You know that multi-factor authentication (MFA) is the way to go. It was once limited to high-security environments such as government, but that has all changed. Consumer products like Facebook have introduced MFA. If people are using MFA to keep their photos safe, it only makes sense to use it to keep your company's critical assets well protected. Is this the right time to introduce a new authentication process? Let's cover that question next.
Should You Introduce Multi-Factor Authentication at Your Company?
Compared to traditional single-factor (password-only) authentication, MFA provides a higher level of security. That said, you may already have your plate full with other technology projects. In that case, it is better to defer the project rather than rush it through on the side. In our experience, the burning desire to implement MFA is often a reaction to a hacking or cybersecurity incident. Whatever your motivation, here are the steps to introducing multi-factor authentication successfully.
1) Build the Business Case for Multi-Factor Authentication
Putting multi-factor authentication in place requires money, staff, and other support. To get those resources, you will need to make a business case. Make sure you research productivity gains for your team and help desk (i.e., fewer passwords to manage), as well as improved security. Many organizations view cybersecurity investments as an insurance policy against attacks.
Resource: Read How Much Time Should You Spend On Your Password Management Business Case? for additional business case tips.
2) Plan the Multi-Factor Authentication Project
Once your business case is approved, it is time to get down to business. At a minimum, your project plan will include the following components:
- Scope. Define which systems, applications, and performance criteria matter to your organization. For example, you may choose to restrict the scope to your highly sensitive systems with customer data at first. Once you prove your approach, you can always extend the scope in the future.
- Schedule. A project without a deadline will drift. If you have a limited budget, you may need to extend the timeline. Alternatively, you can accelerate the project's schedule to a degree by boosting the budget.
- Budget. Your project budget will include several categories, including software, outside consulting and training, and internal cost allocation. When possible, add a small budget for team recognition and celebration at the end of the project.
- Success Criteria. In short, how will you determine if you are successful? This process could be as simple as a before and after comparison. For example, your help desk may typically handle 500 trouble tickets per month for password resets. Take that measurement and compare it to your help desk results after implementing the solution.
Resource: Are you new to project management? Don’t worry — you do not need to start from scratch. Visit ProjectManagement.com for free project management templates. Running each project meeting using a standard agenda file is a great way to save time.
3) Select a Multi-Factor Authentication Solution
At this point, you have the classic project decision: build or buy your multi-factor authentication solution? Creating the solution in-house may be a good choice if you have a large staff of developers and security specialists with time on their hands. Otherwise, buying a multi-factor authentication solution is the best choice.
To make a smart buying decision, develop and use selection criteria to evaluate the different options on the market. The best approach includes multiple selection criteria such as price, industry experience, and the end user experience.
4) Assemble the Implementation Team
At this step, you will assemble your internal project team to implement MFA. At a minimum, we recommend a business analyst, a project manager, and an appropriate IT professional (e.g. a person with authentication or cybersecurity expertise). Add more team members if you are running a larger project.
5) Run a Pilot Test
Let’s say that your project will ultimately impact 1,000 business users. Before you implement the plan for the entire company, we recommend organizing a pilot test. In this case, choose 50 users from different parts of the business (e.g. ten from sales, ten from customer service, ten from operations, and so forth). During the pilot test and afterwards, gather the questions and other feedback you receive to inform your implementation for the rest of the company.
Specific issues to look out for in your pilot test:
- Delays and technical glitches. Expect problems to occur during the pilot. As they come up, you will need to rate these issues (e.g. low, medium, or high importance) and work through fixing them.
- Workflow needs. Observe which systems and applications genuinely matter to your users.
- Surprises. Sometimes, your pilot users will surprise you with other comments! For example, travelling staff may badly want the ability to reset their password by phone.
With these insights in mind, make adjustments to the next stage of your project.
6) Roll Out the Full Program
At last, it is time to roll out the multi-factor authentication program for the whole company. If your project has more than 100 users, we recommend inviting managers to go first. That way, they will be able to promote MFA to their staff. There’s just one more step left in the process.
7) Assign Ongoing Responsibility for Multi-Factor Authentication
Many IT projects fail to deliver long-term value because there is no plan for who will run the system after launch. Don’t let that happen to you! Plan to assign responsibility and maintenance for multi-factor authentication to a knowledgeable manager. If you expect few changes, consider outsourcing this function to a third-party service provider.
Final Thoughts on Multi-Factor Authentication
Adding multi-factor authentication to your security program is a wise move. Alas, it is not a silver bullet on its own. An effective cybersecurity program also requires regular training, identity management, and other components. Take the time to regularly evaluate new cybersecurity threats so you can keep up with the hackers.