16 September 2025

Multi-factor authentication evaluation guide

What to actually compare when choosing MFA: trust, control, regulation, total cost of ownership, and the user experience that decides adoption.

Choosing a multi-factor authentication solution is a ten-year decision dressed up as a procurement checkbox. This guide covers the questions that separate solutions that quietly protect you from solutions that quietly become your next migration project.

Trust

Trust the security model. Solutions built on public-key cryptography give you stronger guarantees than shared-secret schemes: there is no central vault of secrets to breach, and nothing that both sides know. Be wary of proprietary cryptography; prefer open, audited foundations.

Know the technological foundations. Where are keys generated? Where are they stored? A key created and held inside the phone’s hardware element cannot be exported or cloned; a seed delivered by QR code during enrollment is only as safe as that delivery.

Consider who is in control

On-premise or SaaS. Where does the solution run, and what happens to your authentication if the vendor has an outage — or a breach? If regulators ask where authentication data lives, do you have an answer you control?

Auditable communications. Can you see and verify what the solution sends over the network? Transaction verification matters here: the user should see what they are approving, and the approval should be cryptographically bound to exactly that.

Don’t forget about regulation

Where will data be stored, and do you need to hand personal data to the vendor at all? For EU organizations, GDPR makes this concrete. For fintech, PSD2’s strong customer authentication and dynamic-linking requirements decide which solutions are even eligible. Resiliency and availability requirements may also apply: can the solution run redundantly under your control?

Total cost of ownership

License fees are the visible part. Count also:

  • Product dependencies: does it require other products, directories or hardware you don’t have yet?
  • Maintenance fees and version upgrades.
  • Human-resource costs: day-to-day administration, user support, and training.
  • Time to deployment: every week of setup is payroll spent before any protection exists.
  • Opportunity costs: will the solution still fit when you add document signing, new applications, or a merger’s worth of new users?

Be careful with SMS

SMS codes can be intercepted, SIM-swapped and phished, and they carry no record of what the user actually saw when they approved. Regulators have noticed. If SMS is your current second factor, treat it as a bridge, not a destination.

User experience decides everything

Security that annoys users gets bypassed, and a bypassed control is worse than no control, because it shows up green on the compliance report. Compare the hardware experience (what must users carry?), the software experience (how many taps? how many failure modes?), and the administrator experience (how long does onboarding one user actually take?). Privacy is part of the experience too: a solution that hoards user data creates its own risk.

What next?

Any security is better than no security, but migration costs are real, so choose something you won’t outgrow. Evaluate against your own environment with a pilot: a real VPN, a real application, a handful of real users. That tells you more in a week than a feature matrix tells you in a quarter.

← All posts

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.