MFA is no longer optional in today's threat landscape. Over three YEARS ago we started talking to our Clients about utilizing MFA, as passwords are no longer keeping your information safe. The number of IT providers that STILL do not ENFORCE this critical security configuration is very surprising. No one likes to be told what to do, but in this case you need to just eat those green beans (feel free to substitute whatever food item you don't like but really should be eating here), they are good for you!
Organizations must realize that there is a balance between productivity (ease of use) and security. The tipping point for MFA has occurred and it is time to sacrifice a little ease of use to increase your security. Don't worry, the overall productivity gains from all the new apps and cloud services you use far outweigh this minor change in your daily routine.
Here are the top three pushbacks we get when enabling MFA and our response to them:
I don't want to use my personal device for this
This is interesting on so many levels. First, receiving a text message on your phone in no way allows access to your phone or personal data. So the idea that you don't want "corporate" control of your personal device is out the window. Second, it is more likely that you have a text-enabled cell phone than a car at this point. You need the car to get to work, and guess what, now you need that cell phone too. The final point is cost. Well, you show me someone who incurs an ADDITIONAL cost to receive a few text messages a week and we can talk about reimbursement.
I don't want to punch in a code all the time
Set up correctly, MFA becomes something you don't even realize you are doing. It simply becomes part of your daily routine. No one enjoys filling up the water in the coffee maker either, but we all love that coffee! The point here is that once the initial change in routine is in place this is a non-issue. Now, if your IT group implements this INCORRECTLY, yes, this will be a major inconvenience. Punching in a code every 10 minutes is not what this is about.
We only want this enabled for our "important" users
This is like locking your front door and hoping no one walks around to the (unlocked) back door! Important users ARE targeted more for phishing and hacking attempts, but once any internal user account is compromised, the ease of targeting the other important accounts goes up dramatically. If we could predict which accounts would be compromised then we could be selective about this, but we cannot, so everyone has to have MFA enabled.
Many IT providers suggest enforcing MFA, but neither they nor the customer want to deal with the pain of implementing it. We have found that it isn't really that big a deal, so grab that fork and dig in!