Carnegie Mellon University
Computing Services  ›  Information Security Office  ›  News  ›  2025  ›  MFA: The Good, The Better, and The Unprotected

Phone and computer on desk with the phone displaying a 2fa screen.

October 01, 2025

MFA: The Good, The Better, and The Unprotected

Enabling Multi-Factor Authentication (MFA) on all your accounts adds a small step to your login process, but it’s a giant leap for your security. Whether you're accessing university systems, personal email or social media, MFA helps prevent unauthorized access even if your password is compromised.

MFA is secure, layered, and one of the most effective ways to protect your digital identity. So, go ahead and supercharge your protection. Think beyond the password.

With so many MFA options available, how do you know which ones offer the strongest protection? The following rankings rank common MFA methods from SUPERIOR to FAIL, based on security strength and resistance to common attacks:

MFA Security Rankings

Rank

Category

MFA Method

Why it Ranks Here

S (SUPERIOR)

The Dream Team

Biometrics (Face ID, fingerprint scans)

Nearly impossible for attackers to fake, providing the strongest layer of defense.

Standalone MFA Apps (Duo)

Uses strong, time-sensitive encryption codes that are not vulnerable to communication interception.

A (EXCELLENT)

Highly Secure

Hardware MFA Device (Security key)

Provides strong, physical security. The only potential drawback is that the physical device could be lost or stolen.

B (GOOD)

Use with Caution

Text Message Codes or Links

Vulnerable to sophisticated attacks like SIM swap scams, where an attacker hijacks your phone number.

Email Codes or Links

The security of this method depends entirely on how well your email account is protected. If your email is compromised, so is this MFA method.

C (AVERAGE)

High Risk

Security Questions

Sophisticated attackers can often guess answers using information found online or through social engineering.

F (FAIL)

Unprotected

No MFA

Any form of Multi-Factor Authentication is a monumental improvement over no protection at all.

To truly secure your digital life, always aim for the S- or A-ranked methods whenever available. When you take the small step of enabling MFA and choosing a high-ranking method, you are doing more than just protecting a password — you are supercharging your protection and becoming a stronger defender of our community.

Adapted from staysafeonline.org/cybersecurity-awareness-month