Organizations have many different ways of implementing multi-factor authentication (MFA). In particular, some organizations have reused preexisting authentication mechanisms such as Active Directory in their MFA implementation, some have not. However, the applications protected by MFA or the devices used for MFA can’t really explain the variety of MFA implementations. What is it then? History? Geography? Random? More importantly than the reason, what are the benefits and implications of the various approaches?