How to Get MFA Approved When Leadership Already Said No

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
A rejected MFA proposal is diagnostic information. It tells you which argument failed, not that the decision is permanent.
Most first MFA proposals fail for one of three reasons: the business case was framed in security terms rather than financial risk terms, the cost was presented as a lump sum rather than a per-user-per-month figure comparable to other operational expenses, or the proposal did not acknowledge the productivity friction that executives actually worry about. A CFO who says no to MFA is almost never saying that account compromise risk does not matter. They are saying that the way the risk was framed did not make the cost feel justified, or that the rollout sounded more disruptive than the threat.
The re-approach requires three things: correctly identifying which objection actually drove the rejection, reframing the ask using the specific data points that move finance and operations leaders, and presenting a phased deployment option that reduces the perceived cost and operational disruption of the initial commitment.
Diagnosing the Real Objection Behind the No
Do not re-approach until you understand why the first proposal was rejected. If you do not have explicit feedback, infer the objection from the conversation:
"It is too expensive" means the cost was not framed in terms that made the business case clear. This objection is almost always about cost relative to perceived benefit, not cost in absolute terms. A CFO who spends $15,000 a month on cybersecurity insurance without hesitation is not objecting to MFA because $4 per user per month is too expensive. They are objecting because the expected value of the spend was not made clear in the original proposal.
"Our employees will not use it" means the proposal did not address change management and user experience concerns. This objection is legitimate and requires a real answer. MFA deployments that skip user experience planning do fail at adoption. The re-approach needs to lead with the rollout plan and user adoption methodology before re-presenting threat statistics.
"We already have a firewall and antivirus" means the executive does not understand that credentials are stolen before they reach your network perimeter. This is a knowledge gap, not a cost objection. The re-approach needs to explain the credential theft attack vector specifically before asking for a decision.
"We have not had a breach" means the executive is discounting future risk because no current pain exists. The re-approach requires presenting breach probability data for your industry sector and company size, not general statistics about all companies.
Identify which objection applies. The following sections address each one.
Reframing From Security Controls to Business Risk
Security professionals frame MFA as a control. Finance professionals frame decisions in terms of expected cost versus expected loss reduction. These are different languages, and security framing rarely moves CFOs.
The reframe that works: present MFA as cost-effective risk insurance compared to the cost of a credential-based breach in your specific industry.
The IBM Cost of a Data Breach Report 2024 found the overall average breach costs $4.88M. That figure varies significantly by sector. For healthcare, the average is $9.77M. For financial services, $6.08M. For technology, $5.11M. Find the number for your sector. That is your exposure comparison figure.
Now calculate your actual MFA cost: number of employees multiplied by $5 per user per month multiplied by 12 months equals annual MFA spend. For a 200-person company, that is $12,000 per year. For a 1,000-person company, that is $60,000 per year.
The question becomes: would you spend $60,000 per year to substantially reduce the probability of a $4.88M loss event? That is roughly 1.2% of the potential loss, and MFA blocks the attack vector responsible for 61% of breaches. When framed this way, the decision calculus is straightforward for a financially-oriented executive.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
The Specific Data Points That Move Finance Leaders
Three data points move CFOs and financial decision-makers more reliably than general breach statistics:
1. Your cyber insurance policy language. Most cyber insurance policies now include MFA as a condition for coverage on credential-based incidents, or as a premium factor. Pull your actual policy. If MFA is required for full coverage, a rejection creates an explicit coverage gap. This is not a security argument -- it is a contract argument. Finance leaders respond to contract exposure immediately.
2. A documented breach at a comparable company. General average breach costs feel abstract. A specific, documented breach at a company your executive recognizes, in your industry, of comparable size, lands differently. The 2022 Uber breach (social engineering leading to complete internal network access), the 2023 MGM Resorts breach ($100M+ operational impact from a credential attack that bypassed existing controls), and documented credential-stuffing campaigns against companies in your vertical are all attributable and publicly reported. Find the comparable case for your audience.
3. The productivity cost comparison. Executives often focus on the operational disruption of MFA over the disruption of the alternative. The comparison to make explicit: a Microsoft Authenticator push notification adds 5 to 10 seconds to a login. A credential-based breach takes an average of 204 days to identify and 73 days to contain (IBM 2024), with operational disruption across IT, legal, communications, and executive time throughout the entire response period. Spell out which disruption is actually larger.
Addressing the Three Most Common Objections in the Room
Objection: "Our employees will find workarounds."
Response: Modern MFA with push notifications through Microsoft Authenticator or Cisco Duo achieves 95 to 98% adoption in organizations that use a phased rollout with manager-level champions and a clear communication plan. Propose a 30-day pilot with one department. Measure the support ticket volume and completion rate. Bring the data from the pilot before committing to the full rollout. This converts a theoretical objection into a testable question with a real answer.
Objection: "We have other security controls that handle this."
Response: Ask which specific control currently prevents an attacker who has obtained a valid username and password from logging into your systems. Firewalls filter network traffic, not valid authenticated sessions. Antivirus detects known malware, not legitimate credential use by an attacker. This objection almost always reveals a misunderstanding of where credential attacks occur in the attack chain. Do not argue the point directly. Ask the question and let the executive identify the gap.
Objection: "What if we lose access to the MFA device?"
Response: Every enterprise MFA deployment includes account recovery procedures, backup codes, and administrator override capability. Microsoft Entra ID, Okta, and Cisco Duo all document multi-path recovery workflows. This is an operational concern with a well-documented, solved answer. Provide the recovery procedure documentation as an attachment to the proposal so the concern is answered before it becomes an objection in the room.
Choosing the Right Meeting Format and Timing
The re-approach meeting format matters as much as the content.
Do not send the updated proposal as a document and request async approval. The rejection was a decision made in a live conversation. The reversal also needs to happen in a live conversation where objections can be addressed in real time.
Request a 20-minute slot framed specifically as "I have new information on the credential risk picture that I want to share before we close the door on this." This framing does two things: it signals that the meeting is informational rather than a repetition of a rejected proposal, and it creates an opening rather than a confrontation.
Bring two physical artifacts: a one-page brief with three numbers (breach cost for your sector, MFA cost per user per month, and the breach probability for your company size based on industry reports), and the relevant section of your cyber insurance policy if MFA is a coverage condition.
Do not bring a slide deck for a 20-minute conversation. Slide decks signal that you are presenting, not engaging. The goal is to surface the objection that drove the rejection and address it directly, which requires dialogue, not a presentation.
The best timing for the re-approach: immediately after any publicly reported credential-based breach in your industry, after a cyber insurance renewal conversation, or after a board or audit committee meeting where security posture was discussed. These are moments when business risk context is already active in leadership's thinking.
The Phased Rollout Option That Reduces Perceived Risk
If full MFA rollout is still perceived as too disruptive or too expensive after the re-approach, offer a phased deployment that limits the initial commitment.
Phase 1 (30 days, minimal cost): MFA for administrator accounts and privileged access only. These accounts are the highest-value targets for credential attacks and represent a small number of users. This phase is fast to implement, affects only IT and security staff, and dramatically reduces the most serious credential risk. Cost is minimal. Disruption is limited to the people who are most capable of handling it.
Phase 2 (60 days): MFA for all accounts with access to financial systems, HR data, or customer data. This covers the accounts whose compromise creates the breach scenarios that drive the largest loss events and insurance claims.
Phase 3 (90 days): MFA for all remaining user accounts.
This structure serves two purposes. First, it reduces the perceived size of the initial commitment. You are not asking for full organizational MFA deployment -- you are asking for administrator MFA, which is almost universally considered reasonable by executives who understand IT security even superficially. Second, it creates real data from Phase 1 that you can present before Phase 2 begins: actual adoption rates, actual support ticket volume, actual user friction levels. The abstract objection about employee disruption becomes a measurable question with a real answer from your own organization.
Most organizations that complete Phase 1 proceed to Phase 2 without significant pushback. The initial objection was about the full rollout, not the security benefit.
The bottom line
A rejected MFA proposal is a communication failure, and communication failures are fixable. Identify the specific objection that drove the rejection: cost framing, change management concern, or a knowledge gap about how credential attacks work. Reframe the business case using sector-specific breach cost data and your cyber insurance policy terms rather than general security statistics. When the full rollout remains perceived as disruptive, the phased approach converts the decision from "MFA for everyone" to "MFA for administrators first" -- a commitment almost no executive will refuse. Most organizations that implement Phase 1 proceed to full deployment within 90 days, having resolved the real objection through observable evidence rather than further argument.
Frequently asked questions
What is MFA and why is it the single most effective credential security control?
Multi-factor authentication (MFA) requires users to verify their identity with at least two independent factors before accessing a system, typically a password plus a one-time code from an authenticator app. It is considered the highest-return credential security control because 61% of confirmed data breaches involve compromised credentials (Verizon DBIR 2024), and MFA blocks over 99% of automated credential-based attacks even when the password itself has been stolen or phished. No other single control addresses that threat at the same cost-to-impact ratio.
How much does enterprise MFA cost to implement?
Enterprise MFA from major providers costs between $3 and $8 per user per month depending on the platform and license tier. Microsoft Entra ID MFA is included in Microsoft 365 Business Premium at approximately $22 per user per month. Cisco Duo Essentials starts at $3 per user per month. Okta Workforce Identity Cloud starts at approximately $6 per user per month. For a 500-person organization, full MFA deployment costs between $18,000 and $48,000 per year, compared to a sector-average breach cost of $4.88M.
How do I calculate ROI for an MFA proposal?
Calculate your expected annual loss by multiplying your sector's average breach cost by your estimated annual breach probability for a credential-based incident. Subtract your annual MFA cost from that expected loss figure. For most organizations, the ROI calculation shows a positive return even at a 5% annual breach probability, because MFA cost is typically 0.5 to 2% of a single breach event's cost. Include any cyber insurance premium reduction or coverage eligibility improvement in the calculation -- these are often the most compelling line items for finance-oriented decision makers.
What are the most common executive objections to MFA and how do I counter them?
The four most common objections are: cost relative to perceived benefit (counter by presenting sector-specific breach cost data and annual MFA cost per user), employee friction and adoption concerns (counter by proposing a measured pilot with a specific team before full rollout), belief that existing controls already address credential risk (counter by asking which specific control prevents an attacker with valid credentials from logging in), and no current breach experience creating urgency (counter by presenting breach probability data for comparable companies in the same industry and size range).
What is the best way to re-approach leadership after MFA was already rejected?
Request a 20-minute live meeting framed around new information rather than a repeated proposal. Identify the specific objection that drove the original rejection and address that objection directly with evidence. Bring your sector-specific breach cost figure, your calculated MFA cost per user per month, and the relevant section of your cyber insurance policy if MFA affects coverage terms. Avoid slide decks for a 20-minute conversation -- the goal is dialogue that surfaces and resolves the real objection, not a second presentation of the original proposal.
What if employees genuinely resist using MFA?
Resistance is highest when MFA is deployed without adequate communication and without manager-level champions in each department. Organizations that run a phased rollout with clear communication about why MFA is being deployed, a simple visual setup guide, and active manager support report adoption rates of 95 to 98% within the first month. Authenticator app push notifications add 5 to 10 seconds to a login. Resistance typically drops significantly after the first week once the friction becomes habitual. Measuring and reporting support ticket volume during a pilot phase provides real adoption data to replace projected resistance.
What is the minimum viable MFA deployment for a small organization?
The minimum viable MFA deployment protects administrator accounts and all accounts with access to financial or customer data. These represent the highest-risk credentials and the fewest users, making deployment fast and disruption minimal. Microsoft 365 includes MFA capability at most license tiers, meaning many small organizations already have the feature available without additional licensing cost. For an organization under 50 people, administrator MFA can typically be deployed in less than one business day. Full organization deployment usually takes under two weeks at that size.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
