The angriest I have ever seen a CFO was about a six-digit code. We had turned on multi-factor authentication across the company, and on day two she could not get into the accounting system before a board call. She had left her phone in the car. She made it in eventually, but the message she sent me afterward did not include a thank-you note.
I tell that story because it is the real obstacle to MFA, and it has almost nothing to do with technology. The technology is easy. You flip it on in an afternoon. The hard part is that you are asking busy people to add a step to something they do forty times a day, and they did not ask you to. If you ignore that, they will fight you, and a surprising number of them will win, because they will find the workaround you did not think of.
Why MFA is worth the friction
Let me say plainly why I push on this even when people grumble. The overwhelming majority of break-ins at small businesses start with a stolen password. Phishing, reused credentials, a password that leaked in some other company’s breach years ago. MFA is the single control that turns a stolen password into a dead end. One extra step on your side, one locked door on theirs. Nothing else you can buy for the price gets close.
So the goal is not “make people accept friction.” The goal is to make the friction so small that nobody bothers to fight it.
How to win the room
A few things I have learned the slightly painful way:
Use the app, not the text message. A push notification you tap once is far less annoying than typing a code from an SMS, and it is more secure too. Most people stop complaining within a week once they are tapping “approve” instead of squinting at a six-digit code.
Turn on “remember this device” for trusted machines. If someone is on their own laptop in the office, they do not need to re-authenticate every hour. Set a sensible window. The security value of MFA is at the login from a strange device in a strange place, which is exactly the case where you do want the prompt.
Explain the why, once, like an adult. People follow rules they understand and route around rules that feel arbitrary. Five minutes in a team meeting explaining that this is the thing that stops a stolen password from becoming a stolen company buys you more compliance than any policy document.
Have a fast path for the bad day. Someone will lose a phone. Someone will be traveling when their authenticator resets. If your recovery process is a two-day help desk ticket, people will start writing codes on sticky notes, and now you have made things worse. Decide in advance how you verify a person and get them back in quickly without lowering the bar for everyone.
Start where it matters
If turning on MFA everywhere at once feels like too big a fight, do not let that stop you from starting. Protect the accounts that would hurt most first: email, because it is the master key that resets everything else, then banking, payroll, and your admin consoles. Get those locked down this month. Expand from there.
The CFO who left her phone in the car is, two years later, one of the strongest advocates for MFA in that company. What changed was not her tolerance for friction. We switched her to a push app, set a reasonable trust window on her office laptop, and gave her a number to call that gets her back in within minutes. The security did not get weaker. It got quieter. That is the whole job.
Further reading
- From Resolute Security: The Mythos of Cybersecurity
- From Resolute Security: Your Employees Are Already Using AI
- CISA: turn on multi-factor authentication
- NIST Cybersecurity Framework