Mobile Push MFA vs. Token-Based MFA: Which to Choose?

MFA Comparison: FortiToken and Mobile Push

You know how it is when you’re sitting at your desk, third coffee of the day in hand, and your mind just skates across the day’s security challenges? Yeah, that’s me right now. After decades of playing this game, starting with my time as a network admin all the way back in 1993, wrangling PSTN multiplexers and fighting back then-new worms like Slammer, I’ve watched MFA grow from an optional nicety into a key part of any security plan. I’ve been asked this question daily over the last few days: “Mobile Push MFA or Token-Based MFA, which one should I select for my organization?” I’ve learned a few hard-earned lessons recently working with FortiToken apps, SMS, email, and hardware devices too, particularly in the context of FortiAuthenticator deployments.

Enrollment Options

First up: enrollment. How does your staff even get hold of these MFA tokens in the first instance? Here’s the scoop from the trenches of advising clients; I’ve recently guided three banks through an upgrade to zero trust.

  • FortiToken Mobile (Push & TOTP): The most straightforward to roll out if your users have smartphones. The app either receives push notifications or generates TOTP codes. Enrollment is through an activation QR code that the user scans with the app: easy, slick, no fuss.
  • SMS and Email Tokens: Old school but still rockin’. A one-time code is sent by text or email. No app necessary, but it has its own security downsides (more on that in a moment).
  • Hardware Tokens: Physical items users carry. A simple keyfob that displays TOTP codes, or fancier USB tokens.

Here’s the thing when you’re onboarding users: mobile push is fast because there’s almost zero friction. There are no codes to memorize or type in. But hardware tokens? I recall when I distributed 500 of those to bankers. Logistical nightmare: missing tokens, devices that didn’t work, exchanges. SMS and email? Easy to roll out, but heavily reliant on telecom providers and email service availability.

Security Comparison

All right, we’re getting technical (though not too technical; the coffee is only starting to work).

  • Mobile Push MFA (e.g., FortiToken Push): Strong, because it requires possession of the enrolled device and an explicit user approval. Even if someone lifts your password, they still need the push approval from your phone. But if your phone is jailbroken or infected with malware, the attacker could in theory intercept or spoof that approval. And because approval is a single tap, an attacker who already has the password can fire off prompts until a tired user taps “Approve” (push fatigue); number matching, where the user must enter a code displayed on the login screen into the app, closes that gap. Not foolproof.
  • TOTP Tokens (mobile or hardware): They produce a time-based code that is only valid for a short period (usually 30 seconds). Hardware tokens are air-gapped from the network, so endpoint malware cannot read their seed, but they carry the physical risks we discussed, and the seed is only as safe as the factory and provisioning path that handled it. Mobile apps depend on device security. Either way, a TOTP code can still be relayed in real time by a phishing site that proxies the login, so the short validity window limits replay, not phishing.
  • SMS & Email Tokens: The weakest link. SIM swapping and interception are well-established attacks on SMS. Email is only as secure as the mailbox: an attacker who has already phished the user’s email account reads the code along with everything else.
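To make the enrollment QR code and the 30-second TOTP window concrete, here is an added example (not code from the original post, and not Fortinet’s FortiToken or FortiAuthenticator implementation, which is not public). It assumes the standard RFC 4226/6238 algorithm with HMAC-SHA1 and the Google-Authenticator-style otpauth:// URI as the QR payload; FortiToken Mobile’s own activation format may differ. The verifier accepts one step of clock drift and refuses to accept a counter it has already consumed, which is the replay protection the short window is meant to provide.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6   # code length shown on the token


def new_seed(nbytes: int = 20) -> bytes:
    """Generate a random 160-bit seed for HMAC-SHA1 (assumed seed size)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(seed: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI an enrollment QR code encodes.

    Assumption: Google-Authenticator-style format. The seed is inside the
    URI, so the QR code is itself a secret and must be shown only to the
    enrolling user, never logged or emailed around."""
    secret_b32 = base64.b32encode(seed).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(seed: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(seed, at // STEP)


class TotpVerifier:
    """Server-side check: tolerates +/-window steps of clock drift and never
    accepts a counter at or below the last one it already accepted."""

    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # replay of a consumed step, or older than it
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    import time
    seed = new_seed()
    print(provisioning_uri(seed, "alice@example.com", "ExampleBank"))  # hypothetical names
    now = int(time.time())
    code = totp(seed, now)
    v = TotpVerifier(seed)
    print(code, v.verify(code, now), v.verify(code, now))  # second attempt is a replay
```

The two things worth noticing: the code is bound to a counter, not to a moment, so a 30-second window really means “whichever step the clock is in plus one either side”, and replay defence has to be stateful on the server; the algorithm alone does not provide it. Nothing here stops a real-time phishing proxy that forwards a fresh code within the window.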

Here’s a little side anecdote: remember when the Slammer worm struck in 2003, exploiting a network-facing software vulnerability? Today the vulnerability is often the human being. MFA tries to fix that.

I, for one, will be dubious if I see anything suddenly “AI-powered” to fix MFA flaws. That’s for the most part marketing nonsense. Even the smartest AI in history isn’t going to save you if your tedious old token provisioning isn’t utterly rock solid.

User Experience

User experience can make or break MFA in your business. I’ve watched good tech flounder because its users detested the friction.

  • Mobile push is the slam-dunk winner here. One tap. Done. No typing, no codes to remember, no device juggling.
  • Hardware tokens? Just think about having to dig a clunky keyfob out of your pocket every time you want to log in. And you have to carry the token like you might a key on a keychain. People lose them. Or forget them at home.
  • SMS & Email? Nothing terrible, but typing in codes gets tedious pretty quickly.

Confession time: early in my career, I once rolled out an insane password policy alongside what felt like eight billion pounds of hardware tokens. People came up with inventive ways to circumvent the restrictions. That was a nightmare I won’t forget.

When users only have to accept a push notification on the smartphone they already carry, adoption is significantly higher, and there are fewer helpdesk calls for resets or lost tokens.

But remember the users without smartphones, including some field engineers or contractors without data plans. For them, hardware tokens or SMS may still be required.

Cost Analysis

Money talks. In security, the goal is the most risk reduction per dollar spent.

  • Hardware tokens: The initial expense can be high. Ordering, distributing, and managing devices adds up, as does replacing them when a user loses or damages one, plus the behind-the-scenes cost of token lifecycle management.
  • FortiToken Mobile application: Low cost per user. There are still licensing and support fees, but no hardware to hand out, and a lower helpdesk burden.
  • SMS & E-mail tokens: Often pay-per-use. Each SMS or email has a cost, and with large user bases this eats into the budget quickly. Add carrier fees and the potential cost of fraud exposure.

In the projects I led, banks saw clear cost benefits from moving to mobile push MFA using FortiToken Mobile integrated with FortiAuthenticator. However, I always warn: don’t choose the cheapest MFA you can find just because it looks good on paper. Consider total cost of ownership: support calls, user aggravation, and the potential for a breach.

Quick Take

  • Mobile Push MFA (FortiToken Mobile): Best mix of security, user experience, and cost — assuming your users have smartphones.
  • Hardware Tokens: The traditional two-factor devices are still important in high-security environments or for users without mobiles—but expensive and unwieldy.
  • SMS/Email Tokens: Useful fallbacks, but costly at scale and the weakest option on security.

Wrapping It Up

So, which one should you pick? Here is my advice: ignore marketing hype. Think about your users, your environment and, yes, your budget. For most of today’s organizations, FortiToken Mobile push with FortiAuthenticator integration is the best compromise. It makes enrollment easier, security better and users happier. And I say that having directed dozens of MFA rollouts, including some at the most sensitive banks out there.

But keep in mind there is no silver bullet. Each option has trade-offs, and layered controls are still very important. Add a pinch of good password hygiene (I’m always harping on that) and a dose of hardcore zero trust.

And hey, I just returned from DEF CON, the hacking conference with a hardware-hacking village: evidence that vulnerabilities in devices can be exploited. So don’t be complacent just because you have hardware tokens out there.

Your MFA strategy must be adaptable, practical and flexible. Don’t follow the herd just for the sake of it. Leverage tools such as FortiAuthenticator to centralize management, and keep provisioning tight.

In any case, coffee round four needs to be next on the agenda. Be careful out there, or better yet, feel free to reach out if you would like help building the kind of MFA deployment that you know works.
