Why Your Company's MFA Rollout is Failing (And How to Fix It)
I've watched three separate MFA rollouts fail in the last 18 months.
Not because the technology didn't work. Not because the IT team didn't know what they were doing. But because MFA rollout best practices aren't about technology—they're about people. And most businesses forget the people part.
Here's what happens: IT spends months planning the technical deployment. They choose the right MFA solution. They configure it properly. They write documentation. They schedule the go-live date.
Then day one hits, and 40% of employees can't log in. The help desk gets flooded. Executives complain that they can't access their email on their phone. Someone in sales misses a client call because they left their token at home.
Within a month, exceptions are being granted left and right. Within three months, the whole program is considered a failure.
It doesn't have to be this way.
Why Employees Hate MFA (Even Though They Shouldn't)
Let's be honest: MFA adds friction. Every time you log in, you need something else. A code from your phone. A push notification. A hardware key.
For employees who just want to do their job, this feels like IT making their life harder for no obvious benefit.
I've heard every complaint:
- "I already have a strong password"
- "This is ridiculous, I just want to check my email"
- "I don't have my phone with me at my desk"
- "I can't figure out this app"
- "The codes never work for me"
Some of these are legitimate usability issues. Some are resistance to change. All of them need to be addressed if your rollout is going to succeed.
The Four Failure Patterns I See Every Time
After consulting on a dozen MFA deployments, I've identified the failure patterns that show up again and again:
Failure Pattern #1: The "Big Bang" Deployment
You announce that MFA will be mandatory for everyone starting Monday. No warning. No preparation. Just: "Surprise! Your login process just changed."
What happens: Chaos. Help desk overwhelmed. Productivity drops. Resentment builds.
Better approach: Phased rollout by department. Start with IT (who can handle the pain). Then early adopters. Then department by department. Learn from each phase before expanding.
Failure Pattern #2: One Size Fits All
You choose one MFA method—let's say Microsoft Authenticator with push notifications—and force everyone to use it.
What happens: The sales rep who lives on their phone loves it. The warehouse manager who leaves their phone in a locker all day hates it. The executive assistant who manages three calendars can't switch between accounts easily.
Better approach: Offer multiple options. Push notifications for most people. Hardware keys for those who need them. Phone call backup for edge cases. Let people choose what works for their workflow.
Failure Pattern #3: No Offline Plan
Someone tries to log in while travelling. Their phone is in aeroplane mode. Or they left it charging in the hotel room. Or they're in a basement with no signal.
What happens: They can't work. They call the help desk. The help desk has no process for this. Someone eventually just disables MFA for them "temporarily." (It never gets re-enabled.)
Better approach: Provide backup codes. Train people to store them securely. Have a documented, secure process for emergency access that doesn't involve just turning MFA off.
Failure Pattern #4: Training That Happens Too Late
You send an email the day before go-live explaining how MFA works. It includes a link to a 15-minute training video.
What happens: Nobody watches it. On day one, nobody knows what to do.
Better approach: Start training weeks in advance. Multiple formats: video, written guide, lunch-and-learn sessions. Make it mandatory. Test people's understanding. Offer one-on-one help for anyone who needs it.
MFA Rollout Best Practices That Actually Work
Here's the playbook I use for successful MFA deployments:
Phase 1: Preparation (4-6 weeks before)
Choose your MFA methods. I recommend offering at least two:
- Primary: App-based (Google Authenticator, Microsoft Authenticator, Authy)
- Alternative: Hardware keys (YubiKey) for high-risk roles or people who prefer them
Prepare your documentation. Create:
- Quick start guide (one page, lots of screenshots)
- Detailed FAQ covering edge cases
- Video walkthrough (keep it under 5 minutes)
- Cheat sheet for help desk staff
Set up your support processes. Decide:
- How will you handle lost phones?
- What's the process for new employees?
- How do you handle contractors and temporary staff?
- What's your emergency access procedure?
Phase 2: Pilot (2-3 weeks)
Start with a small, willing group. I usually recommend:
- IT team first (they can handle problems)
- One "friendly" department next (people who are generally positive about security)
- Gather feedback obsessively
- Fix problems before expanding
Document every issue. Every confused user. Every edge case. Update your documentation based on real questions.
Phase 3: Phased Rollout (6-8 weeks)
Roll out department by department. Don't rush this.
For each department:
- Announce 2 weeks in advance
- Hold a training session (in person if possible)
- Have IT staff available for go-live day
- Check in after one week
- Address issues before moving to the next department
Key principle: People should never feel abandoned. They should always know who to ask for help.
Phase 4: Enforcement (ongoing)
Once everyone is set up, enable enforcement. But do it with a safety net:
- Warning emails before enforcement kicks in
- Grace period where people can still log in without MFA but get reminded
- Clear escalation path for legitimate exceptions
Monitor your metrics:
- What percentage of accounts have MFA enabled?
- How many help desk tickets are related to MFA?
- How many people are using backup codes?
- How many temporary exceptions have been granted?
The Executive Exception Problem
Here's a dirty secret: executives are often the worst MFA adopters.
They have assistants who manage their calendars. They have multiple devices. They travel constantly. They have legacy systems that don't support modern authentication.
And—let's be honest—they're used to getting exceptions made for them.
You cannot afford to give executives an exception.
If your CFO doesn't use MFA, attackers will target them specifically. And when (not if) their account gets compromised, it will be catastrophic.
Here's how to handle it:
- Get executive buy-in before the rollout
- Give them white-glove support (someone sits with them to set it up)
- Solve their specific problems (multiple devices, assistant access, etc.)
- Make it clear: no exceptions, but full support
I've personally sat with CEOs and walked them through MFA setup. It's 15 minutes of their time. They can handle it.
Measuring Success (Beyond "Everyone Has It")
A successful MFA rollout isn't just "everyone has MFA enabled." It's:
- Help desk tickets return to normal levels within a month
- No active temporary exceptions after 60 days
- Users can explain why MFA matters (not just how to use it)
- Adoption of additional security features (password managers, etc.)
- Reduced successful phishing attempts
Track these metrics. Report them to leadership. Celebrate wins.
The Technical Details Nobody Talks About
Beyond the human factors, there are technical MFA rollout best practices that matter:
Enable risk-based policies. Don't just require MFA every time. Use conditional access:
- Require MFA for new devices
- Require MFA for unusual locations
- Require MFA for sensitive applications
- Skip MFA for trusted corporate devices (if appropriate)
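The four rules above, written out as a small policy evaluator (an added example, not code from the article or from any identity provider; the user, device and country data are constructed, and the rule that sensitive applications always require MFA even on a trusted device is an assumption):

```python
from dataclasses import dataclass

# Constructed sample data (assumed, not from the article): which applications are
# sensitive, and which devices and countries each user has previously signed in from.
SENSITIVE_APPS = {"payroll", "finance-erp", "admin-console"}
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop", "bob-phone"}}
KNOWN_COUNTRIES = {"alice": {"AU"}, "bob": {"AU", "NZ"}}


@dataclass
class SignIn:
    user: str
    app: str
    country: str
    device_id: str
    device_managed: bool  # enrolled, compliant corporate device


def evaluate(sign_in: SignIn) -> tuple[bool, list[str]]:
    """Return (mfa_required, reasons) for a sign-in attempt.

    Risk signals are checked first; any one of them forces MFA. Only a sign-in with
    no risk signal from a trusted corporate device skips MFA. Unknown users have no
    known devices or countries, so they fall through to "new device" / "unusual
    location" and get MFA by default. The reasons list is meant for the audit log.
    """
    reasons: list[str] = []
    if sign_in.app in SENSITIVE_APPS:
        reasons.append("sensitive application")
    if sign_in.device_id not in KNOWN_DEVICES.get(sign_in.user, set()):
        reasons.append("new device")
    if sign_in.country not in KNOWN_COUNTRIES.get(sign_in.user, set()):
        reasons.append("unusual location")
    if reasons:
        return True, reasons
    if sign_in.device_managed:
        return False, ["trusted corporate device"]
    # Known but unmanaged device (e.g. a registered personal phone): still require MFA.
    return True, ["default: unmanaged device"]


if __name__ == "__main__":
    for attempt in (
        SignIn("alice", "mail", "AU", "alice-laptop", True),
        SignIn("alice", "payroll", "AU", "alice-laptop", True),
        SignIn("bob", "mail", "US", "bob-phone", True),
        SignIn("alice", "mail", "AU", "new-phone", False),
    ):
        print(attempt.user, attempt.app, "->", evaluate(attempt))
```

Each decision carries its reasons, so the help desk can see why a user was prompted and the "skip MFA" path only ever fires for a known, managed device with no other risk signal.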
Plan for legacy applications. Some old systems don't support modern authentication. You need a plan:
- Can you upgrade them?
- Can you put them behind a reverse proxy with MFA?
- Can you retire them?
- If not, how do you secure them differently?
Consider phishing-resistant MFA. SMS codes and push notifications can be phished. FIDO2 hardware keys can't. For your highest-risk users (IT admins, executives, finance), consider requiring hardware keys.
What If It's Already Failing?
If your MFA rollout is struggling, don't panic. You can recover.
Step 1: Acknowledge the problems. Survey your users. Find out what's actually wrong.
Step 2: Pause enforcement. Give people breathing room while you fix issues.
Step 3: Fix the top 3 problems. Usually these are:
- Insufficient training/support
- Poor MFA method choice
- Edge cases not handled
Step 4: Re-communicate. Be honest about what went wrong and what's changing.
Step 5: Relaunch with the fixed approach.
I've helped businesses recover from failed rollouts. It's never too late to fix it.
Start With Your Own Accounts First
Here's my challenge to you: if you're planning an MFA rollout at work, start with your own personal accounts.
Set up MFA on your:
- Personal email
- Bank accounts
- Social media
- Password manager
Experience it as a user. Feel the friction. Figure out what works and what doesn't.
Because the best MFA rollout best practices come from people who actually use MFA every day—not just implement it.
And if you want to learn more about protecting your personal accounts alongside your work ones, check out our guide to building a proper incident response plan. Because when MFA fails—and occasionally it does—you need to know what to do next.
Mathew Clark
Founder, SecureInSeconds
Currently: Enabling MFA on every account I own, including the coffee shop loyalty program
Further Reading:
- ACSC guidance on multi-factor authentication
- CISA's MFA fact sheet
- Our guide to incident response planning — because MFA is just one layer of defense
