Same. We also are making them setup two factor authentication for our rollout and it is funny.
We did that like a year and a half ago. People are still confused (somehow) and upset. I know how you feel. Godspeed my friend.
What is the point of this? We just switched to it, and it's annoying.
It's really good and really easy security for your account. Let's put it this way:
Right now, you log in to a given site or service. That's it. Your only form of authentication is your username and password. ("Something you know").
Well, there's easy ways to steal that information. Not really even "hacking" or something similar. The biggest form is phishing - convincing users to give nefarious actors their credentials in plain text. It's easy to spot when you're looking for it, but when you log in to the same stuff everyday, eventually you stop paying attention to it - we're all guilty of this. So you see a site that looks similar enough to the one you use everyday and don't give it a second thought. You log in. Maybe you misspelled the URL by a letter or two, or someone posing as a known associate sends you a link that you click on. They now have your username and password. Game over, you're pwned.
Two factor authentication is an extra layer of authentication. We use an MFA provider to give people options when they log in. After entering their username/password ("Something you know"), now they have to answer a phone call to a previously registered number OR enter a passcode from a generator previously set up OR get a notification on their smartphone that they can accept/reject. ("Something you have")
To get around that, the phisher (which is pretty low-tech to begin with) would have to either physically possess the victim's phone (Unlikely) or figure out a way to duplicate/spoof their victim's phone number (Unlikely they even know it, even less likely they can pull this off).
You actually use two-factor authentication regularly in your non-digital life. Ever use an ATM? Something you have (A card) and something you know (Your PIN). Board a flight? Something you are (ID of some sort, passport) and something you have (Boarding pass).
Realistically the whole system is called "multi factor authentication" and is based on requiring at least two forms of the following before being granted access, with examples of each:
-Something you know (Password, PIN, Social Security Number)
-Something you have (Access card, phone, ticket)
-Something you are (Fingerprint, Face ID, Driver's License, Passport)
-Something you do (How you sound, how you walk - this one is still in the early stages of usefulness)
-Somewhere you are (Proximity-based access; like only being allowed in to systems when you're physically inside your work building or similar)
I use two-factor on every site that offers it. It's a much more secure way to use the internet, and it's only a little bit more work.
