MFA Methods Comparison Guide

Choose the right multi-factor authentication method for your application.

Overview

ZewstID supports multiple MFA methods, each with different security levels, user experience, and implementation complexity. This guide helps you choose the right method(s) for your use case.

At a Glance

Method	Security	UX	Offline	Setup Time	Best For
Push Authentication	High	Excellent	No	5 min	Mobile-first apps
TOTP (Authenticator App)	Medium-High	Good	Yes	5 min	Enterprise apps
WebAuthn / Passkeys	Highest	Excellent	Yes	10 min	High-security apps
SMS/Email OTP	Medium	Good	No	2 min	Quick implementation
Magic Links	Medium	Good	No	2 min	Consumer apps

Detailed Comparison

Push Authentication

How it works: User receives a push notification on their registered mobile device and taps to approve/deny the login.


Web Browser                          Mobile App
    │                                    │
    │ 1. Enter email                     │
    │────────────────────────────────────│
    │                                    │
    │          2. Push notification      │
    │◀───────────────────────────────────│
    │                                    │
    │          3. User taps approve      │
    │────────────────────────────────────▶
    │                                    │
    │ 4. Logged in!                      │
    └────────────────────────────────────┘

Pros:

Best user experience (single tap)
Shows login context (IP, location, browser)
Phishing-resistant (user sees where login originated)
No code to type

Cons:

Requires internet on mobile device
Needs Firebase/APNs setup
Only works on registered devices

Implementation effort: Medium

React Native SDK integration
Firebase configuration
Device registration flow

Best for:

Mobile-first applications
Companies with existing mobile apps
High-security requirements with good UX

Documentation: Push Authentication Guide

TOTP (Authenticator App)

How it works: User opens an authenticator app (Google Authenticator, Authy, etc.) and enters a 6-digit code that refreshes every 30 seconds.


Authenticator App                    Your App
    │                                    │
    │ [523842]                          │
    │                                    │
    │ 1. User reads code                 │
    │────────────────────────────────────▶
    │                                    │
    │ 2. User types code                 │
    │────────────────────────────────────▶
    │                                    │
    │          3. Code verified          │
    │◀───────────────────────────────────│
    │                                    │
    │          4. Logged in!             │
    └────────────────────────────────────┘

Pros:

Works offline
No internet required after setup
Works on any device
Widely understood by users

Cons:

Vulnerable to phishing (user can be tricked)
Requires manual code entry
User must have authenticator app installed

Implementation effort: Low

Simple API integration
QR code display for setup
Backup codes for recovery

Best for:

Enterprise applications
Developer tools
When offline access is needed

Documentation: TOTP Implementation Guide

WebAuthn / Passkeys

How it works: User authenticates using built-in device security (Face ID, Touch ID, Windows Hello, hardware security key).


Your App                             Device
    │                                    │
    │ 1. Click "Sign in with Face ID"   │
    │────────────────────────────────────▶
    │                                    │
    │          2. Biometric prompt       │
    │◀───────────────────────────────────│
    │                                    │
    │ 3. User scans face                 │
    │────────────────────────────────────▶
    │                                    │
    │          4. Cryptographic proof    │
    │◀───────────────────────────────────│
    │                                    │
    │ 5. Logged in!                      │
    └────────────────────────────────────┘

Pros:

Highest security (cryptographically proven)
Completely phishing-resistant
Works offline
Excellent user experience
No codes to remember

Cons:

Requires compatible device
Not all browsers support it equally
More complex implementation
User education may be needed

Implementation effort: Medium-High

Per-client rpID configuration
Platform-specific considerations
Credential management

Best for:

Banking and financial apps
Healthcare applications
High-security enterprise apps
Passwordless authentication

Documentation: WebAuthn Overview

SMS/Email OTP

How it works: User receives a one-time code via SMS or email and enters it to verify.


Your App                    SMS/Email Provider
    │                              │
    │ 1. Request code              │
    │──────────────────────────────▶
    │                              │
    │         2. Send SMS/Email    │
    │◀──────────────────────────────
    │                              │
    │ 3. User enters code          │
    │──────────────────────────────▶
    │                              │
    │         4. Verified          │
    │◀──────────────────────────────

Pros:

Works on any phone (SMS)
No app installation required
Easy to understand

Cons:

SMS can be intercepted (SIM swapping)
Email can be compromised
Requires internet for delivery
Delivery can be delayed

Implementation effort: Low

Simple API calls
No client-side complexity

Best for:

Quick implementation
When users may not have smartphones
Lower security requirements

Documentation: OTP Authentication

Magic Links

How it works: User receives an email with a unique, time-limited link that logs them in when clicked.


Your App                    Email
    │                         │
    │ 1. Enter email          │
    │─────────────────────────▶
    │                         │
    │    2. Magic link sent   │
    │◀─────────────────────────
    │                         │
    │ 3. User clicks link     │
    │─────────────────────────▶
    │                         │
    │    4. Logged in!        │
    │◀─────────────────────────

Pros:

No password needed
Simple user experience
Works on any device with email

Cons:

Relies on email security
Requires email access
Links can be forwarded

Implementation effort: Very Low

Single API call to initiate
No client-side complexity

Best for:

Consumer applications
Newsletter subscriptions
Low-friction sign-up flows

Documentation: Magic Links

Security Comparison Matrix

Threat	Push	TOTP	WebAuthn	SMS OTP	Magic Link
Phishing	Protected	Vulnerable	Protected	Vulnerable	Vulnerable
SIM Swapping	Protected	Protected	Protected	Vulnerable	Protected
Man-in-Middle	Protected	Vulnerable	Protected	Vulnerable	Vulnerable
Device Theft	Protected*	Vulnerable	Protected*	Vulnerable	Vulnerable
Credential Stuffing	Protected	Protected	Protected	Protected	Protected

*Protected if device has biometric lock

Implementation Recommendations

For Consumer Apps

Recommended: Magic Links + Optional TOTP

Start with magic links for frictionless onboarding
Offer TOTP as optional upgrade for security-conscious users
Consider push authentication for mobile users

For Enterprise Apps

Recommended: TOTP + WebAuthn

Require TOTP for all users
Encourage WebAuthn for enhanced security
Consider push authentication for mobile workforce

For High-Security Apps

Recommended: WebAuthn + TOTP (backup)

Require WebAuthn as primary method
Allow TOTP as backup for device unavailability
Implement push authentication for mobile approval

For Developer Tools

Recommended: TOTP + Magic Links

TOTP for regular access
Magic links for occasional use
Consider WebAuthn for API key generation

Migration Strategies

From SMS OTP to TOTP

Enable TOTP enrollment alongside SMS
Prompt users to set up TOTP
Grace period with both methods active
Deprecate SMS after adoption threshold

From TOTP to Push Authentication

Release mobile app with push support
Encourage device registration
Keep TOTP as fallback
Measure adoption before removing TOTP

Adding WebAuthn

Detect device capabilities
Prompt supported users during login
Offer during account settings
Keep existing MFA as fallback

FAQ

Q: Can I combine multiple MFA methods? A: Yes! Many apps require users to set up multiple methods. Users choose one at login.

Q: Which method is most secure? A: WebAuthn is the most secure, followed by Push Authentication. Both are phishing-resistant.

Q: Which has the best UX? A: Push Authentication and WebAuthn tie for best UX. Both require minimal user action.

Q: What if users don't have smartphones? A: Offer TOTP (works on any device with time) or SMS OTP as fallback.

Q: Should I require MFA? A: Depends on your security needs. Consider requiring it for admin functions or sensitive data.

Q: How do I handle recovery? A: Always provide backup codes with TOTP. For WebAuthn, keep a fallback method enabled.

Choosing Your Stack

Mobile-First Company


Primary: Push Authentication
Fallback: TOTP
Recovery: Backup codes

Enterprise SaaS


Primary: TOTP or WebAuthn
Fallback: Push Authentication (for mobile users)
Recovery: Admin-initiated recovery

Consumer App


Primary: Magic Links (passwordless)
Optional: TOTP for power users
Consider: WebAuthn for modern browsers

Banking/Finance


Required: WebAuthn + Push Authentication
Fallback: TOTP
Recovery: In-person verification

Next Steps

Was this page helpful?

Let us know how we can improve our documentation