Abstract: Recent years have seen growing organizational adoption of two-factor authentication as organizations seek to limit the damage caused by password breaches. However, research on the user experience of two-factor authentication in a real-world setting is relatively scant. To fill this gap, we conducted multiple waves of an online survey of users at a large public university during its multi-phase rollout of mandatory two-factor authentication for faculty, staff, and students. In addition, we examined multiple months of logs of all authentication events at the university. We found no significant changes in user experience and acceptance of two-factor authentication when it was mandatory for select systems that dealt with sensitive information. However, these factors degraded when users were forced to use two-factor authentication for logging into every single university resource. Our findings can serve as important guidance for the implementation of two-factor authentication in organizations in a way that can help achieve a balance between security and user experience.