Should you build or buy Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) software requires users to verify their identity with at least two factors — typically something they know (password), something they have (phone or hardware key), or something they are (biometric). It covers TOTP codes, push notifications, FIDO2/WebAuthn hardware keys, SMS OTP, and adaptive risk-based authentication that adjusts requirements based on context.
The build-vs-buy decision for MFA turns on two questions: whether MFA is the right boundary to evaluate at all, or whether the decision belongs at the identity platform level; and how the commodity pricing of commercial MFA compares against the operational overhead of self-hosting an open-source alternative. The specifics of each organization decide it.
- Domain: Security & Compliance
- Function: Engineering, IT & AI
- Industries: Cross-industry
Last assessed June 2026 · re-scored quarterly via The Continuum.
Build it, buy it, or bridge?
| | Build it | Buy it | Bridge (buy, then extend) |
|---|---|---|---|
| Cost shape | OSS platforms free; engineering time dominates; 71% of in-house builds miss launch by 90+ days | $2-6/user/month; bundled free in Microsoft Entra for most M365 customers | OSS for primary TOTP/WebAuthn; commercial for adaptive risk layer |
| Time to value | Weeks for basic TOTP; months for full adaptive risk with hardware key support | Days for standard push/TOTP; hardware key enrollment immediate | Core MFA running fast; layer adaptive risk over weeks |
| Differentiation captured | None; pure security utility invisible to customers and partners | Compliance documentation, adaptive risk intelligence, and vendor accountability | Own core auth flows; buy advanced behavioral analysis |
| AI feasibility today | Keycloak, Authentik, ZITADEL, privacyIDEA all documented production MFA infrastructure | Vendors absorb FIDO2, passkey, and WebAuthn evolution automatically | OSS for primary methods; vendor for evolving hardware key standards |
| Who it fits | Privacy-focused or developer-led orgs self-hosting the full identity stack | Most organizations, especially those already in Microsoft or Cisco ecosystems | Teams extending OSS identity with commercial behavioral analytics |
When building Multi-Factor Authentication (MFA) makes sense
Building your own MFA infrastructure makes sense primarily as part of a broader decision to self-host your identity platform rather than as a standalone MFA choice. Platforms like Keycloak, Authentik, ZITADEL, and privacyIDEA are all in documented production as full MFA infrastructure, covering TOTP, WebAuthn, push authentication, SMS OTP, and hardware keys. For organizations with strict data-residency requirements or those that have already decided to run their own IdP, MFA comes along naturally. The case gets weaker when evaluated in isolation: independent analysis consistently shows that in-house authentication projects miss deadlines, frequently ship reduced scope, and the total cost of engineering the platform often exceeds what commercial tools charge. The more interesting engineering question in this category is usually adaptive risk logic — determining when to step up authentication based on behavioral signals — which is where custom work genuinely differentiates.
When buying Multi-Factor Authentication (MFA) makes sense
Buying MFA is the sensible default for most organizations because the commodity tier of the market is very cheap or free. Microsoft Authenticator is bundled into Entra ID at no additional cost for most Microsoft customers. Duo provides predictable per-user pricing with solid compliance documentation. Yubico hardware keys sit outside the software question entirely. The economics strongly favor buying: independent research shows the total cost of a well-engineered CIAM platform undercuts the engineering time it would replace, and 38% of in-house authentication projects ship reduced scope. The more meaningful question for most teams is whether MFA should be evaluated at all as a separate decision, or whether it should simply be part of the identity platform choice — because once you've decided on Entra ID or Okta, MFA is a configuration decision, not a procurement one.
MFA is deep in commodity territory. Microsoft Authenticator is bundled into Entra ID at no additional cost for most Microsoft customers. Duo sits at a predictable per-user price. The open-source alternatives, Keycloak, Authentik, ZITADEL, and privacyIDEA, cover TOTP, WebAuthn, hardware keys, and push authentication in documented production deployments. Self-hosting one of these is a legitimate choice for privacy-sensitive or developer-focused organizations.
The build case is weakest on pure economics. Independent analysis consistently shows that in-house authentication projects miss their launch dates and frequently ship reduced scope, and the total cost of a well-engineered CIAM platform undercuts the cost of the engineering time it replaces. The more interesting question is whether MFA is even the right boundary to evaluate: for most organizations, MFA is inseparable from SSO policy and adaptive risk logic, and the decision should be made at the identity platform level rather than the MFA feature level. Yubico hardware keys and RSA SecurID sit outside that question entirely.
Representative vendors
B4 Pro
Get B4's actual call on Multi-Factor Authentication (MFA)
- → B4's call for Multi-Factor Authentication (MFA): Build, Buy, Bridge, or Beware
- → The five-dimension scorecard and the scoring rationale
- → All 5 vendors with pricing and positioning
- → Quarterly re-scores that feed the MCP live, so your agents always query the current call
- → MCP server plus API and SDK access, and CSV/JSON export
Prefer to read first? The book covers the framework end to end.
Frequently asked
- What is Multi-Factor Authentication (MFA)?
- MFA software requires users to verify their identity with at least two factors — typically a password plus a phone or hardware key. It covers TOTP codes, push notifications, FIDO2/WebAuthn hardware keys, SMS OTP, and adaptive risk-based authentication that adjusts requirements based on context.
- When does building MFA make sense?
- Building makes sense primarily as part of a broader decision to self-host an identity platform. Open-source options like Keycloak and privacyIDEA cover the full MFA method set in production, but in-house builds frequently miss deadlines and ship reduced scope when evaluated independently.
- When does buying MFA make sense?
- Buying is the default for most organizations because Microsoft Authenticator is bundled free for M365 customers, Duo provides reliable per-user pricing, and commercial platforms absorb the ongoing passkey and WebAuthn standards evolution automatically.
- What are the main MFA vendors?
- Representative vendors include Microsoft Authenticator, Yubico, Duo (Cisco), and RSA SecurID. B4 Pro scores the full set.
- What is FIDO2/WebAuthn and why does it matter for MFA?
- FIDO2 and WebAuthn are open standards for passwordless and hardware-key authentication that eliminate phishing risk entirely, since credentials never leave the device. Commercial MFA platforms absorb standard updates automatically; teams running self-hosted identity need to track this evolution manually.