Implement security properly
One organization that I do occasional work for has implemented a new email security policy, a particularly mangled version of two-factor auth.
In Ye Distant Past (that is, up until December last year) I could collect email using OWA, with all the (in)security implications and irritations that that implies, or I could use MS Outlook. If I used OWA, they had rigged it to expire a session after a while and I'd have to log back in. This meant that I might go days before bothering, and sometimes 'important' emails might not be noticed among the sea of idiocy which would show up when I finally logged back in. Besides, I just don't like webmail. As I had Outlook set up for other reasons, I just added the email account for them to Outlook. Outlook was always sitting open on my main machine. I got all their (mostly useless and/or idiotic) email immediately. 'Important' email was actually immediately visible.
So they implemented 2FA... badly. They decided to use the Microsoft Authenticator system. Those who have encountered it might know that it can be set to _require_ certain classes of users (that would be those who don't have Official Company Laptops) to re-authenticate _every 24 hours_. I can no longer just leave Outlook open with their account available; every 24 hours a modal dialog pops up, preventing me from accessing _any_ account in Outlook, not just theirs, until I enter the password for their account, _twice_, and dig out my cell phone and click 'allow' in the MS Authenticator app. If I take too long, the 2FA auth times out and I get to start over. That's entering the password a total of _four_ times or moving really fast to send the auth code. Every. Single Day. On machines which have been accessing that account for literal years.
Meanwhile, 2FA is _not_ implemented for OWA. Sessions still expire, but I only have to enter the password once to get logged back in. I have deleted their account from Outlook and the MS Auth app from my cell phone and gone back to using (ugh) webmail... and to checking email from them maybe once a week because I bloody hate webmail. Congrats, boyz, you 'improved' security by making it difficult to communicate.
They're planning on killing OWA by the end of April, and requiring that all users use Outlook with 2FA. Line management has responded by asking us 'contractors' to install a special texting app... which doesn't go through Exchange Server and so isn't affected by 2FA (and doesn't get the loads of bumf that is emailed out every day). Congrats, boyz, you 'improved' security so much that users are bypassing your system to get actual work done. And no, IT Security won't be able to do anything about it, as the app lives on non-company cell phones. _Great_ work, there, boyz. You just _created_ a security hole.
They have a (small) disk quota applied to email accounts; users have to clean out old mail periodically. I await with interest the screaming when accounts fill up because of the daily bumf and no-one logging in to clean it out. Oh. Wait. They send out email notices when the mailboxes are getting too full, adding to the daily bumf... I wonder how long it will be before they notice that most of the workforce ain't using company email anymore, and what they'll try to do about it. Fun times ahead, boyz'n'grrlz, fun times ahead.
On my own systems here at the office I have also implemented 2FA... just not in an anti-user fashion. Every time users log in from a new device (cell, tablet, laptop, desktop) they must authenticate. Every time users log in using new software (for webmail, that means new web browser, and that's 'new browser', not 'new version of old browser') they authenticate. Once authed, you stay authed unless and until something changes.
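The two policies described above, put side by side in an added Python example that is not the author's code: a time-based policy that re-prompts every 24 hours regardless of context, and a change-based one that re-prompts only when the device or the browser family (not its version) is one the user has not authenticated from before. The device identifier is assumed to be a stable per-device token such as a cookie minted at first MFA, and browser family is taken from a user-agent string; both the user-agent strings and the week of logins are constructed.

```python
import re
from dataclasses import dataclass

DAY = 24 * 3600

# Constructed user-agent strings (shape matches real ones; versions are made up).
UA_FF_121 = "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
UA_FF_122 = "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0"
UA_CHROME = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
UA_SAFARI = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Mobile/15E148 Safari/604.1"

def browser_family(ua: str) -> str:
    """Browser product without its version: a version bump is not 'new software'."""
    for name in ("Firefox", "Edg", "Chrome", "Safari"):  # Chrome UAs also say Safari, so order matters
        if re.search(rf"\b{name}/\d", ua):
            return name
    return "unknown"

@dataclass(frozen=True)
class Context:
    device_id: str  # assumed: a stable per-device token issued at first MFA
    browser: str

class ChangeBasedPolicy:
    """Prompt for MFA only when this user has never authenticated from this device/browser pair."""
    def __init__(self):
        self.trusted: dict[str, set[Context]] = {}
    def needs_mfa(self, user: str, ctx: Context, now: int) -> bool:
        return ctx not in self.trusted.get(user, set())
    def record_mfa(self, user: str, ctx: Context, now: int) -> None:
        self.trusted.setdefault(user, set()).add(ctx)

class DailyExpiryPolicy:
    """Prompt for MFA whenever 24 hours have passed since the last prompt, whatever the device."""
    def __init__(self):
        self.last: dict[str, int] = {}
    def needs_mfa(self, user: str, ctx: Context, now: int) -> bool:
        return now - self.last.get(user, -DAY) >= DAY
    def record_mfa(self, user: str, ctx: Context, now: int) -> None:
        self.last[user] = now

# Constructed week: same laptop on days 0-4 (Firefox upgraded on day 3), a phone on days 5-6.
LOGINS = [(0, "laptop", UA_FF_121), (1, "laptop", UA_FF_121), (2, "laptop", UA_FF_121),
          (3, "laptop", UA_FF_122), (4, "laptop", UA_FF_122),
          (5, "phone", UA_SAFARI), (6, "phone", UA_SAFARI)]

def count_prompts(policy, user: str = "alice") -> int:
    """Number of MFA prompts the policy raises over the constructed week of daily 09:00 logins."""
    prompts = 0
    for day, device, ua in LOGINS:
        now = day * DAY + 9 * 3600
        ctx = Context(device, browser_family(ua))
        if policy.needs_mfa(user, ctx, now):
            prompts += 1
            policy.record_mfa(user, ctx, now)
    return prompts

def compare() -> dict[str, int]:
    return {"daily_expiry": count_prompts(DailyExpiryPolicy()),
            "change_based": count_prompts(ChangeBasedPolicy())}

if __name__ == "__main__":
    print(compare())  # {'daily_expiry': 7, 'change_based': 2}
```

The change-based policy prompts twice in the week (first laptop login, first phone login); the daily-expiry policy prompts every single day, which is the friction that drives users onto unmanaged channels.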