Multi-Factor Authentication (MFA) requires users to present two or more factors from different categories: something you know (password), something you have (authenticator app, hardware key), and something you are (biometric). TOTP (Time-Based One-Time Password, RFC 6238) derives a 6-digit code from a shared secret and the current Unix time divided into 30-second steps; FIDO2/WebAuthn signs a per-login challenge with a private key held by a hardware or platform authenticator, which makes it phishing-resistant; and push-based MFA (Duo, Okta Verify) sends a push notification to an enrolled device that the user approves or denies.

Key Points

  • TOTP algorithm: TOTP(K, t) = HOTP(K, T) with T = floor(t / 30), where HOTP is HMAC-SHA1 keyed with the shared secret K over the 8-byte big-endian step counter T, dynamically truncated (RFC 4226) to 6 decimal digits; server and client compute it independently, and accepting ±1 step (a 90 s window) absorbs clock skew. The server should also remember the last step it accepted so a code cannot be used twice.
  • TOTP weaknesses: phishable (an adversary-in-the-middle phishing page relays the victim's code to the real site before the step expires), no protection against SIM swap where enrolment or recovery falls back to SMS, and open to social engineering (help-desk reset scams, victims reading codes to a caller). Push bombing (MFA fatigue) is the equivalent weakness of push-based MFA, not of TOTP.
  • FIDO2/WebAuthn: user registers an authenticator (YubiKey, Touch ID, Windows Hello) which generates a key pair; the public key is stored on the server, the private key never leaves the device. The credential is scoped to the relying party's RP ID, and the browser writes the requesting origin into the signed client data, so a look-alike site cannot obtain or replay a valid assertion: phishing-resistant, not merely harder to phish.
  • Passkeys (FIDO2 with cloud sync): discoverable credentials synced across a user's devices via iCloud Keychain or Google Password Manager; they enable passwordless FIDO2 without a physical hardware key, at the cost that the private key is no longer bound to one piece of hardware (device-bound passkeys keep that property).
  • MFA fatigue attack: attacker with stolen credentials sends repeated push MFA requests hoping the user approves one to stop the notifications; mitigate with number matching (the sign-in page displays a number that the user must type into the authenticator app, so a prompt cannot be approved blindly) and rate limiting of push prompts.
  • SMS-based OTP is classified as a RESTRICTED authenticator by NIST SP 800-63B because of SIM swap and SS7 interception; migrate enterprise users to TOTP apps (Google Authenticator, Authy) or, preferably, FIDO2 keys.
  • Conditional Access (Entra ID, Okta) can require step-up MFA based on risk signals: unfamiliar location, new device, impossible travel, admin role action — balancing friction with risk.
  • Hardware security keys: the YubiKey 5 series supports FIDO2 (WebAuthn), FIDO U2F, PIV (smart card), OATH-TOTP/HOTP, and OpenPGP on a single device; Google Titan keys are FIDO-only. Recommended for privileged accounts (cloud admin, root, executive).

Real-World Example

Google began requiring FIDO (U2F) hardware security keys for all 85,000+ employees in early 2017, replacing one-time codes from Google Authenticator; in 2018 it reported that not a single employee work account had been taken over by phishing since the rollout. (FIDO2/WebAuthn, which standardised later, is the successor of the U2F protocol those keys used.)