MFA strength: SMS (weakest — SIM swapping), TOTP authenticator apps (medium), push notifications (medium — MFA fatigue attacks), hardware keys/FIDO2 (strongest — phishing-resistant).
FIDO2/WebAuthn hardware keys are the only phishing-resistant MFA because they verify the site's origin before responding. SMS is better than nothing but weak. MFA fatigue: an attacker triggers repeated push notifications, hoping the victim approves one by accident. Require number matching in push MFA.