The shifting view of two factor authentication at the university
Back in 2016, I wrote an entry about how we'd never be able to have everyone use two factor authentication. Recently, the university (and thus necessarily my department) is moving to make two factor authentication required. Given this, you might wonder what happened between 2016 and now, five years later. The simple answer is changing attitudes on smartphones, or, if you prefer, a view that two factor authentication is sufficiently important that the administration is willing to force people to go through pain.
Now, as in 2016, the fundamental political problem of two factor authentication is that you need a device to be the second factor, and this device has to belong to someone and be provided by someone. If the organization has to provide a device to any significant number of people, life gets expensive fast. In 2016 I wrote about this, as an aside:
(We cannot assume that all people have smartphones, either, and delegate our 2FA authentication to smartphone apps.)
The political answer here in 2021 is that we are now assuming that people like graduate students have personal smartphones and can be required to install an authenticator app on those smartphones. For most people, if they don't have a personal smartphone (that they're willing to use for this), the university's answer will not be to provide a hardware two factor token at the university's expense; it will be to shrug and tell them to get one, even if it's a cheap old one that will only be used on wifi networks.
It's my guess that this political answer is feasible because as a practical matter people mostly have smartphones and mostly have become acclimatized to using them for non-personal purposes like stuff involved with being a graduate (or undergraduate) student. Many people read their university email on personal devices, for example. By comparison to some entanglements, an authenticator app is nothing special, and smartphones actually have a decent reputation for limiting what apps can do (much more so than regular computers).
There's also the technical answer that the attacks enabled by not having two factor authentication are becoming more and more damaging in various ways. Since 2016, computer security has utterly failed to significantly prevent or mitigate the damage of password compromises in any other way than making passwords by themselves useless. Forced two factor authentication is not the best solution; it's simply the last solution standing, and something has to be done.
(As a necessary disclaimer, I have no specific information on the university administration's decision making process here. I do know that we're increasingly concerned about the damage that phishing and so on is doing.)