If you add any specific measure I could comment on that, but generally I think that user experience must be taken into account up to a point. You won’t disable 2FA so they don’t have to get their phone, but you implement it with SSO so logging in once is sufficient.
Power users such as admins on the other hand should be able to understand and use higher security measures such as 2FA for every administrative login.
shellsharks@infosec.pub 1 year ago
If your UX is bad in favor of better security, your users will tend to find ways to circumvent your security haha. So good thing to keep in mind.