Skip to content

You're rolling out MFA and executives demand an exemption 'for convenience.' How do you handle it?

Short answer

Executives are exactly the accounts attackers want (BEC, wire fraud), so exempting them inverts the risk model. Solve the friction, not the control: deploy phishing-resistant FIDO2/passkeys that are faster than codes. Caving to the exemption guts the program's credibility and leaves your highest-value accounts unprotected. Killing the MFA project abandons a top-tier control. Quietly enabling it behind their backs destroys trust and accountability.

This question is as much about influence and risk communication as it is about authentication. The technically correct control is non-negotiable; the skill is delivering it without losing the room.

Why exempting executives is backwards

Threat actors target the people with the most authority and access. Executive accounts are the launchpad for business email compromise (BEC) and wire-fraud, and they hold sensitive strategic data. Exempting them concentrates the most risk on the least-protected accounts — the exact opposite of what a risk-based program should do. An exemption "for convenience" is really an unmanaged risk acceptance the security team will own when it goes wrong.

Solve the friction, keep the control

The right move reframes the complaint: the problem is friction, not MFA itself. Phishing-resistant FIDO2 security keys or passkeys are often faster than typing a one-time code — a touch or a biometric — and they defeat phishing and MITM proxy attacks that bypass TOTP and SMS. You give executives a better experience and stronger protection, turning a confrontation into a win.

Why the distractors are wrong

  • Grant the exemption. Leaves your crown-jewel accounts as the soft underbelly and signals that controls are optional for the powerful, which erodes the whole program.
  • Drop the MFA project. Throwing away one of the highest-impact, lowest-cost controls because of pushback is a failure of nerve and of duty.
  • Quietly enable it anyway. Going behind leadership's back may be technically "secure," but it shatters trust, sidesteps accountability, and will blow up the moment they notice — taking your credibility with it.

What the interviewer is probing

They want to see that you hold the line on a critical control while showing executive empathy, that you understand why execs are high-value targets, and that you reach for phishing-resistant factors rather than weaker SMS or app codes. The best candidates frame it as offering a faster, safer option — not as a fight.

Likely follow-ups

  • Why is FIDO2/WebAuthn considered phishing-resistant when TOTP and SMS are not?
  • How would you make the business case to a skeptical executive?
  • What metrics would you track to prove MFA reduced account-takeover risk?

Sources

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.