Why I cannot remember why finance MFA is 30 days
Six months after a rollout, somebody on the security team asked me why the finance pool MFA lifetime is 30 days. Everywhere else in the org it is 12 hours. Finance is the outlier. Why.
I did not remember.
I knew I had picked it. I was on the call. I approved the setting. But the reason it was 30 days, the tradeoff I made, the data I made it against, the person who signed off on the exception, all of that was gone.
I went looking for it.
Slack: the thread was archived, and search did not surface it.
Notion: we had a page called MFA Policy that was two versions out of date and did not mention finance at all.
Calendar: I found the meeting. Thirty minutes, titled finance auth review, no notes, no recording, two of the attendees no longer at the company.
I spent an afternoon reconstructing why I had set a config six months earlier. I did not fully reconstruct it. I got close. I documented my best guess and moved on.
That experience is why Decision Provenance exists as a thing we built.
The missing thing
Every IT rollout is hundreds of small decisions. Why this threshold. Why this policy. Why that group structure. Why that exception. Each decision is made against some data, with some rationale, by some person, sometimes against some pushback.
The decision gets implemented. The config ships. The reason evaporates.
Six months later somebody asks. Nobody remembers.
The audit trail tells you what was set. It does not tell you why. The Slack thread tells you who was on the call. It does not tell you what the constraint was. The Notion page tells you the policy. It does not tell you the tradeoff that made the policy that way.
What it looks like when the graph remembers
When the rationale, the data, and the signatory are bound to the decision at the moment the decision is made, six months later the answer is one query away. You do not reconstruct. You retrieve.
Why is finance MFA 30 days? Because on 2025-11-04, the finance ops lead made the case that their auth flow runs against three legacy ERP apps that do not handle session rotation gracefully, and a 12-hour lifetime was causing daily lockouts that cost the team an estimated four hours of lost work per week. The CISO signed off on a 30-day exception scoped to the finance pool only, with a review date of 2026-05. Here is the Slack thread. Here is the call recording. Here is the config diff.
That is what I wish I had when somebody asked.
That is what we ship now.