco Duo. Works with any identity provider and any application. The simplest user experience, and vendor-neutral: it improves any existing identity setup without replacing it.

You are in government or high-security enterprise with existing hardware tokens

RSA SecurID Access. Longest track record, strongest hybrid token plus software support, still the reference implementation for government-grade MFA in many frameworks.

You need phishing-resistant MFA for privileged or executive accounts

Yubico YubiKey (FIDO2). Hardware keys are the only truly phishing-resistant factor. Deploy for admins, executives, and finance teams as a complement to your existing MFA platform.

You are a Google Workspace organisation

Google Workspace MFA with Google Authenticator and Titan Security Key. Deep integration within the Google ecosystem; Workspace MFA plus Titan keys provides phishing-resistant coverage without additional vendors.

Get an MFA Readiness Assessment

60-minute review of your current authentication stack, push-fatigue exposure, and FIDO2 readiness, with a vendor-neutral MFA recommendation mapped to your environment.