Who’s responsible for security when it comes to the cloud? This is a trick question, of course, because from cloud providers to end users, every person in the supply chain has some responsibility. But the question invites a debate that feels timeless: how to balance security with experience and choice. How do you get to the decision that wearing a seatbelt is such an important safety measure that it can no longer be left to individual discretion, but should instead be law in many countries? The wisdom of this minor tradeoff is generally uncontroversial now, but that wasn’t always the case. Identity faces conceptually similar conflicts. Cyberattacks have increased substantially across industries since 2020, impacting public and private institutions as well as individuals. Many of these were credential attacks with a simple but effective mitigation: multi-factor authentication. But there’s a catch: user enrollment is generally low, and organizations are reluctant to introduce additional steps (or cost) in their users’ login experiences. I propose that we’re at an inflection point: changes in threat actor activities, as well as advances in user-centric security tools, mean it’s time to assess new decision-making paradigms. Join my session to learn more about AWS’ journey to enforcing MFA with a high bar for customer experience. I’ll talk about the process of aligning this decision at AWS scale, what we prioritized in our execution plan, and more food for thought for organizations considering how to define their own new normal in security.