We have that problem where I work. There's been some movement towards introducing 2FA but there are a few sticking points.
Ideally I'd prefer it if users were issued fobs or smart cards, but there's no appetite for investment in that (judging from what I see there's not much appetite for investing in anything except more bloody project managers and iPhone Xs for those at the top).
The option that's being pushed at the moment is a Microsoft solution that relies on using either a smartphone app, texts to a mobile or e-mails to a non-corporate account. My issue with this is that very few users are issued with company phones and I'm not willing to use my personal device for corporate stuff. If they decide I require a smartphone to do my job then they can supply me one.
I agree 2FA should be implemented by organisations, but getting the bean-counters to understand why it's so important is another matter.
Biting the hand that feeds IT
