It’s Time to Ditch Authentication Apps: Why Hardware-Based MFA is the Future

By Ruarri Fairweather
Published: June 25, 2025

Introduction

Cybersecurity threats continue to evolve at speed—and so must the defences we rely on to protect against them. Multi-factor authentication is highly recommended, but how you implement it matters. While multi-factor authentication (MFA) and two-factor authentication (2FA) apps have become standard in safeguarding business systems, they are increasingly proving insufficient in the face of modern cyber threats.

In this article, we explore why hardware-based authentication (such as YubiKeys) is becoming a critical next step for organisations that want to stay ahead of phishing, SIM-swap attacks, and credential theft. We outline the shortcomings of authentication apps, and the practical considerations for transitioning to hardware-based authentication devices.

The Vulnerability of MFA/2FA Apps

Summary

Most organisations rely on app-based or SMS-delivered MFA/2FA (such as Google Authenticator, Microsoft Authenticator, or SMS codes) to secure access. While this method is better than password-only protection, it is still vulnerable to:

  • Phishing and social engineering attacks.
  • Malware or device compromise.
  • SIM-swapping and man-in-the-middle attacks.

As attackers grow more sophisticated, even tech-savvy users are being tricked into sharing codes or unknowingly approving push notifications.

There’s also a very practical downside: if a user loses their phone or replaces it without securely backing up recovery codes for every account, they can be locked out entirely. This often leads to avoidable IT support requests, lost productivity, and frustrated users—especially in high-urgency moments like travel, incident response, or project deadlines.

Who is impacted?

Any organisation using app-based MFA—particularly those in sectors with high compliance obligations, sensitive data, or distributed teams.

Potential level of impact

High – The illusion of safety from MFA apps can result in overconfidence, increasing risk exposure if not updated.

Actions

Some practical considerations for your action plan:

  • Audit current MFA/2FA usage across the organisation—identify who’s using app-based methods and for what systems.
  • Identify high-risk user roles (e.g., executives, IT admins, finance) for priority migration to hardware MFA.
  • Begin testing and piloting hardware keys such as YubiKeys with a subset of users.
  • Develop internal policy on MFA standards and preferred devices moving forward.

The Case for Hardware-Based Authentication

Summary

Hardware security keys provide phishing-resistant MFA by using public-key cryptography to verify login attempts. These keys require the user’s physical presence and can’t be phished, replayed, or copied.
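To make the phishing-resistance claim concrete, here is an added example (not code from the original article) in Go: a simplified model of how a FIDO2/WebAuthn-style security key signs a fresh server challenge together with the origin reported by the browser, so an assertion captured on a lookalike domain cannot be relayed to the real site. The origin names and the challenge are constructed placeholders, and the signed message omits WebAuthn's flags and counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the relying party stores after registration: the public key.
type Credential struct{ Pub *ecdsa.PublicKey }

// Authenticator models the hardware key; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, Credential) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader failure not expected in this demo
	return &Authenticator{k}, Credential{&k.PublicKey}
}

// signedMessage binds origin and challenge, modelled on WebAuthn's rpIdHash || sha256(clientData).
func signedMessage(origin string, challenge []byte) []byte {
	rpIDHash := sha256.Sum256([]byte(origin))
	clientHash := sha256.Sum256(challenge)
	h := sha256.Sum256(append(rpIDHash[:], clientHash[:]...))
	return h[:]
}

// Assert signs for the origin the browser reports (never typed by the user), so a
// lookalike domain only ever receives a signature that is valid for that domain.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(origin, challenge))
	return sig
}

// Verify recomputes the message with the relying party's own origin and the challenge
// it issued; a relayed (wrong origin) or replayed (stale challenge) assertion fails.
func (c Credential) Verify(myOrigin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, signedMessage(myOrigin, challenge), sig)
}

func main() {
	auth, cred := NewAuthenticator()
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per-login challenge issued by the relying party
	fmt.Println("genuine login verifies:", cred.Verify("login.example", challenge, auth.Assert("login.example", challenge)))
	fmt.Println("relayed phishing assertion verifies:", cred.Verify("login.example", challenge, auth.Assert("login-example.com", challenge)))
}
```

Contrast this with a TOTP code, which carries no origin at all: the same six digits are equally valid whether the user types them into the real site or into a proxy the attacker controls.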

Leading companies like Google and Microsoft have adopted security keys internally, reducing account takeovers to nearly zero. Government agencies and regulators globally have also signalled support for stronger authentication frameworks that include hardware options.

Who is impacted?

Organisations handling sensitive data or under pressure to improve cyber resilience—including financial institutions, SaaS providers, critical infrastructure operators, and professional services firms.

Potential level of impact

Medium to High – The benefits of improved security and reduced support costs are significant—particularly for organisations with distributed or remote workforces.

Actions

  • Select a vendor (e.g. Yubico) based on compatibility with your infrastructure (SSO, email systems, VPNs, etc.).
  • Develop a rollout plan that includes communications, training, and support for staff.
  • Update your access and incident response policies to reflect new hardware authentication processes.
  • Integrate key management into employee onboarding/offboarding processes.

Legal, Compliance and Insurance Implications

Summary

As ransomware and cyber extortion continue to rise, so do the expectations of regulators, insurers, and partners. In some industries, failure to implement phishing-resistant MFA may be viewed as a failure to meet reasonable security standards—potentially increasing legal exposure.

Cyber insurers increasingly view security keys as a minimum standard for privileged access protection. Regulatory trends (such as the U.S. executive order on zero-trust security or the Essential Eight Maturity Model in Australia) also encourage or require phishing-resistant MFA for critical systems.

Who is impacted?

Organisations seeking cyber insurance or subject to heightened regulatory scrutiny.

Potential level of impact

High

Actions

  • Review your cyber insurance policy and renewal conditions—does it specify MFA requirements?
  • Work with legal/compliance teams to evaluate obligations under local or industry-specific cybersecurity frameworks.
  • Consider how adopting security keys may demonstrate diligence in audits or investigations.

Making the Move: Transition Strategy and Culture Shift

Summary

Switching from apps to hardware authentication isn’t just a technical change—it requires internal alignment, stakeholder buy-in, and a clear transition plan. While initial costs may seem high, they are far outweighed by the reduced risk of breach and long-term administrative savings.

Who is impacted?

Everyone with access to sensitive systems—especially IT, security, and leadership teams.

Potential level of impact

Medium

Actions

Some practical considerations for your action plan:

  • Establish internal champions or pilot groups to test and advocate for the rollout.
  • Train users on why the change is being made, how to use the hardware, and how it enhances security.
  • Prepare a backup and recovery process in case devices are lost or damaged.
  • Consider funding or subsidies for BYO key models if working with contractors or distributed teams.

What Next?

Cyber threats aren’t standing still, and neither should your security approach. App-based MFA was once a major step forward—but in a world of targeted phishing and credential compromise, it’s time to evolve. Moving to hardware-based authentication isn’t just a security upgrade—it’s a strategic decision to protect your people, your data, and your reputation.

Getting Help

We help organisations move from legacy MFA tools to modern, hardware-backed identity solutions. Whether you’re just exploring the space, looking to pilot devices, or need a full rollout strategy, we’re ready to support you.

Let’s talk about what comes next.
