To build a secure system, you need a robust multi-factor authentication system. However, implementing a one-size-fits-all approach doesn't work because different users have different risk levels depending on their role, where they're accessing systems from, and a variety of other factors.
It's critical that you define risk levels up front for different employees, roles, and other categories of users. How are you doing this?