So alternatively when there is not a clear scope or group of target users, offer 2FA only to users who access business critical information or intellectual property, whether the user is an employee or third party and is accessing the information from within the corporate network or from a remote location.