Security
The Paradox of Proximity: A Meditation on Multi-Factor Authentication Resistance
"We've normalized checking our phones 96 times a day, but asking someone to tap 'Approve' once is apparently where we draw the line on human capability."
At 3am last Tuesday, I was reviewing our authentication logs (as one does), and I noticed something that made me set down my third cold brew.
87% of our workforce checks their phone within 60 seconds of waking up. Yet when we rolled out MFA last quarter, the resistance was... profound. "It's too inconvenient," they said. "It disrupts my workflow," they explained. "I don't always have my phone," they claimed—while literally scrolling Instagram.
Here's what nobody wants to acknowledge: We've created a threat surface out of pure laziness mythology.
The same device you use to:
- Order coffee ☕
- Check sports scores 🏈
- Argue with strangers about Marvel movies 🎬
- Document your lunch 📸
...is apparently in a completely different dimension when it comes to approving a login request.
I'll be vulnerable here: Early in my career, I too thought MFA was "overkill." Then I spent 72 hours investigating an incident that could have been prevented by a 2-second authentication tap. The real vulnerability was inside us all along.
The data is fascinating:
- Average phone unlocks per day: 96
- Average MFA prompts per day: 3-5
- Percentage of people who call this "unreasonable": Too many
My threat model has always accounted for human behavior, but I didn't predict we'd collectively agree that tapping a notification is somehow more demanding than remembering which special character you used in "P@ssw0rd123!"
Defense in depth isn't just about technology—it's about confronting our own cognitive dissonance. We've normalized constant phone connectivity but somehow convinced ourselves that leveraging that very connectivity for security is a bridge too far.
The question isn't "Is MFA convenient?" The question is "Why are we pretending your phone isn't already welded to your hand?"
No blame, just growth. But maybe, just maybe, we need to admit that resistance to MFA isn't about accessibility—it's about accountability.
What's your organization's biggest MFA resistance story? Let's discuss in the comments.
Stay vigilant.
#ZeroTrust #SecurityCulture #MFA #IdentityManagement #ThreatModeling #DefenseInDepth
Principal Security Architect & Incident Philosopher
Protecting organizations from threats they cannot even imagine. Speaker at DefCon (rejected, but submitted). Believer in no-blame culture and 3am growth opportunities.