I recently saw an interesting thread elsewhere: someone expressing high frustration with two-factor/multifactor authentication in their day-to-day life, and nearly every response being of agreement, sometimes very vehement. I don't think most of these people worked in infosec or IT. Some were dealing with MFA on university systems, some on work systems. They all loathed it. But the why expressed by many for the loathing was what was really interesting. Sure, many expressed irritation about being interrupted multiple times a day by MFA prompts, some were annoyed that it was in place for what they saw as systems that "didn't need to be that secure", etc. The common refrains one hears from people in security awareness discussions and/or about less user-friendly implementations. But the broadest sentiment?
That it didn't matter because their PII - their SSNs, their credit card numbers, so on and so forth - had already been stolen so many times, that nothing was really being done to stop that from happening, that it was happening more and more and the companies responsible for losing the data weren't being punished. In the face of all that, they didn't want to have to keep dealing with the pain of being forced to use MFA when they felt it wasn't helping anything,