2FA can be worse than just letting things be
One place where I do some work for has implemented the Very Worst Two Factor Authentication System In The History Of Man(tm). This has succeeded in antagonizing _everyone_ and making them thoroughly hostile to the very concept of 2FA. I am an 'adjunct professor', meaning that I get paid peanuts and really don't know why I bother, and am stuck with classes the full-time guys don't want. (Friday evening and Saturday morning, for example) For once IT treated everyone, adjunct, full-time, non-teaching staff, even themselves, the same: they rolled out the most idiotic nonsense imaginable to everyone, big-bang style, and refuse to even consider that they may, just may, have made an error.
The version of 2FA rolled out here is based on Office365 Outlook. The good: anyone who can access anything which can get to Office365 Outlook can get their email no matter where they may be. Outlook on Mac, Windows, iOS, and presumably Android (I don't have an Android phone, but IT department bumf mentions Android) and can use alternate email clients, such as Apple Mail on Mac and iOS, which can talk to Outlook. The bad: they use MS Authenticator, which can be downloaded for iOS and Android. About here alarm bells should start ringing. MSA wants all kinds of permissions and states right up front that it 'gathers data'. It gets worse. The totally fucking insanely terrible: users must re-authenticate every 24 hours, on every device. If you check mail using OWA on a Windows machine, you must auth, and 24 hours later you must auth again, despite using the same machine, same web browser, some connection... EVEN IF YOU ARE CONNECTING USING A FUCKING SCHOOL DESKTOP COMPUTER ON THE FUCKING SCHOOL NETWORK. If you are using Outlook or some other email client on some machine not a school computer, you must reauth every 24 hours. Even if you are connected to the school network. Even if you are connected to the school network by Ethernet. If you are using a school laptop, you must reauth every 24 hours unless that laptop is connected to the school network by Ethernet; you connect wirelessly, you gotta reauth.. The _only_ time that you don't have to reauth every 24 hours is if you're using Outlook on a school desktop... if you're using school Outlook. If your machine has Outlook but it wasn't installed by IT or somehow did something to anger the 2FA gods, you get to reauth every 24 hours. As a mere peon of an adjunct, I didn't have a school laptop, but the dean of business and computer systems does, and he's spitting fire 'cause of the 2FA bullshit. I used to check school email every ever so often, during down times in the day. Now I check maybe once a week, usually when I'm on campus using Outlook on a desktop, 'cause MSA is bloody annoying once, and is extremely bloody annoying every 24 hours. And, oh, yeah, if you let more than 72 hours go by without reauthing, MSA insists on reauthing twice before it lets you see your mail. All the various heads of department are assembling a lynch party for the head of IT.