Comparing Enterprise MFA Strategies: Hardware Keys vs SMS vs Push During Large-Scale Outages

theidentity
2026-02-15
10 min read

Compare hardware keys, SMS, and push for enterprise MFA resilience during large outages. Practical, vendor-neutral guidance for 2026.

Your users need to authenticate even when AWS, Cloudflare, or a major carrier is on fire. As an identity engineer or IT leader, you must prevent account takeover while keeping access available during large-scale incidents. This article compares three common enterprise MFA channels—hardware keys (FIDO2/passkeys), SMS, and push notifications—and gives practical, vendor-neutral guidance for designing outage-resilient MFA in 2026.

Executive summary — what to act on first

  • Primary recommendation: Make phishing-resistant, offline-capable authentication (FIDO2/hardware keys or passkeys) the default for admins and high-risk users.
  • Secondary layers: Use TOTP (local authenticator apps) as the primary fallback for normal users; reserve SMS only for controlled emergency fallback scenarios.
  • Push notifications: Provide only when you can architect redundancy (multi-cloud push routing or vendor push fallback) and accept that push depends on cloud push services and the IdP’s availability.
  • Outage readiness: Maintain break-glass accounts, recovery codes, redundant device provisioning, and run regular outage drills (chaos testing your auth flows).

Why outage resilience now matters (2025–2026 context)

Large-scale outages remain frequent through late 2025 and into 2026: Cloudflare and AWS incidents in January 2026 showed how quickly large swaths of web infrastructure can become unavailable and cascade across services. When that happens, authentication flows that depend on a single cloud provider or on third-party push/APNs/FCM services may fail, locking users out or forcing insecure fallbacks. Financial institutions and regulated enterprises are also under pressure: recent studies (2025–2026) highlight how identity gaps lead to systemic risk and large fraud losses, increasing regulatory scrutiny for strong, resilient MFA.

Channel-by-channel analysis: security, availability, and outage behaviour

1. Hardware keys (FIDO2 / passkeys)

Hardware keys that implement FIDO2/WebAuthn or platform passkeys deliver the strongest phishing resistance and are increasingly supported across browsers and platforms in 2026. They can be USB-A/USB-C/NFC/Bluetooth or platform-bound passkeys stored in OS credential vaults.

  • Security: Excellent — phishing-resistant, private-key never leaves device, strong crypto.
  • Availability during outages: Very good — offline-capable for many flows. USB/NFC/OS passkeys do not rely on third-party push gateways, and WebAuthn can authenticate a user without contacting external push services; however, the IdP/backend must still be reachable to exchange tokens.
  • Failure modes: Lost keys, device theft, user onboarding friction, and dependency on the IdP’s token endpoint (if the IdP is down, a WebAuthn assertion can’t mint tokens).
  • Recovery options: Secondary hardware keys, platform passkeys, emergency codes, helpdesk-assisted key enrollment, and secure identity verification flows for lost-key recovery.
  • Operational cost: Moderate—device procurement, distribution, and helpdesk processes.

2. SMS

SMS has been widely used because of ubiquity, but by 2026 it is widely regarded as insufficient for high-security contexts due to SIM swap, SS7 signaling/routing risks, and interception attacks. SMS can still play a role in emergency fallback when better options aren’t usable, but only with strict controls.

  • Security: Low–medium. Susceptible to SIM swap, carrier infrastructure attacks, and social engineering. Not phishing-resistant.
  • Availability during outages: Mixed. SMS delivery depends on carrier networks, which may be more robust than a single cloud region. However, SMS vendors and cloud SMS gateways can be affected by provider outages or congested networks during large incidents.
  • Failure modes: Carrier outages, number porting delays, rate limits from SMS gateway providers, and last-mile congestion during major events.
  • Recovery options: Strictly controlled — time-limited, limited-use SMS fallback codes, transactional alerts rather than persistent auth, and aggressive monitoring for SIM swap indicators.
  • Operational cost: Low per-message costs but hidden costs in fraud remediation and compliance risk.

3. Push notifications (IdP push to authenticator apps)

Push-based MFA offers excellent UX—one-tap approval from an authenticator app—but it introduces a dependency chain: your IdP, push gateway (APNs/FCM), and sometimes CDN or edge providers. In 2026 most large IdPs use a combination of in-house push routing and cloud services. Outages hitting any of those components can break push flows.

  • Security: Medium–high. Good resistance to credential theft if combined with device binding and contextual signals, but vulnerable to push fatigue and confirmation phishing unless the app displays transaction details.
  • Availability during outages: Variable. Dependent on cloud providers and mobile push infrastructure — outages in Cloudflare/AWS/APNs or an IdP can disable push en masse.
  • Failure modes: Push gateways down (APNs/FCM), IdP backend outage, misconfigured push tokens, and mobile OS notification service problems.
  • Recovery options: Local TOTP fallback, alternative push routing, or device-based biometric fallback for certain low-risk flows.
  • Operational cost: Moderate. Good UX reduces helpdesk tickets, but redundancy engineering costs add up.

Outage taxonomy: how MFA channels fail when infrastructure fails

Not all outages are created equal. Build policies and runbooks around the most likely failure classes you’ll face in 2026.

  1. IdP SaaS outage: If the identity provider is down (service region or global), any channel that requires IdP interaction for token minting will be impacted. Hardware keys still produce local assertions, but tokens cannot be minted unless your systems accept cached assertions or offline tokens.
  2. Push gateway/APNs/FCM outage: Push notifications cease. Authenticator apps relying solely on push are blocked until push services recover, unless the app also supports TOTP or WebAuthn.
  3. Cloud network/CDN outage (Cloudflare): If your web endpoints or SSO pages are routed through the same CDN that’s down, users can’t reach the login interface—even if authentication primitives are local. Avoid coupling your SSO UX to a single CDN/edge provider without alternate routing.
  4. Carrier or SMS gateway outage: SMS messages are delayed or dropped—this is common during disasters or when SMS vendors throttle traffic.

Practical design patterns for outage-resilient enterprise MFA

The right enterprise strategy uses layered defenses, explicit fallbacks, and tested recovery procedures. Below are actionable patterns you can implement this quarter.

1. Default to phishing-resistant methods for high-risk identities

  • Require FIDO2/passkeys for administrators, privileged roles, and high-value user populations (finance, ops).
  • Disallow SMS as a primary method for high-risk sign-ins; use it only for constrained emergency workflows with monitoring.

2. Use TOTP (offline authenticators) as the standard fallback

TOTP apps (Google Authenticator, Microsoft Authenticator, etc.) generate codes locally and do not depend on push gateways or SMS. In outage scenarios they are often the most reliable fallback for general users.

3. Maintain multiple recovery factors and pre-provisioned backup devices

  • Require users to register at least two independent FIDO2 devices or one FIDO2 plus a TOTP seed.
  • Distribute emergency recovery codes and ensure they are single use and revocable.

4. Implement tiered authentication policies

  • Low-risk flow: allow password + TOTP.
  • Medium-risk operations: password + push or TOTP + device posture check.
  • High-risk actions: require FIDO2 or step-up via out-of-band verified session (e.g., in-person or verified video KYC for admin re-provisioning).

5. Architect push redundancy and avoid single-provider chokepoints

If you rely on push, implement multi-path push routing where possible: multiple push gateway integrations, vendor fallback, or a design that allows the authenticator app to fall back to local TOTP when push fails. Avoid coupling your SSO UX to a single CDN/edge provider without alternate routing.

6. Build break-glass accounts and emergency access procedures

  • Maintain a small set of break-glass accounts that use pre-provisioned hardware keys and are kept offline until needed.
  • Document and rehearse the process for supervised helpdesk-assisted access, including logging, approvals, and post-incident audits.

7. Test with outage and chaos engineering

Run periodic drills simulating IdP, push gateway, CDN, and carrier failures. Measure mean time to recovery for authentication and verify end-to-end user access. Include helpdesk in the drills and refine scripts and automation. Use network and service signals from observability tooling to catch cascading failures early.

Vendor selection checklist (MFA & IdP)

Use this checklist when evaluating IdPs and MFA vendors in 2026. These are specific, technical criteria that matter for outage resilience and enterprise operations.

  • Standards support: WebAuthn/FIDO2 and passkey support, OIDC, SAML, and SCIM for provisioning.
  • Offline-capable flows: ability to accept WebAuthn assertions without external push dependencies.
  • Push routing redundancy: multi-region and multi-provider push gateway designs, and clear SLAs for push delivery.
  • SMS risk controls: built-in SIM-swap detection, fraud scoring, and rate limiting.
  • Admin break-glass tooling: audited emergency access workflows and revocation capabilities.
  • Observability: detailed metrics for MFA success/failure by channel, error taxonomy, and real-time alerts for unusual failures.
  • Dependency transparency: vendors should disclose third-party dependencies (APNs/FCM/CDNs) and provide recovery guidance.
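The per-channel success/failure metrics and error taxonomy in the checklist above, and the drill measurements in pattern 7, are easiest to reason about with a concrete detector. This is an added example, not the page's or any vendor's code: it tallies constructed IdP MFA log lines per channel and flags a channel whose failure rate over a minimum volume points at a channel outage (push gateway timeouts across many users) rather than user error (scattered bad TOTP codes). The log format, reason names and thresholds are assumptions.

```go
package main

import "strings"

// Constructed sample of IdP MFA events ("time channel result reason"); not real log data.
const sampleLog = `2026-01-25T09:00:01Z push success ok
2026-01-25T09:00:02Z push failure gateway_timeout
2026-01-25T09:00:03Z totp failure bad_code
2026-01-25T09:00:04Z push failure gateway_timeout
2026-01-25T09:00:05Z totp success ok
2026-01-25T09:00:06Z push failure gateway_timeout`

// ChannelStats is the per-channel tally: attempts, failures, and failures by reason.
type ChannelStats struct {
	Total, Failures int
	Reasons         map[string]int // the error taxonomy the vendor checklist asks for
}

// ParseMFALog tallies attempts, failures and failure reasons per channel.
func ParseMFALog(log string) map[string]*ChannelStats {
	stats := map[string]*ChannelStats{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // malformed line: skip it, never crash the detector
		}
		if stats[f[1]] == nil {
			stats[f[1]] = &ChannelStats{Reasons: map[string]int{}}
		}
		s := stats[f[1]]
		s.Total++
		if f[2] == "failure" {
			s.Failures++
			s.Reasons[f[3]]++
		}
	}
	return stats
}

// OutageCandidates keeps channels whose failure rate exceeds maxRate over at least minEvents attempts;
// a dominant infrastructure reason (gateway_timeout across many users) then signals a channel outage.
func OutageCandidates(stats map[string]*ChannelStats, minEvents int, maxRate float64) map[string]*ChannelStats {
	out := map[string]*ChannelStats{}
	for ch, s := range stats {
		if s.Total >= minEvents && float64(s.Failures)/float64(s.Total) > maxRate {
			out[ch] = s
		}
	}
	return out
}
```

In a drill, the same function run over the drill window gives the per-channel numbers to compare against the MTTR you measured.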

Operational runbook checklist — immediate actions your SOC/IT should implement

  1. Inventory MFA channels and dependencies per user population. Map which IdP endpoints, push gateways, and CDNs each flow uses.
  2. Assign critical roles that require passkeys/hardware keys and enforce through policy.
  3. Provision backup credentials (secondary key or authenticator seed) for 100% of privileged users.
  4. Create and test break-glass keys stored in a secure, tamper-evident vault with dual custody.
  5. Configure IdP policies: allow offline TOTP when push fails; block password-only admin access.
  6. Run monthly simulated outages for at least one critical flow and measure MTTR for authentication failures.

Developer guidance: how to integrate robustly

Developers should adopt standards, avoid brittle custom flows, and design for partial-system failure.

  • Implement WebAuthn for web and platform passkeys for mobile apps. Use standard SDKs rather than custom crypto code.
  • Design your token issuance to accept locally validated assertions if feasible — for example, accept signed WebAuthn assertions with short-lived local tokens when the IdP cannot be reached, combined with strict session limits and risk checks.
  • For push, build graceful degradation: the app should fall back to local TOTP and display clear UI explaining why push failed.
  • Enroll multiple credentials per user through a simple self-service flow to reduce helpdesk load during incidents.
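The second bullet above (accept a signed WebAuthn assertion locally and mint a short-lived token when the IdP is unreachable) is shown below as an added example; it is not the page's or any IdP's code. It verifies the assertion the way a relying party does, checking the rpIdHash, the user-presence flag, the ECDSA P-256 signature over authenticatorData || SHA-256(clientDataJSON), and a monotonic sign counter, then returns a 15-minute session expiry instead of a long-lived token. The key generation and SimulateAuthenticator stand in for a real hardware key; the rpID, the session lifetime and the constructed clientDataJSON are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Credential is what the relying party stored at enrollment.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32 // last counter seen; a non-increasing value means replay or a cloned key
}

// NewDeviceKey is a constructed stand-in for the key a real authenticator keeps in hardware.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// signedMessage is what a FIDO2 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cd := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cd[:]...))
	return msg[:]
}

// VerifyAssertion checks length, rpIdHash, user-presence flag, signature and counter locally, then returns the expiry of a deliberately short offline session.
func VerifyAssertion(c *Credential, rpID string, authData, clientDataJSON, sig []byte, now time.Time) (time.Time, error) {
	if want := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0 {
		return time.Time{}, errors.New("authenticatorData rejected: length, rpIdHash or user-presence flag")
	}
	if !ecdsa.VerifyASN1(c.PubKey, signedMessage(authData, clientDataJSON), sig) {
		return time.Time{}, errors.New("invalid signature")
	}
	if count := binary.BigEndian.Uint32(authData[33:37]); count != 0 && count <= c.SignCount {
		return time.Time{}, errors.New("sign counter did not increase: replayed assertion or cloned key")
	}
	c.SignCount = binary.BigEndian.Uint32(authData[33:37])
	return now.Add(15 * time.Minute), nil // strict session limit while the IdP is unreachable
}

// SimulateAuthenticator mimics a hardware key (constructed): builds authenticatorData (rpIdHash || flags || counter) and signs it.
func SimulateAuthenticator(priv *ecdsa.PrivateKey, rpID string, count uint32, clientDataJSON []byte) ([]byte, []byte, error) {
	h := sha256.Sum256([]byte(rpID))
	authData := binary.BigEndian.AppendUint32(append(h[:], 0x01), count) // flags byte: UP set
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}
```

A production relying party would additionally check the challenge and origin inside clientDataJSON and apply the risk checks the bullet mentions before minting the session.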

Cost & adoption tradeoffs: planning a phased rollout

Cost, user friction, and security goals determine how you phase MFA changes.

  1. Phase 1 — pilot with privileged users: deploy hardware keys/passkeys for admins and critical ops teams.
  2. Phase 2 — broader rollout: enable platform passkeys and make TOTP the default fallback to push for the general user base.
  3. Phase 3 — retirement or restriction of SMS: keep SMS only as an emergency channel with strict monitoring and approved exceptions.

The trend toward passkey adoption accelerated through 2025 and continued in 2026 as browsers and OSes standardized behavior. Regulators are pushing for phishing-resistant MFA in sectors like finance and healthcare. Expect more enterprises to require FIDO2 for high-risk users and to invest in multi-path push routing and stronger recovery tooling. Decentralized identity (DID) experiments are maturing but are not yet a drop-in replacement for corporate SSO in most enterprises.

“Design MFA assuming a major provider will be unavailable for minutes to hours — not days — and build rapid, secure fallbacks.”

Quick actionable checklist (start this week)

  • Identify your critical user groups and require FIDO2 for them.
  • Ensure all users have at least one offline TOTP option registered.
  • Provision backup hardware keys for the top 5% of privileged users and store break-glass keys securely.
  • Run a simulated IdP or CDN outage and test user sign-in and support workflows.
  • Update your incident runbooks to include MFA failure modes and recovery steps.

Final recommendation: a practical, resilient MFA architecture

For most enterprises in 2026 the pragmatic architecture is layered: require FIDO2/passkeys for high-risk users, use TOTP as the standard fallback for general users, and treat push as an enhanced UX option that must have redundant routing. Keep SMS as a tightly controlled emergency fallback only when other offline options are unavailable. Document and rehearse recovery and break-glass operations, and select vendors that expose their dependency maps and support redundancy.

Call to action

Need a tested, vendor-neutral MFA resilience plan? Download our 2026 MFA Outage Resilience Checklist and run a 30-day pilot targeting your most critical users. If you’d like, we can review your current architecture and provide a prioritized remediation plan tailored to your IdP, compliance regime, and operational constraints.
