by wil421 1357 days ago
Or you could do the opposite and be like the company I work for. Force everyone to enter an RSA token on every SSO login.
2 comments

Unless your company is in a high-risk security-sensitive business, they shouldn't. Most companies can accept the low risk of only requiring a second factor sometimes. Usually time-based, but also looking at location and device fingerprint. For example, if you normally log in from your laptop at work in one state and then it sees you trying to log in from a computer in another state (maybe you're visiting family?) it should definitely challenge you.
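The step-up policy this comment sketches (challenge only when the last strong authentication is stale, the device is unseen, or the location is new), written out as an added example that is not part of the thread; the user history fields, the 12-hour window and the sample events are all constructed assumptions.

```python
"""Risk-based second-factor decision for SSO logins (added example, not from the thread)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class UserHistory:
    """What the identity provider remembers about one account (assumed shape)."""
    known_devices: Set[str]          # device fingerprints seen on successful logins
    known_states: Set[str]           # coarse locations (e.g. US state) seen on successful logins
    last_strong_auth: Optional[datetime] = None  # last time a second factor was passed


@dataclass
class LoginEvent:
    """One password-authenticated login attempt awaiting the step-up decision."""
    user: str
    device_fp: str
    state: str
    time: datetime


MFA_MAX_AGE = timedelta(hours=12)   # assumed: re-challenge at least this often


def needs_second_factor(hist: UserHistory, ev: LoginEvent) -> List[str]:
    """Return the reasons a challenge is required; an empty list means password-only is acceptable."""
    reasons = []
    if hist.last_strong_auth is None or ev.time - hist.last_strong_auth > MFA_MAX_AGE:
        reasons.append("mfa_stale")
    if ev.device_fp not in hist.known_devices:
        reasons.append("new_device")
    if ev.state not in hist.known_states:
        reasons.append("new_location")
    return reasons


def record_success(hist: UserHistory, ev: LoginEvent, passed_mfa: bool) -> None:
    """After a successful login, remember the device and location; refresh the strong-auth time if MFA passed."""
    hist.known_devices.add(ev.device_fp)
    hist.known_states.add(ev.state)
    if passed_mfa:
        hist.last_strong_auth = ev.time


if __name__ == "__main__":
    # Constructed sample: a laptop normally used in Ohio, then a login from Texas two hours later.
    t0 = datetime(2024, 3, 1, 9, 0)
    hist = UserHistory({"laptop-fp"}, {"OH"}, last_strong_auth=t0)
    print(needs_second_factor(hist, LoginEvent("alice", "laptop-fp", "OH", t0 + timedelta(hours=2))))
    print(needs_second_factor(hist, LoginEvent("alice", "desktop-fp", "TX", t0 + timedelta(hours=2))))
```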
It doesn't have to be that manual, yubikey etc can just plug and press.
The company I work for has around 250k employees. I’m sure software RSA is going to be drastically less expensive than yubikey.

The people making the policies don’t care at all. They are just dotting i’s and crossing t’s.