The best way to implement multi-factor authentication lies in applying classic project management. There’s just one twist to keep in mind. You need to pay attention to change management issues because user adoption matters for success.
1) Create Your Multi-Factor Authentication Business Case
Without funding and management support, you will not be able to succeed with multi-factor authentication. As you plan your business case, you need to avoid three failure points.
- Skipping Business Benefits. As a technology professional, you probably feel more comfortable discussing IT benefits (e.g., improved security). Push yourself to “translate” IT benefits into business values. Whenever possible, point out how MFA will reduce cost or improve productivity.
- No Supporters. Logic and facts are enough to win support for multi-factor authentication, right? If only life was that simple. Your MFA business case competes with other security and business projects. To increase your chances of success, seek support from other departments, such as human resources.
- Missing the Technology Context. While less common, we still see this error occur from time to time. Your business case needs to align with other IT projects and systems currently in place. If the organization is already at full capacity with tech projects, you may be better off waiting six months before you propose MFA.
Resource: How long should it take to create the business case? It is difficult to state a general rule. For further guidance on business case planning, read our article: How Much Time Should You Spend On Your Password Management Business Case?
2) Project Planning for Multi-Factor Authentication
At a fundamental level, the following process will help you to design your project plan to implement multi-factor authentication. If your organization has a project management office (PMO), ask if they have guidance or special requirements you need to use.
- Assess Your Current Multi-Factor Authentication State. What authentication practices do you have in place right now? What problems and access governance failures have you seen? Ask auditors and IT security professionals for input on this step.
- Identify User Advocates. To avoid driving your users crazy, we suggest recruiting a few business users to provide feedback and promote the project.
- Identify Schedule Opportunities. You do not want to launch your MFA project at the same time as a significant new product. Examine the corporate plan for the next 12 months to identify any “no-go” time periods.
- Identify Existing Resources to Leverage. If you are considering MFA, you probably have some IT security processes already in place. There’s no need to reinvent the wheel — look at using those materials. For example: add MFA to the company’s annual cyber security training process and new employee onboarding.
- Identify High-Risk Systems and Applications. You may not have the ability to implement multi-factor authentication to the entire organization. If you are in that situation, get the most bang for your buck by focusing on high-risk systems first (e.g., applications that contain live customer data).
3) Select Your Outside Resources
Building on the steps above, you will now start working on your technical approach. Let’s assume that you decide to work with external experts. In that case, you will need to look at two procurement activities.
- Multi-Factor Authentication Software Solution. Rather than attempt to build your solution, look at the marketplace for an existing software product.
- IT Consultant Selection. Look for an IT consulting firm that has experience with identity management and password software projects.
Use multiple selection criteria. It is tempting to buy based on price, but that rarely works out. Instead, use multiple buying criteria, such as industry experience, audit support, and thought leadership. If you are not sure how to design selection criteria, find out how to work with procurement.
Tip: Learn from the mistakes others have made in single sign-on implementation projects. Mistake #4 — using a poorly thought-out buying process — can doom the entire project.
4) Pilot the MFA Process and Be Patient With Users
Changing the authentication process, especially for high use systems like the desktop login, is going to come as a shock to your users. There are ways to reduce the shock. Use the following change management tips to ease the burden on your end users:
- Lead With Time Savings. Explain to your users how the solution will save them time. How? Do a before and after an experiment with a few users. Then you will be able to say “the average user saves 10 minutes per day by using MFA.”
- Avoid the Big Bang Approach. If you have 20 systems to include in your MFA, add 5-10 systems per month so your users can gradually adjust to the change.
- Equip Your Help Desk for Success. Have you ever called a company about a new product, only to get nowhere with the customer support rep? To avoid that failure in your organization, give your help desk extra training and staff to support MFA implementation.
Now we move to the final phase — integrating multi-factor authentication with your business.
5) Transition Multi-Factor Authentication to Operations
After the project team moves on to new opportunities, who will be responsible for your MFA system? Answering this question up front is the best approach. At a minimum, ongoing work on MFA will include the following responsibilities:
- Support IT Security Programs. MFA works best when it is fully integrated with your security processes like annual security training.
- Monitoring and Reporting. Report on time saved and system performance so that management can see the impact MFA is having on the business.
- Identify Additional Improvement Opportunities. The initial MFA implementation may be limited to a handful of systems. What happens when your organization adopts additional cloud services or other technology? The MFA manager needs to be involved and look for ways to add MFA.
It is Time To Get Started on MFA
Are you ready to dive in and learn more about multi-factor authentication solutions? If so, take a look at Password Station. By using Password Station and multi-factor authentication, you can enforce strong password requirements. That is one of the single fastest ways to improve security.