'Fraid I thought the last three on passwords and FDE were rubbish. Ghost^Busters!2? is NOT a strong password. As far as enterprise authentication's concerned, it's way beyond time to get TFA. Just stump up. Requiring users to have encrypted laptops is a good idea. But it has to be easy to use because laptops are frequently booted.