2FA? We've heard of it: White hats weirded out by lack of account security in enterprise
https://www.theregister.co.uk/2018/07/25/companies_fail_to_secure_employee_accounts/
Few companies bother to secure employee accounts with simple protections like two-factor authentication (2FA) and lockouts, an analysis by security company Rapid 7 has found.
These were only the most glaring weaknesses that emerged from 268 real-world penetration tests carried out by its security staff since 2017 for the report "Under The Hoodie" (PDF).