MFA/2FA Comparison of Google’s Two-Factor Authentication Options

When choosing a Google MFA/2FA option, users should consider their technical ability, security needs, and convenience preferences. (For table view, click here.)

• USB (hardware) security keys provide a high level of protection but come at a cost, and loss or theft could prevent the user from accessing their account. Please see Critical Hardware Key Information if choosing this option.
• The Google Authenticator app and Google Prompt offer better security but depend on mobile devices. 
• Backup codes serve as a reliable fallback option but require careful management.  
• Passkeys enhance security and convenience with encryption and biometrics but create device dependency and may challenge less tech-savvy users.
• It is strongly recommended to set up more than one authentication option.

1. Google Authenticator

Google Authenticator generates time-based codes.

Tools Needed:

• Phone: Smartphone or iPad | Google Authenticator
• Hardware Key: Could be used as a backup option
• Computer: Could use as a backup option | Authenticator application
• Printed Code: Could be used as a backup option

Pros:

• Increased security: Generates time-based one-time passwords that are more secure than SMS 
• Fast and simple to use
• Offline functionality: It does not require an internet connection

Cons:

• Requires a smartphone
• Device dependency – No access if the device isn’t available unless an alternate option is set up

More Information:

• Enabling Google Authenticator

2. Backup Codes

One-time use codes

Tools Needed:

• Phone: Authenticator application
• Hardware Key: Could be used as a backup option
• Computer: Could use as a backup option | Authenticator application
• Printed Code: Pre-generated codes from your Google account

Pros:

• Offline availability: Can be stored securely offline, reducing the risk of online theft
• Emergency access: Can regain access to your account if you lose your primary 2FA device

Cons:

• Physical security risks – Printed backup codes can be lost, stolen, or accidentally exposed
• One-time use – Each code can only be used once
• Must keep codes with you

More Information:

• How to Create Backup Codes

3. Google Prompts

Notifications sent to your phone requiring a simple tap to approve.

Tools Needed:

• Phone: Smartphone | Google apps or Google services enabled.
• Hardware Key: Could be used as a backup option.
• Computer: Could use as a backup option | Authenticator application.
• Printed Code: Could use as a backup option.

Pros:

• Security: If someone knows your password, they can’t access your account without approval from your device
• Convenience:  Account access requires approval from your trusted device

Cons:

• Connection-dependent: Users must have an active data connection to receive prompts
• Device dependency: No access if the device isn’t available unless an alternate option has been set

More Information:

• How to Enable Google Prompts

4. Hardware Security Key

Physical USB device you must have with you. The setup needs to be done in person with IT.

Tools Needed:

• Phone: Could use as a backup option | Authenticator Application
• Hardware Key: Physical USB security key
• Computer: Could use as a backup option | Authenticator application
• Authenticator application: Could be used as a backup option

Pros:

• High Security Level: It offers robust protection against phishing and other attacks by requiring a physical key
• Multi-Device Use: Usable across various accounts and devices without a phone

Cons:

• Costly Investment: Prices range from $20 to $50 each
• Physical Loss Risk: No access if the device isn’t available unless an alternate option has been set
• The setup needs to be done in person with IT. Please submit an IT service ticket to set an appointment

More Information:

• More on Hardware Keys
• Critical Hardware Key Info

5. Passkey

Utilizes biometric options such as fingerprints or facial recognition or device-specific security like PINs or screen locks

Tools Needed:

• Phone: iOS 16+ | Android 9+ (as of 1/6/25) | Devices must support biometrics | Current Web Browser
• Hardware Key: Could be used as a backup option
• Computer: Minimum OS requirements – Windows 10 | macOS Ventura | ChromeOS 109 (as of 1/6/25)
• Printed Code: Could use as a backup option.

Pros:

• Enhanced Security: Provides a secure login without passwords. Uses two keys: a private key on the device and a public key shared with Google, making it hard for hackers to steal information.
• User Convenience: Allows login with biometrics, eliminating the need for complex passwords and simplifying login.
• Phishing Resistance: Since passkeys aren’t sent as plaintext and are device-specific, they lower the risk of phishing attacks.

Cons:

• Device Dependency: If a phone is lost or damaged, there is no access to the account without pre-set backup codes.
• Limited Support for Older Devices: Users with older devices will be unable to use passkeys.
• Potential Vulnerabilities: If an attacker gains access to a user’s device, they could potentially compromise all linked accounts.
• Time-consuming and complicated to set up: IT can help with setup.

More Information:

• How to Set Up a Passkey

Related Articles

MultiFactor Authentication Overview

Hardware Keys for MFA/2FA

ctcLink - Multi-Factor Authentication (MFA)