10 most common MFA excuses, and how to answer them

CISOs often meet resistance to multi-factor authentication from users, management, and even IT. Here's how to counter their complaints.

The proven security enhancements that multi-factor authentication (MFA) or two-factor authentication (2FA) offers are spurring IT departments to put them in place. As often happens, many managers and employees are objecting to the extra steps associated with MFA log-ins, making excuses galore to avoid them.

Here's what the security experts we spoke with say are the most common MFA excuses they’ve encountered and the answers they use to effectively defeat them.

1. My password is strong enough

A strong password is a crucial and commendable first step, but as cyberattacks become more sophisticated, it isn’t sufficient by itself. This is a point that CISOs need to hammer home to users and managers by citing examples of breaches in which strong passwords were not enough.

“The benefit of 2FA/MFA is that consumers can be less concerned about falling victim to their data being stolen via brute force attacks, convincing phishing scams, or other account takeover attacks,” says Aaron Goldsmid, Twilio’s vice president and general manager of account security. “Even if a password has already been compromised, with 2FA/MFA consumers can have confidence that their account will not be taken over by credential stuffing or other common methods associated with stolen passwords.”

2. I don’t want to provide my personal smartphone number for my MFA sign-in

You don’t have to provide your phone number or even your email address. There are many other ways to deploy MFA that don’t require them. For example, authenticator apps are more convenient than the traditional SMS or email approach. The user might need to scan a QR code or manually enter a code upon initial setup, but subsequent logins can be configured to only require a push notification where a user will be prompted to click a button verifying their attempted login.

3. My personal phone number will be used for marketing or sold to third parties

To provide assurance on this point, your IT organization must have an ironclad policy in place against using or selling employee data for non-security purposes, or use a third-party MFA provider that follows the same rules. Most providers follow local and national data privacy guidelines and disclose how they use customer data.

4. MFA is too new and unproven

“Two-factor authentication is not new,” says Tony Anscombe, ESET’s chief security evangelist. “Banks introduced debit cards with PIN numbers—something you have and something you know—which is, of course, two-factor-authentication. Highlighting this often explains the concept in a way that removes objection.”

5. Our IT team is already overloaded with addressing higher-priority issues

The IT team will be far more overloaded if a ransomware attack locks everyone out of the system. It can happen more easily without MFA because “password-based authentication on its own is not sufficient,” says Paul Kincaid, CISO and vice president of information and security products at SecureAuth. “Users are the greatest source of risk, and it is far too easy to social engineer passwords to bet the security of the enterprise on them.”

6. It's too much of a hassle to set up MFA

This excuse can come from users, managers, or IT, and while it may have been the case in the past, it is not true now. "2FA/MFA has gone from being a hidden feature that required navigating various steps to being a key part of the onboarding process, often enabled with the click of a button," Goldsmid says. "While 2FA/MFA in the past seemed like a more complicated process, most applications and websites now incorporate APIs that deliver a simple toggle with a yes or no question: ‘Would you like to enable push authentication, a time-based, one-time passcode (TOTP), email verification, SMS verification, and so on?'"

7. The MFA solution does not support our legacy applications

While that might have been true in the past, most MFA solutions today are better able to work with legacy systems. “The technology landscape has changed and now there are multiple solutions to that challenge, some of those might not even require changes to legacy applications,” says Kincaid. “Identity orchestration and layered/out-of-band MFA factors are valid options that can enable organizations to mitigate the risks of legacy applications by enforcing stronger authentication methods.” Any expense will be less than paying a ransom.

8. The risk is not high enough for the investment in MFA

This excuse to avoid spending money assumes that the realities of cybersecurity haven’t changed, which they have. The reason? “Due to the increasing shift to cloud workloads and work-from-home dynamics, the network perimeter does not exist as it once did,” Kincaid says. “Providing strong authentication via MFA is core to a layered security strategy. Not including it leaves the organization exposed in case of an insider threat or external breach. MFA can help mitigate the damage done by the attacker.”

9. I don’t know enough about what MFA is to feel comfortable using it

No problem, I’m happy to explain MFA to you in simple, straightforward terms. Then you’ll feel comfortable! “Educating consumers on the importance of new, effective security methods is critical,” says Goldsmid. “It is the responsibility of all organizations as customer trust and data privacy become increasingly common issues for consumers and governing bodies alike.”

10. I don’t need more security; I don't have anything worth stealing

Exasperated CISOs could be forgiven for responding to this excuse by replying, “Oh really? Give me all your credit card numbers and PINs, and let’s find out for sure!”

This is a lame excuse masking an equally lame effort to avoid MFA. Nevertheless, the professional answer to this verbal dodge is to reply, “Every consumer is a potential target of an attack since every bit of personally identifiable information [PII] is valuable to malicious actors,” Goldsmid says. “Even if you think you have nothing worth stealing, malicious actors are targeting smart home devices, individual bank accounts, and ultimately, any account that has personal information can be used in fraudulent activity.”

“Consumers don’t need to look far to find evidence of this ‘anyone’s a target’ threat landscape. Equifax, Marriott, and Facebook are just a few examples of recent attacks targeting everyday consumers,” Goldsmid adds. “Luckily there is an easy way to combat these attacks, and it’s simply configuring 2FA.”

Copyright © 2022 IDG Communications, Inc.