Reframing MFA: How to Talk About It Without Sounding Like a Douche
Sam Fleming, a solutions engineer at Sonya Technologies, closes track two with a talk that exists because the original title ("How to Talk About MFA Without Sounding Like a Douche") could not go on the conference website. His angle is honest about the underlying problem: MFA is annoying, users know it is annoying, and security professionals who pretend otherwise lose the room before they get to the point.
The Three Factors and the Word Cloud
Something you know, something you have, something you are. Sam ran a word cloud on Twitter searches for MFA. The number one word was "annoying." Security came in second. The negative perception is the result of a gradual, inconsistent rollout: email codes, then SMS, then apps, then push notifications, then passkeys, each replacing the previous "secure" method. Users have learned that whatever they just got used to is about to change again, so resistance is rational, not stupid.
What the Misframings Look Like
Twitter Blue inverted the messaging entirely: free accounts get TOTP (more secure) while paid accounts can "upgrade" to SMS (less secure), so millions of users now believe SMS is the premium tier. Apple's on-device fingerprint storage is constantly mistaken for Apple harvesting fingerprints. Meanwhile, MFA fatigue is real; letting a password manager's browser extension auto-fill TOTP codes is something security professionals themselves do; and accessibility (color blindness, low vision, motor impairment) is almost completely ignored in current training materials.
Tailor to the Audience
Sam splits the audience into three. Non-technical users get visual metaphors, step-by-step walkthroughs, story format, and everyday tool comparisons ("MFA is like your toaster: you use it every day"). Business leaders only care about business as usual, so frame everything in terms of trust, asset protection, and not interrupting the bottom line. Technical audiences want the opposite: highlight advancements, name integrations, and leave room for them to take the lead, because nerds buy in faster when they get to drive.
Two Real Rollouts
Positive: rolled YubiKeys to six users in a high-traffic area of one office, sent department-wide comms about what they are, and watched fear of missing out drive global adoption across four countries in two months. Negative: eight users could not install Microsoft Authenticator, so Sam issued bulky RSA tokens with extra phishing training and a ServiceNow request item to upgrade out. Within a month, five of the eight "miraculously" got the app working. Three stayed on tokens, which is also a fine outcome. The lesson: lay the groundwork for the better path and let users walk to it.
Who Should Watch
IT and security people deploying or refreshing MFA. Awareness and training leads writing user-facing copy. Anyone who has tried to push a conditional access policy past a CFO and gotten layer-zero (financial) pushback. Solutions engineers who have to sell MFA up the chain.