Passwords alone are no longer sufficient to protect your business accounts. This is not a theoretical concern — it is a daily reality for UK organisations of every size. The National Cyber Security Centre (NCSC) reports that compromised credentials are involved in the majority of cyber incidents affecting UK businesses, and the Information Commissioner's Office (ICO) has issued fines to organisations whose data breaches were facilitated by a lack of multi-factor authentication.
Two-factor authentication (2FA), also known as multi-factor authentication (MFA), adds a second layer of verification beyond the password. Even if an attacker obtains a user's password — through phishing, credential stuffing, or a data breach — they cannot access the account without also possessing the second factor. For UK businesses, implementing 2FA is no longer optional — it is a baseline security requirement that is mandated by Cyber Essentials, recommended by the NCSC, and expected by cyber insurance providers.
But not all 2FA methods are created equal. From SMS codes to hardware security keys, the options vary significantly in terms of security, usability, and cost. This guide compares the most common 2FA methods available to UK businesses, helping you choose the right approach for your organisation.
Understanding the Three Authentication Factors
Authentication factors are divided into three categories: something you know (passwords, PINs, security questions), something you have (a phone, a hardware token, a smart card), and something you are (fingerprints, facial recognition, iris scans). Two-factor authentication requires credentials from at least two of these categories. A password (something you know) combined with a code from your phone (something you have) is 2FA. A password combined with a security question is not 2FA, because both are "something you know."
The strength of a 2FA implementation depends on which factors are combined and how resistant the second factor is to interception and spoofing. Let us examine each method in detail.
SMS-Based 2FA
SMS-based 2FA sends a one-time code to the user's registered mobile phone number via text message. The user enters this code after their password to complete authentication. It is the most widely deployed 2FA method, largely because it requires no additional software or hardware — every mobile phone can receive SMS messages.
However, SMS-based 2FA has significant security weaknesses. SIM swapping attacks, where an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM card, can intercept SMS codes. SS7 vulnerabilities in the mobile network infrastructure can allow sophisticated attackers to redirect messages. And social engineering attacks against mobile carrier staff can compromise the delivery channel. The NCSC has stated that while SMS-based 2FA is better than no 2FA at all, it should not be the primary method for protecting high-value accounts.
The NCSC acknowledges that SMS-based 2FA provides meaningful protection against the most common attacks — password spraying, credential stuffing, and basic phishing. However, it recommends that organisations move towards more secure methods, particularly for administrative accounts, email accounts, and any system that stores sensitive data. Its guidance states that "SMS as a second factor is better than not having a second factor, but other methods provide stronger assurance." For UK organisations pursuing Cyber Essentials Plus certification, SMS-based 2FA is currently accepted, but the direction of travel is clearly towards stronger methods.
Authenticator App-Based 2FA (TOTP)
Authenticator apps such as Microsoft Authenticator, Google Authenticator, and Authy generate time-based one-time passwords (TOTP) that change every 30 seconds. The user opens the app, reads the current code, and enters it during login. Because the codes are generated locally on the user's device from a shared secret established during setup, they are never sent over a network, so there is no SMS to redirect or intercept. Note, however, that a code typed into a convincing phishing page can still be relayed to the real service by the attacker within its short validity window, which is why TOTP is not classed as phishing-resistant in the comparison table below.
TOTP-based 2FA is significantly more secure than SMS and is the method recommended by the NCSC for most business applications. It is free to deploy (the authenticator apps are free), works without a mobile signal or internet connection (the code depends only on the secret and the current time), and is supported by virtually every major cloud service including Microsoft 365, Google Workspace, AWS, and Azure. The main disadvantage is that it requires users to have a smartphone, and losing the phone (or switching to a new one) can lock users out of their accounts unless backup codes have been saved.
Push Notification 2FA
Push notification 2FA, offered by apps like Microsoft Authenticator and Duo Security, sends a notification to the user's registered device when a login attempt is made. The user simply taps "Approve" or "Deny" on their phone — no code entry required. This provides better usability than TOTP because the user does not need to type a code, reducing the chance of errors and saving time.
Push-based 2FA is also more resistant to phishing than TOTP, because the notification includes contextual information (such as the location and device of the login attempt) that helps the user identify suspicious requests. However, it is vulnerable to "push fatigue" attacks, where an attacker repeatedly sends authentication requests until the frustrated user accidentally approves one. Microsoft has addressed this with number matching, where the user must type a number displayed on the login screen into the authenticator app, effectively combining the convenience of push with the security of code entry.
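Because push fatigue only works if nobody notices the burst of prompts, it is worth alerting on it. The following is an added example, not part of the original article or any vendor's tooling, of a detection over constructed sign-in log lines in an assumed "ISO-time user result" format; a real identity provider export would need its own parser.

```javascript
// Added example, not from the original article: a simple detection for push
// fatigue over sign-in logs. The log lines below are constructed for this
// example, in an assumed "ISO-time user result" format where result is one of
// approved | denied | timeout (a real IdP export will need its own parser).
const SAMPLE_LOG = `
2024-03-01T08:00:05Z alice approved
2024-03-01T22:10:01Z bob denied
2024-03-01T22:10:40Z bob denied
2024-03-01T22:11:15Z bob timeout
2024-03-01T22:12:02Z bob denied
2024-03-01T22:12:50Z bob denied
2024-03-01T22:13:30Z bob approved
2024-03-01T09:30:00Z carol denied
2024-03-01T09:45:00Z carol approved
`;

function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, user, result] = line.trim().split(/\s+/);
    return { time: Date.parse(ts) / 1000, user, result };
  });
}

// Flag a user when at least `threshold` push prompts are denied or left to
// time out within `windowSec`, and record whether an approval followed the
// burst: that is the outcome a push-fatigue attack is trying to produce.
function detectPushFatigue(events, windowSec = 600, threshold = 4) {
  const byUser = new Map();
  for (const e of [...events].sort((a, b) => a.time - b.time)) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }
  const alerts = [];
  for (const [user, evs] of byUser) {
    const refused = evs.filter((e) => e.result !== 'approved');
    for (let i = 0; i + threshold <= refused.length; i++) {
      const first = refused[i];
      const last = refused[i + threshold - 1];
      if (last.time - first.time > windowSec) continue;
      const approvedAfter = evs.some((e) =>
        e.result === 'approved' && e.time > last.time && e.time - last.time <= windowSec);
      alerts.push({ user, refusedPrompts: threshold, burstStart: first.time, approvedAfter });
      break; // one alert per user is enough here; a SIEM rule would suppress duplicates
    }
  }
  return alerts;
}
```

On the sample data only bob triggers an alert, with `approvedAfter` set, which is the case that warrants an immediate credential reset and session revocation.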
| 2FA Method | Security Level | Usability | Cost | Phishing Resistant |
|---|---|---|---|---|
| SMS Codes | Basic | High | Free | No |
| Authenticator App (TOTP) | Good | Medium | Free | No |
| Push Notification | Good | High | Free - £3/user/mo | Partial |
| Push with Number Matching | Very Good | High | Free - £3/user/mo | Mostly |
| Hardware Security Key (FIDO2) | Excellent | Medium | £20-60/key | Yes |
| Passkeys | Excellent | Very High | Free | Yes |
| Smart Cards/Certificates | Excellent | Low | £50-150/user | Yes |
Hardware Security Keys (FIDO2/WebAuthn)
Hardware security keys — physical devices such as YubiKeys and Google Titan keys — provide the strongest form of 2FA currently available to UK businesses. Based on the FIDO2/WebAuthn standard, these keys use public key cryptography that is fundamentally resistant to phishing. When a user authenticates, the security key verifies the identity of the website it is communicating with, meaning it will not respond to a phishing site even if the user is tricked into visiting one.
The security key is inserted into a USB port (or tapped via NFC on mobile devices) and the user touches a button on the key to confirm the authentication. No codes are transmitted, nothing can be intercepted, and there is no software on the user's phone that can be compromised. For UK organisations that handle highly sensitive data — financial services firms, legal practices, healthcare providers, and government contractors — hardware security keys represent the gold standard for authentication security.
The primary barriers to adoption are cost (keys typically cost between £20 and £60 each, and each user should have two — a primary and a backup) and logistics (distributing physical keys to a remote workforce requires planning). However, for the level of security they provide, the cost is remarkably low compared to the potential cost of a breach.
Passkeys: The Future of Authentication
Passkeys represent the next evolution of authentication and are rapidly gaining support across major platforms. A passkey is essentially a FIDO2 credential that is stored on and protected by the user's device — their phone, laptop, or tablet — rather than on a separate hardware key. When authenticating, the user unlocks the passkey using their device's built-in biometrics (fingerprint or facial recognition) or PIN.
Passkeys provide the same phishing-resistant security as hardware keys but with significantly better usability — no separate device to carry, no codes to type, and no battery to charge. They are supported by Apple, Google, and Microsoft, and major services including Microsoft 365, Google Workspace, and many UK banking platforms now accept passkeys.
For UK businesses, passkeys offer an excellent balance of security and usability. They are particularly well-suited to organisations that have struggled with 2FA adoption because users find existing methods inconvenient. As passkey support continues to expand across business applications, they are likely to become the default authentication method for most UK organisations within the next few years.
Recommended for UK Businesses
- Authenticator apps for standard user accounts
- Push with number matching for Microsoft 365
- Hardware keys for admin and privileged accounts
- Passkeys where supported for best user experience
- Conditional Access policies to enforce MFA
- Backup methods configured for account recovery
- Regular review of MFA adoption rates
Approaches to Avoid
- SMS-only 2FA for sensitive accounts
- Security questions as a second factor
- Allowing users to opt out of MFA
- No backup authentication method configured
- Same 2FA method for all account types
- No monitoring of MFA bypass attempts
- Ignoring MFA for legacy applications
Implementing 2FA Across Your Organisation
Deploying 2FA across a UK business requires careful planning to ensure adoption without disruption. Start with a phased approach: enable 2FA for administrator and privileged accounts first (these are the highest-value targets), then roll out to all users over a period of two to four weeks. Provide clear instructions and support during the rollout — a brief training session, a step-by-step guide, and a dedicated support contact for 2FA issues will dramatically reduce resistance and support tickets.
For Microsoft 365 environments, which the majority of UK businesses use, Conditional Access policies provide granular control over when 2FA is required. You can configure policies that require 2FA for all cloud application access, allow trusted devices to bypass 2FA for a defined period, require stronger authentication (such as hardware keys) for administrator access, and block legacy authentication protocols that do not support 2FA. These policies ensure that 2FA is enforced consistently without creating unnecessary friction for users who are already authenticated on trusted devices.
Need Help Implementing 2FA for Your Business?
Cloudswitched provides comprehensive cyber security services for businesses across the United Kingdom. From 2FA deployment and Conditional Access configuration to Cyber Essentials certification and ongoing security management, we help you protect your organisation against credential-based attacks. Contact us to review your authentication security.
