I agree 2FA should be implemented by organisations, but getting the bean-counters to understand why it's so important is another matter.

The biggest pushback I have seen to new security measures has always been from upper management.

I remember enforcing password strength, expiry and lockout rules in a previous job. While this had been clearly communicated (and had approval all the way from the top), I had to roll it back within a week because one of the directors kept getting locked out. As she was the wife of the MD, he got an earful and graciously allowed the excrement to flow downhill to me.

That said, the same company had no antivirus when I started (in the late 2000s) and it took an infection to get them to take me seriously about implementing one...

