Hardware Security Key vs Authenticator App: Which MFA Method Actually Meets NIS2?
Multi-factor authentication is no longer optional under NIS2. But "MFA" is a broad term that covers everything from a six-digit SMS code to a cryptographic hardware device - and the gap in security between those two ends of the spectrum is enormous.
If you are responsible for cybersecurity compliance in a NIS2-covered organisation, the question is not simply whether you have MFA deployed. It is whether the MFA you have deployed is strong enough to satisfy the directive's risk-proportionality requirements - and whether it would hold up to scrutiny from a supervisory authority like Hungary's SZTFH or Poland's UODO.
This article compares the main MFA methods head-to-head and explains why the distinction between phishing-resistant and phishing-susceptible authentication is now a compliance question, not just a security preference.
The MFA Spectrum: From Weak to Phishing-Resistant
Not all MFA works the same way. ENISA's NIS2 Technical Implementation Guidance (June 2025) formalises this by categorising MFA methods into three tiers: "strongest," "medium," and "last resort." The critical distinction within that framework is whether the authentication method can be defeated by a real-time phishing attack. Here is how the main methods compare:
SMS One-Time Passwords (OTP)
A six-digit code sent to the user's mobile phone via text message. Widely deployed because it requires no app installation and works on any phone.
ENISA tier: Last resort. SMS OTP is interceptable via SIM swap attacks and trivially defeated by real-time phishing relay - an attacker mirrors a fake login page, relays the credentials to the real site, and then prompts the user to enter their SMS code, which the attacker also relays in real time. ENISA and most national cybersecurity agencies explicitly categorise SMS OTP as the weakest available factor. For NIS2-covered entities, relying on SMS OTP as your primary MFA for any significant system is indefensible.
Email OTP
A code sent to the user's registered email address. Functionally similar to SMS OTP in terms of user experience.
ENISA tier: Last resort. Shares the same real-time relay vulnerability as SMS. Additionally, if an attacker has already compromised the user's email account - itself a common attack vector - they gain access to both the credential reset mechanism and the OTP simultaneously. Not appropriate as a primary factor for NIS2-covered systems.
TOTP Authenticator Apps
Time-based one-time passwords generated by an app such as Google Authenticator, Authy, or Microsoft Authenticator in OTP mode. The app generates a new six-digit code every 30 seconds based on a shared secret.
ENISA tier: Medium. TOTP codes can be relayed in real time just like SMS codes. The attacker's phishing page submits the stolen code to the real site within the 30-second validity window. This attack is automated and widely deployed by ransomware affiliate groups. TOTP is meaningfully stronger than SMS (no SIM swap risk, no telecoms dependency), but it is not phishing-resistant. For high-risk access scenarios under NIS2, TOTP alone is unlikely to satisfy the risk-proportionality test - though it may be acceptable for lower-risk systems where the directive allows a medium-tier method.
Push Notification Approval
The user approves a login request by tapping a notification on their phone. Used by Microsoft Authenticator, Duo, and others in push mode.
ENISA tier: Medium. Push notifications are susceptible to two attacks. The first is real-time relay - the attacker triggers the legitimate push and the user approves it without realising it corresponds to a phishing session. The second is push fatigue - attackers send repeated push requests until an exhausted or confused user approves one. Microsoft's own guidance now recommends number matching and additional context to harden push MFA, precisely because plain push approval is insufficient. ENISA classifies push as medium-strength - acceptable for lower-risk systems, but not the "strongest" tier required for privileged and high-risk access under NIS2.
FIDO2 / WebAuthn - Hardware Security Keys
Authentication is performed using public-key cryptography. A hardware security key generates a key pair during registration: the private key is stored inside the key's secure element and never leaves the device. During authentication, the key signs a challenge that is cryptographically bound to the exact domain of the relying party.
ENISA tier: Strongest. If a user is tricked into authenticating on a phishing site, the signed response is valid only for that phishing domain - it is useless to the attacker. There is no code to intercept, no approval to relay, and no shared secret that can be stolen from a server breach. This is what phishing-resistant authentication means in technical terms, and it is why FIDO2 hardware keys represent the gold standard under NIS2.
Side-by-Side Comparison
| Method | ENISA tier | Phishing-resistant | SIM swap risk | Server breach risk | NIS2 suitability (high-risk access) |
|---|---|---|---|---|---|
| SMS OTP | Last resort | No | Yes | Low | Not recommended |
| Email OTP | Last resort | No | No | Medium | Not recommended |
| TOTP app | Medium | No | No | Low | Acceptable for lower-risk systems only |
| Push notification | Medium | No | No | Low | Acceptable for lower-risk systems only |
| FIDO2 hardware key | Strongest | Yes | No | No (private key never transmitted) | Strongly recommended |
| Platform authenticator (Windows Hello / Face ID) | Strongest | Yes | No | No | Suitable - see notes below |
What About Platform Authenticators?
Windows Hello for Business, Apple Face ID, and Android biometric authentication all use FIDO2 under the hood and are technically phishing-resistant. They sit in ENISA's "strongest" tier alongside hardware security keys, and for general staff access to standard business systems, they represent a practical and scalable option.
However, for NIS2 compliance purposes, platform authenticators have limitations that matter in enterprise contexts:
- Device-bound: The credential is tied to a specific device. If that device is lost, stolen, or wiped, the credential is gone. Recovery typically falls back to a weaker method.
- Malware exposure: On a compromised device, the biometric sensor itself can potentially be manipulated. The authentication happens in software on a device that may not be trusted.
- Shared device scenarios: Platform authenticators do not work well on shared workstations, kiosk devices, or environments where users move between machines - common in operational technology, healthcare, and manufacturing contexts.
- Privileged access: For administrator accounts, privileged access workstations, or access to critical infrastructure systems, the additional assurance of a dedicated hardware device with a separate secure element is strongly preferable.
The practical position for most NIS2-covered organisations: platform authenticators are appropriate for general staff on managed, single-user devices. For privileged users, remote access, and critical system access, a hardware security key provides the higher assurance level that the directive's risk-proportionality framework calls for.
Which YubiKey for Which Use Case?
The right hardware security key depends on the device environment and user role. Here is how Trust Panda recommends mapping them to NIS2 deployment scenarios:
YubiKey 5 Series
The enterprise workhorse. Supports FIDO2, WebAuthn, smart card (PIV), TOTP, and OpenPGP - meaning it works across both modern FIDO2-enabled platforms and legacy systems that require smart card or OTP-based authentication. Available in USB-A, USB-C, NFC, Lightning, and nano form factors.
Best for: IT administrators, privileged users, remote workers, mixed device environments (Windows, macOS, iOS, Android), and organisations with a mix of modern and legacy identity infrastructure.
YubiKey Bio Series
Adds on-device fingerprint verification to FIDO2 authentication. The biometric check happens inside the key itself - no fingerprint data is ever transmitted or stored on a server. Supports FIDO2 and WebAuthn; does not support PIV or OTP.
Best for: Environments where PIN entry is impractical (shared workstations, clinical settings, operational environments), and where biometric user verification adds a meaningful layer to the access control policy.
Security Key Series by Yubico
A FIDO2 and WebAuthn-only key at a lower unit cost than the YubiKey 5 Series. Does not support PIV, OTP, or OpenPGP. Straightforward to deploy at scale.
Best for: General staff in NIS2-covered organisations where a modern identity platform (Microsoft Entra ID, Okta, Google Workspace) is in place and legacy protocol support is not required. The most cost-effective route to phishing-resistant MFA across a large user base.
Deploying Hardware MFA for NIS2: Where to Start
A full organisation-wide deployment does not need to happen in one step. NIS2's risk-proportionality framework actually supports a tiered approach - and starting with the highest-risk users delivers the greatest immediate reduction in exposure.
A practical sequencing for Central European organisations:
- Privileged administrators and IT staff - immediately. These are your highest-value targets and the most likely entry point for a serious breach. YubiKey 5 Series, with a backup key registered per user.
- Remote workers with access to sensitive systems - as a priority in the first wave. Remote access is consistently the most exploited attack surface. NFC-capable keys (YubiKey 5 NFC, YubiKey 5C NFC) cover both laptop and mobile use.
- C-suite and senior leadership - high-value targets that are frequently overlooked in phased rollouts. Same recommendation as administrators.
- General staff - broader rollout using Security Key Series where legacy protocol support is not required.
For organisations deploying across multiple locations in Hungary, Czech Republic, Poland, or elsewhere in the region, Trust Panda offers volume pricing and can advise on deployment logistics. Get in touch with our team to discuss your requirements.
The Compliance Case in Plain Language
If your organisation is subject to NIS2 and you are currently relying on SMS OTP, email OTP, or TOTP authenticator apps as your primary MFA for privileged or sensitive access, you have a gap. Not necessarily a gap that will result in immediate enforcement action, but a gap that is difficult to justify under the directive's risk-based framework - particularly if you experience a breach that exploits it.
For Hungarian organisations specifically, the first mandatory cybersecurity audit deadline is 30 June 2026 - and authentication controls will be a core audit item. That timeline is close enough that MFA remediation should already be in motion, not on a future roadmap.
The good news is that the remediation is straightforward. FIDO2 hardware security keys work with the identity platforms most organisations already have in place. There is no infrastructure overhaul required. Rollout is a logistics and change management exercise, not a technical one.
The NIS2 Article 21 authentication requirements article on this blog covers the regulatory detail in depth if you want to understand exactly where the directive draws the line.
Summary
- ENISA's NIS2 Technical Implementation Guidance (June 2025) formally ranks MFA into three tiers: strongest, medium, and last resort
- SMS OTP and email OTP are "last resort" - not appropriate for any significant NIS2-covered system
- TOTP apps and push notifications are "medium" - acceptable for lower-risk systems, but insufficient for privileged or high-risk access
- FIDO2 hardware security keys and platform authenticators (Windows Hello, Face ID) are "strongest" - phishing-resistant by cryptographic design
- For NIS2 high-risk access scenarios, hardware security keys provide stronger assurance than platform authenticators: private keys cannot be exported, malware cannot extract them, and they work across shared and mixed device environments
- A tiered deployment - administrators and privileged users first - is the most practical approach to NIS2 MFA compliance
- Hungarian organisations face a first audit deadline of 30 June 2026 - authentication controls are a core audit item
About the author: Attila Pozsonyi leads Trust Panda's operations across Central and Eastern Europe, heading our Yubico-certified team. With deep expertise in NIS2 compliance and identity security across the Hungarian and wider CEE market, Attila works directly with organisations navigating the transition to phishing-resistant authentication. Get in touch with Attila's team to discuss your NIS2 readiness.
