MFA enrollment
Good MFA starts with well-designed MFA enrollment.
Authentication should be simple: the user enters a username and password, then supplies a second factor such as a one-time code or a token.
The reality isn't always this simple. The first barrier, and one whose difficulty is easy to underestimate, is enrollment. Sometimes the MFA enrollment instructions (which might come from a service provider rather than an in-house IT team) are ambiguous, confusing users who aren't computer experts (if yours are, lucky you).
Or perhaps the users are part-time or were on vacation and their time-limited login has expired.
Another wrinkle: confusion about which portal address they should be using, or whether they should use the mobile authenticator app instead.
In other cases, your users might need to use a mobile authentication app but still receive some form of push notification as well. This is where two-factor authentication can appear to users to be turning into three-factor authentication.
Encountering a problem, most users will look for a helpdesk number or email address to contact for advice but, incredibly, even this basic information can sometimes be missing.
The underlying challenge of Active Directory multi-factor authentication, and of authentication in general, is that it is not one technology but several different ones that can be implemented in a confusing variety of ways.
Every decision the user is asked to make to untangle this complexity is another step and more unwanted friction. Even if the user clears these MFA enrollment hurdles, they will probably be on the defensive about MFA from that moment onwards.
The lesson this points to is that a well-designed MFA project starts with the impression it creates during that first encounter. Getting it wrong will not be cost-free even if the damage is not always visible from the support desk.
And yet most of this problem can be avoided with good pre-rollout testing on a tolerant subset of users before MFA is expanded to the wider workforce.
MFA looks simple but can become a struggle. Security is like this. Enrollment is a hassle. The end user gets confused. There are too many prompts, which is confusing. The help desk should be there but isn't. Some of this happens with passwords too, but anecdotally it is always worse when MFA is involved.
That's because MFA isn't another technology — it's a completely different way of doing security.