It's quite common to use SMS as a second identity verification factor. A random six-digit number is sent to the user's phone using an SMS, so theoretically only the person with the correct phone will pass the verification, right? Unfortunately, the answer is no. There are multiple methods that have been proven to hack OTPs. for example, in mid-June 2018, hackers were able to hack the news and entertainment website Reddit through SMS interception. while the hackers didn't get much personal information (Reddit's incident response efforts were great), it still exposed that SMS authentication codes aren't as secure as people often assume. The text messages could be intercepted by exploiting a cellular network vulnerability. Malware installed on the victim's phone can also redirect SMS messages to the attacker's phone. Social engineering attacks on cellular operators can allow the attacker to copy a new SIM card associated with the victim's mobile phone number to receive the victim's OTP text messages. In fact, the US Institute of Standards and Technology (NIST) disapproved of the use of SMS authentication in 2016, arguing that the method was no longer a secure method of authentication. Unfortunately, however, many companies and businesses continue to rely on SMS OTP, giving users a false sense of security

The big brother of the incumbent MFA methods, hardware authentication tokens often come in the form of key cards with OTP displays, with the hardware itself protecting its internal unique key. But the drawbacks of hardware keycards are also obvious. Firstly, the user has to carry this additional device with them; secondly, it is expensive; thirdly, it requires logistical delivery; and finally, it must be replaced from time to time. Some hardware tokens require a USB connection, which can be tricky when authentication from a mobile phone or tablet is required.

Mobile tokens are to a large extent similar to hardware tokens, but are implemented through a mobile phone application. The biggest advantage of a mobile token is that the user only needs to bring a smartphone, which is now basically a necessity and many people don't forget their keys without their phone. The real problem is to examine the way the key enters the phone, the "activation process". It is not a good idea to provide all keys and credentials in a QR code, anyone who can copy your QR code will have a copy of your token.

An authentication token, stripped down from common mobile tokens and SMS verification codes, uses secure push technology for authentication and is popular with users for its increased ease of use. Unlike SMS, push messages do not contain an OTP, but instead contain encrypted information that can only be opened by a specific app on the user's phone. As a result, the user has context-sensitive information to determine if the login attempt is genuine and then quickly agrees or rejects the authentication. If consent is given, the token on the user's phone should generate an OTP which is sent back for authentication along with that consent authorisation. Not all MFA solutions do this, which also increases the risk of the push consent message being copied and forged.

While push-based tokens require a data connection from the phone, QR code-based authentication works offline, providing contextual information through the QR code itself. The user scans the QR code on the screen with a mobile authentication app and then enters the OTP generated by the app based on the key, time and contextual information. the speed and convenience experienced by the user in this process is important and is the reason why push-based and QR code-based tokens have been able to spread so quickly.