In the name of protection, a vast priesthood of IT security professionals, often derided by frustrated users and developers as “insecure people”, has imposed two-factor authentication (2FA) and its multi-factor evolution (MFA) across the web and corporate systems. What began as a reasonable response to password leaks has metastasized into mandatory friction: app notifications, SMS codes, hardware keys, biometric prompts, and now, in many cases, multi-stage verification chains that demand email codes, text messages, and in-app approvals for a single session.
The result is a digital world that feels slower, more annoying, and no safer. Large-scale hacks continue unabated, while users and businesses report real productivity losses and abandoned transactions. Is the security industry adding value, or just billing for inconvenience while Big Tech reaps the benefits?
The Multi-Stage Authentication Nightmare
Banks have taken 2FA to new extremes. Log into your checking account and you’re often hit with a gauntlet. Password first, then a choice of SMS or email code, followed by yet another in-app push notification or secondary verification, even for routine actions like viewing a balance or transferring modest sums. What security experts call “multi-stage” (as opposed to true multi-factor) authentication layers these steps sequentially rather than in parallel, turning a simple login into a multi-minute ordeal of waiting for delayed codes, switching devices, and re-entering data. Users describe it as exhausting. One banking site forces a dropdown selection, username/password, factor choice (SMS or email), a wait for the message, and code entry, often delayed by a minute or more. High-value actions trigger even more prompts.
The result? Session abandonment, support tickets, and pure rage. Studies and forums overflow with complaints: 2FA/MFA fatigue is real, with users reporting constant app-switching, delayed codes, and lockouts that halt workflows. This isn’t edge-case annoyance. It’s now standard for consumer banking and many enterprise tools. The friction compounds: one extra step at checkout or login can spike abandonment by 10–25%. For businesses, it’s lost revenue and loyalty.
Google has amplified this absurdity within its own advertising empire. For agency-managed accounts in Google Ads, the company has introduced mandatory repeated 2FA, typically via SMS to the same phone number, every time a user adds a new ad, launches or edits a campaign, adjusts bids, changes budgets, or performs any other major action. Digital marketing teams and PPC specialists report having to complete the full verification ritual multiple times on the very same account within a single workday, sometimes half a dozen or more interruptions in one session.
What was once seamless, high-velocity campaign optimization and client delivery has become a fragmented, stop-start ordeal of waiting for texts, switching contexts, and re-authenticating, directly inflating labor costs, delaying time-sensitive market responses, and throttling the very digital advertising engine that powers much of the web economy. The move is especially galling coming from Google, whose Gmail and Ads platforms remain prolific vectors for the phishing and account abuse the extra factors are supposedly meant to stop.
The Security Paradox as Hacks Keep Coming, Even at Big Tech
Proponents still cite Microsoft and Google stats claiming MFA blocks 99.9% of automated attacks. Yet breaches haven’t slowed. IBM’s latest data shows average breach costs hovering near $4.5 million, with credential abuse and phishing dominant. Verizon’s reports confirm thousands of incidents yearly; ransomware is everywhere. Cybercrime’s global tab? Still projected at trillions annually.
Worse, the very organizations evangelizing 2FA/MFA, Microsoft (Azure, Outlook/Hotmail) and Google (Gmail), see their own ecosystems riddled with abuse. Accounts get compromised despite 2FA via session hijacking, real-time phishing kits (like Astaroth), MFA fatigue bombing, and man-in-the-middle attacks that capture tokens and cookies.
Users report Gmail and Outlook logins hacked even with authenticator apps enabled; Microsoft itself suffered high-profile breaches in 2024 via legacy non-MFA test accounts (password spraying by Russian actors) and faced a 2025 Azure tenant vulnerability allowing cross-tenant escalation. Researchers cracked an Azure MFA bypass in under an hour in late 2024. Microsoft’s own 2025 Digital Defense Report admits attackers now pivot to workload identities, legacy auth, and AiTM techniques that sidestep user MFA entirely.
The platforms that facilitate spam, phishing campaigns, and account takeovers (Gmail and Outlook remain favorites for scammers) continue pushing users through hoops while failing to stamp out systemic abuse. It raises an uncomfortable question: Is this really about security, or something else?
Big Tech’s Enthusiasm for 2FA Serves Their Bottom Line
There’s a strong whiff of self-interest in the zealotry from Microsoft, Google, and regulators. First, MFA demonstrably reduces their cybersecurity costs. By shifting verification burden to users, providers cut fraud, lower help-desk volumes for password resets, and slash incident response expenses. More importantly, it helps them qualify for cheaper cyber insurance, or even obtain coverage at all. Insurers now treat MFA as table stakes. No MFA, higher premiums or outright denial. Organizations (and the cloud giants themselves) save millions in potential liability and claims.
Second, and more cynically, 2FA/MFA functions less as ironclad security and more as identification theater. It verifies who you are for compliance, advertising, and data-collection purposes while the underlying systems remain porous to abuse. Azure tenants get breached, Gmail/Outlook accounts get hijacked for spam campaigns, and the platforms keep monetizing the data flows.
Users jump through hoops to prove humanity; hackers adapt and keep winning. The “99.9% blocked” claims apply only to primitive automated bots; sophisticated actors (and incomplete enforcement) render the rest theater. Meanwhile, Microsoft is now mandating MFA across Azure sign-ins starting 2026, even as its own track record shows gaps.
Critics call it security theater that prioritizes vendor checkboxes, lock-in, and liability deflection over genuine usability or systemic fixes.
Quantifying Economic Losses
The productivity and revenue costs are measurable and massive.
Enterprise side: Employees lose ~11–19 hours yearly to authentication rituals (18+ seconds per MFA check, multiple daily logins, lockouts). At $30–50/hour loaded wages, that’s $300–$500 per knowledge worker annually. Help-desk tickets for resets and MFA issues add $130–$423 per employee. Scaled across millions of U.S. and global digital workers, the drag exceeds $50–100 billion yearly in the developed world alone. Bad MFA implementations bloat these figures further with rigid policies and poor UX.
Consumer/e-commerce hit: Multi-stage logins at banks or checkout drive abandonment. Global e-commerce exceeds $6 trillion; even a 5–10% friction-induced drop equals tens to hundreds of billions in lost sales and lifetime value.
Opportunity cost: Innovation slows. Developers delay features behind compliance gates. Businesses experiment less. The invisible “prevented” breaches get credited, but the daily, visible tax on speed and convenience is undeniable.
ROI studies for well-implemented MFA show returns via avoided losses, but user-experience data and persistent hacks suggest the current bloated, multi-stage versions deliver diminishing returns at high hidden cost.
Time for Usable Security, Not Theater
The security community’s “more factors, more stages” reflex reflects real threats. But it has spawned a bureaucracy that benefits the enforcers (lower costs, insurance discounts, identification data) far more than it protects the economy or end users. Passkeys, adaptive risk-based auth, and phishing-resistant methods promise better security with less pain, yet legacy mandates and vendor inertia slow their adoption.
Users are clear: the hassle is felt daily; the “security” often isn’t.
Banks, Microsoft, Google, and the broader IT priesthood have turned logins into obstacle courses while their platforms remain vectors for abuse. Until the incentives realign toward usable security instead of theater, the web stays slower than it should be, businesses bleed efficiency and sales, and the economy foots the bill.
The hackers aren’t waiting. Neither should we.
Author Profile
- I have been writing articles about finance, the stock market and wealth management since 2008. I have worked as an analyst, fund manager and as a junior trader in 7 different institutions.
Latest entries
- May 19, 2026 | Global Economics | 2FA “Security” Is Costing the Economy $100 Billion While Hackers Keep Winning


