SMS
  Security:
    - ... set up forwarding schemes
    - can be compromised by device malware
    - delivery is usually to the same device being used
  UX:
    - users are familiar with SMS
    - easy setup for users
    - re-uses devices users already have
    - typing codes is error-prone, not suitable for frequent auths
    - delays in delivery can cause timeouts, frustrating users
  Cost:
    - typically free for users
    - minimal delivery cost for providers (~ $0.01/message)
Soft tokens (e.g. TOTP)
  Security:
    - typically based around a shared secret, which can be silently stolen
    - time-based tokens are vulnerable to theft, brute-forcing, and re-use
    - delivery is usually to the same device being used
  UX:
    - re-uses devices users already have
    - relatively familiar (to experienced users, at least)
    - enrollment can be confusing (TOTP)
    - time skew on devices can make implementation difficult
  Cost:
    - free to users
    - provider costs range from free (e.g. TOTP) to several $/user
Hardware tokens
  UX:
    - "just press the button"; can be suitable for frequent auths
    - some tokens can also be used for encryption, signing
    - lost tokens can mean long lockouts
    - no real standards mean token proliferation
  Cost:
    - at least $20 per user
How should we handle lost tokens?
    - ... attack surface)
    - "Contact support"? (vulnerable to social engineering)
    - "Sorry; deal with it"? (not very user-friendly)
Recommendations
    - out-of-band communication, or a good soft-token implementation (Authy)
    - require MFA at login, and when performing sensitive actions
    - backup codes & phone/email backup; don't allow support to reset MFA