When does MFA require F2A?

Story by Bill Haber / May 26, 2022


When does MFA require F2A?

It’s tough to find a cyber insurer today who does not require their insureds to deploy multi-factor authentication (aka MFA) across their organization. It’s a fairly well-understood concept to most agents that it’s now a “No-MFA, No Play” game, and the absence of a positive response in the average cyber insurance application results in a decline.

There are many good reasons for this that I won’t get into now, and authentication is increasingly a key qualifier for basic cybersecurity controls. It’s fair to say that MFA is quickly becoming an expectation across the business community. It’s certainly an early topic of our cyber risk assessments, and it’s amazing to see how few companies who are otherwise cyber-responsible leave MFA deployment to the discretion of the employee.

While leading mail programs make MFA easily deployable for all employee accounts, surprisingly few administrators tick that box in practice. Still more troublesome is dealing with the multitude of software apps that require each user to individually enable MFA, and particularly dangerous are those which do not yet support MFA, which arguably are not usable in the present reality of cybersecurity chaos. Ultimately, this can present challenges to internal administrators and third-party organizations responsible for data security.

MFA Resistance

Implementing new cybersecurity tools and techniques can meet serious resistance. I follow and comment on a few Reddit topics, including their msp (Managed Service Provider) posts. These folks are on the front lines of working with clients to put these controls in place, and they’re facing this issue every day. I ran across one post last week that fascinated me, for several reasons;


Figure 1. The Reddit post on MFA Resistance

The post and its subsequent responses talk about a common theme; struggles in driving clients to do the right thing. The responses generally declare the solution to this problem is to mandate policy with an iron fist. Essentially, this means that The Boss must clearly, consistently and constantly articulate the need for cybersecurity controls to be deployed, and that one cannot be expected to do the job without this missing piece.  We call this method of top-down enforcement F2A.

Applied F2A

What is F2A?

F2A is a useful acronym when discussing appropriate degrees of organizational pressure from the top. This is better known as good ole fashioned foot-to-ass, and can be thought of in the way a drill sergeant pushes his soldiers towards submission. While not always successful on its own, F2A actually does has its place among other methods backed by research, theory and practical strategies to drive organizational change. There are several useful methods today to automate the push towards change, and the right degree of F2A can be a necessary component in driving cyber resilience throughout work organizations.

When in F2A appropriate?

F2A can be effective when used in measured fashion. On its own, F2A is not singularly effective in driving positive, long-term organization change. It must be accompanied with well-articulated strategy, well-understood purpose, and some sense of buy-in for personal and professional utility. It should be applied gradually as an accelerator when needed, and used sparingly. It’s use should always be preceded by other proper methods to drive policy changes once properly teed up, making the ability to achieve fundamental change across employees real.

What complements F2A to drive change?

To drive change effectively, it’s useful to understand the key principles of some broadly accepted thought leadership on the topic of organizational change. Kurt Lewin is widely considered the “father of change processes” and theorized that people maintain status quo due to coexistence of both driving forces and restraining forces in a group. Driving forces advance a system toward change and must be increased; restraining forces impede change and must be decreased. Driving forces may include desire to win over one’s boss, increase productivity levels, gain recognition, increase compensation or solve problems impacting the company. Restraining forces can include reluctance to modify process, fear of the unknown, overconfidence and doubt. To best prepare a strategy for change, one must consider factors likely to contribute to driving forces, and seek to quash restraining forces.

Another useful area of research comes from Malcolm Knowles, well known for his contributions to Adult Learning Theory  and the Theory of Andragogy. Adult Learning Theory stipulates that adults are self-directed and expect to take responsibility for decisions.  Any learning program involving adults in the workplace must build upon this to be effective. Further, the principles of Andragogy proposes that process can be more important than content in the design of learning, and must consider that 1. Adults need to know why they need to learn something new, 2. They need to learn experientially , 3. Adults approach learning as problem-solving, and 4. They learn best when the topic is of immediate value personally, professionally or both. These frameworks explain that adults need to be involved in the planning and evaluation of their instruction, and their motivations are best shaped internally than externally.

Data Reinforcement

Data-driven organizations find accelerated actions to be common, as data meets less resistance than individuals do. Todd may be perceived as an idiot who people in the organization don’t listen to. Carol may be an accountant but what exactly does she know about technology? Meanwhile, well-presented data is nameless, faceless, has no interpersonal history and is irrefutable. The more data on hand, the better. As you develop your ongoing approach to the delivery of positive cybersecurity behaviors, good data presented on an ongoing basis will be your friend. Behavioral analytics not only can help you reward your best people for quick adoption, but illuminate where F2A must be applied, and with what degree. Data has a funny way of exposing your biggest violators, who are often your principal resistors.

Cybersecurity Action Plans

If you plan to deliver a successful rollout of MFA and/or additional cybersecurity controls to an organization that is not presently using these things today, there will be learning involved. As a result, there will be many steps that precede the installation of these solutions that the Reddit MSP folks are complaining about. Because of what we know about delivering an effective learning program, we recommend every leadership team take the time to come up with an action plan to get the fastest, most effective results. Any good vendor will help you with this, rather than complain after the fact about client resistance.


Your employees need to know that risks and costs are skyrocketing, that you need their help to solve the problem, and that you’re asking their individual efforts to solve it. You’ll need to proactively make this clear to make this fast and effective. Your people will need to understand personal and professional benefits of participation, and be seen as a problem-solver rather than a problem. Finally, you’ll need to use data to gradually understand the frequency and degree of F2A to address your problematic employees.