[NoZebra120vClip]

Users, or service administrators?

From a service point of view, MFA can be deceptively easy to implement. Over the past year or two, it's become all the rage due to aggressive and effective credential-stuffing campaigns.

Unfortunately, it's also difficult to get this right. You can end up with users permanently locked out, you can introduce SSPR abuse, you can increase demand for SIM swapping and email account takeovers.

It's better than what came before, and it's part of everyone's Defense in Depth strategy, but it's not a silver bullet.

[wddkcs]

Thank you. As a user only, 2FA at works sucks. I get locked out multiple times a day, I have to constantly have my phone on me, and I have had a few days where I can't get in for funky reasons, and now the service provider is forbidden from helping me. I get it might be more secure (I still hear about security breaches every couple months), but it is a horrible experience. I use 2fa personally, but in the b2b space there is seemingly no consideration for the user.