Password and Authentication Training: Getting People to Use MFA Without Fighting Them

May 26, 2026

Multi-factor authentication is one of the most effective single controls an organisation can implement against credential-based attacks. It is also, in a significant proportion of organisations, actively resisted by staff and worked around wherever possible. The gap between the security value of MFA and the uptake rate is not primarily a knowledge problem. It is a friction problem. Staff who understand what MFA does will still disable it or circumvent it if the friction it introduces is high enough relative to the pressure they are under to complete a task quickly.

Password hygiene presents a similar dynamic. Staff who have been told, repeatedly, that they should use a unique complex password for every system they access will still reuse passwords across work and personal accounts if using a password manager feels harder than remembering one password. Training that addresses the knowledge without addressing the friction will not change the behaviour. Training combined with implementation changes that reduce the friction is substantially more effective.

Why MFA Resistance Happens

MFA resistance is rarely about disagreement with the principle. Staff who are asked why they have disabled MFA or found a workaround for it are generally not arguing that authentication security is unimportant. They are reporting that the prompt arrived at the wrong moment, that the process added time they did not have, that the secondary device was not with them when they needed it, or that the organisation's MFA implementation was confusing to navigate. These are friction complaints, not belief complaints.

Understanding this distinction changes the training approach. A training session focused on explaining why MFA is important will not significantly move the needle if the underlying friction is not also addressed. A training session that acknowledges the friction, explains why the control is worth it specifically (credentials are the number one attack vector in cloud-based breaches), and provides practical guidance on how to make MFA less disruptive to workflow is more likely to shift behaviour. And a training session paired with an MFA implementation that uses push notifications rather than one-time codes, and that supports device trust so that familiar devices prompt less frequently, is the most effective combination.

What Password Training Should Actually Cover

Password training that covers rules -- minimum length, complexity requirements, no personal information -- without covering the tool that makes those rules achievable is incomplete. The organisational password manager is the load-bearing element of password hygiene, and training needs to put it at the centre rather than treating it as a peripheral recommendation.

Practical password training covers:

  • Why password reuse is the specific risk: if one site's credentials are breached and you have reused that password elsewhere, every other account with the same password is compromised
  • How the password manager works, where to find it, and how to set it up -- not just that it exists
  • What to do with existing passwords: how to identify and change the ones that are reused or weak
  • How to handle the master password or recovery options for the password manager itself
  • What to do if a password is suspected to be compromised: the process for changing it, checking for unusual account activity, and reporting to IT

Phishing-Resistant Authentication and What Staff Should Know About It

Standard MFA using push notifications or one-time codes is significantly better than no MFA. It is not immune to social engineering. MFA fatigue attacks -- where an attacker who has obtained credentials sends a large number of MFA prompts in quick succession, hoping the user will approve one to make it stop -- are an established technique. Staff who do not know this exists will sometimes approve a prompt they do not recognise because they assume it is a technical glitch.

Awareness training should cover what a legitimate MFA prompt looks like (you will only receive one when you initiate a login), what to do when you receive a prompt you did not initiate (deny it and contact IT immediately), and why approving an unexpected prompt is a significant security event. This is a short, specific piece of content that addresses a real attack technique. It does not require staff to understand the technical architecture of MFA -- just the specific behaviour that protects against prompt bombing.

Aligning Training with Your Implementation Timeline

The timing of authentication training matters. Training staff on MFA before it is enforced creates awareness without the urgency to act on it. Training staff on MFA during a rollout -- when they are encountering it for the first time -- is more effective because the content is immediately relevant. And following up with a short reinforcement session after the rollout is complete, addressing the questions and friction points that actually emerged, closes the loop in a way that generic pre-rollout training cannot.

If MFA is already enforced in your organisation and you are still seeing workarounds -- shared accounts, disabled prompts, approval of suspicious requests -- that is a signal that the implementation and training need to be revisited together, not just the training in isolation. We help organisations design the combination of implementation and training that actually changes authentication behaviour. Get in touch at info@cyberlinx.com.au to discuss what that looks like for your environment.

Table of Contents
Resource Type
Blogs
Category
Cyber Awareness Training
Written by
Saaim Khan
Chief Innovation Officer
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?