Implementing Multi-Factor Authentication (MFA): Strategy, Rollout, and User Adoption

TL;DR
  • MFA is minimum measure no. 10 under NIS2 and one of the most effective security controls: it blocks over 99% of all credential-based attacks.
  • The four relevant MFA methods are TOTP (authenticator app), push notification, FIDO2/Passkeys (hardware token or biometric), and SMS. FIDO2 provides the highest security; TOTP offers the best balance of security and effort.
  • The rollout proceeds in four phases: first IT admins and privileged accounts, then executives and management, then departments with access to critical data, and finally all employees.
  • A break-glass procedure with sealed recovery codes is mandatory. Without emergency access, you risk locked-out accounts bringing business operations to a halt.
  • The most common mistakes: SMS as the only second factor, no backup method, missing communication before the rollout, and forgotten service accounts.

Why MFA is no longer optional

A single compromised password is enough to endanger an entire organization. The attacker logs into the VPN with stolen credentials, moves through the network, gains access to Active Directory, and deploys ransomware. The entire attack chain starts with a password obtained through phishing, credential stuffing, or a database leak.

Multi-factor authentication breaks this chain. Even if the attacker knows the password, they lack the second factor: the authenticator app on a smartphone, the hardware token on a keychain, or the fingerprint on a sensor. Microsoft puts MFA's effectiveness at over 99 percent of all credential-based attacks. Google reports that introducing FIDO2 keys for all employees reduced the number of successful phishing attacks to zero.

Despite these numbers, MFA is still not deployed organization-wide in many companies. A BSI study shows that only about 40 percent of small and mid-market companies in Germany use MFA for all employees. Adoption rates are higher for cloud services, but significant gaps remain for VPN access, internal applications, and service accounts.

The regulatory landscape makes this gap increasingly untenable. NIS2 lists ten minimum measures in Article 21, Paragraph 2 that affected organizations must implement. Point 10 explicitly requires the use of multi-factor authentication solutions. ISO 27001 addresses the topic in Annex A.8.5 (secure authentication) and recommends MFA for access to critical systems. And BSI IT-Grundschutz includes in ORP.4 (Identity and Access Management) the requirement to deploy strong authentication for at least privileged accounts.

The question is no longer whether, but how you implement MFA in your organization. That is exactly what this article is about.

Comparing MFA methods

Not every second factor is equal. The available methods differ significantly in security, usability, and implementation effort. The right choice depends on your risk profile, your infrastructure, and your employees' needs.

TOTP (Time-based One-Time Password)

TOTP is the most widely used MFA method. An authenticator app on a smartphone generates a six-digit code every 30 seconds, which must be entered in addition to the password during login. Popular apps include Microsoft Authenticator, Google Authenticator, and Authy.

Security: Good. TOTP codes cannot be reused and have a short validity period. However, TOTP is not protected against real-time phishing: if an attacker operates a fake login page and the employee enters both password and TOTP code, the attacker can relay both to the real server in real time (adversary-in-the-middle attack).

Usability: Medium. Employees must open the app and type a code at every login. This takes only a few seconds but can feel cumbersome with frequent logins.

Implementation effort: Low. Most cloud services and VPN solutions support TOTP natively. For internal applications, it can be integrated through identity providers like Keycloak or Azure AD.

Cost: Minimal. Authenticator apps are free and run on personal or company smartphones.

Push notification

With the push method, the user receives a push notification on their smartphone after entering the password and confirms the login with a single tap. Some implementations also display a number that must be matched against the one on the login screen (number matching).

Security: Good to very good, depending on the implementation. Number matching protects against so-called MFA fatigue attacks, where the attacker repeatedly triggers login attempts until the user, frustrated, taps "Approve." Without number matching, this method is vulnerable to exactly this attack pattern.

Usability: High. A single tap is faster and more convenient than typing a code. Employees generally accept push-based MFA better than TOTP.

Implementation effort: Medium. Requires integration with the identity provider and distribution of the authenticator app. Microsoft Authenticator and Duo are the most common enterprise solutions.

Cost: Depends on the solution. Microsoft Authenticator is included in the Microsoft 365 licensing model; Duo and other solutions require separate licenses.

FIDO2 / Passkeys

FIDO2 is the gold standard of MFA. The second factor is a hardware security key (e.g., YubiKey) or a biometric feature (fingerprint, facial recognition) verified on the device itself. Authentication is based on public-key cryptography and is bound to the domain of the service. For those interested in the next step beyond MFA, the article on passwordless authentication provides a deeper exploration.

Security: Very high. FIDO2 is the only MFA method that is structurally resistant to phishing. Since authentication is bound to the service's domain, it simply does not work on a fake login page. Adversary-in-the-middle attacks also fail because the challenge-response is cryptographically bound to the legitimate domain.

Usability: High. Insert a hardware key and press a button, or place a finger on the sensor. No code to type, no app to open, no smartphone needed.

Implementation effort: Medium to high. Most modern cloud services and operating systems support FIDO2. However, integration with older on-premises applications can be complex. Additionally, hardware keys must be procured, distributed, and inventoried.

Cost: Hardware keys cost between 25 and 70 euros per unit, depending on the model. For 100 employees (each with a primary and a backup key), that amounts to 5,000 to 14,000 euros. That is an investment that quickly pays for itself through prevented attacks.

SMS-based codes

A one-time code is sent via SMS to the registered mobile number and entered during login.

Security: Weak. SMS is the least secure MFA method. SIM-swapping attacks, where the attacker redirects the mobile number to their own SIM card, are documented and occur in practice. Additionally, SMS messages are transmitted unencrypted and can be intercepted under certain circumstances.

Usability: Medium. Most employees are familiar with SMS codes from online banking and find the method intuitive. Problems arise when mobile reception is poor or the SMS arrives with a delay.

Recommendation: SMS-based MFA is better than no MFA at all, but it should not be the only option. Use SMS only as a fallback when TOTP or FIDO2 are not possible, and plan the migration to a more secure method.

Which method for which use case?

Area                                   | Recommended                | Rationale
---------------------------------------|----------------------------|-------------------------------------------
Admin accounts, IT infrastructure      | FIDO2                      | Highest security level, phishing-resistant
Cloud services (Microsoft 365, Google) | Push or TOTP               | Good balance of security and usability
VPN access                             | TOTP or Push               | Broadly supported, quick to implement
Internal web applications              | TOTP via identity provider | Centralized management through SSO
Employees without company phones       | FIDO2 hardware key         | No smartphone required
Backup/fallback method                 | Recovery codes             | For when the primary factor is unavailable

Rollout strategy: Four phases to success

The most common mistake when introducing MFA is trying to do everything at once. On Monday the policy is issued, on Wednesday MFA is activated for everyone, on Thursday 50 employees call the helpdesk because they cannot log in. This creates frustration, resistance, and in the worst case a demand for an exception that becomes permanent.

A phased rollout avoids these problems. It gives each user group time to prepare, allows IT to identify issues early, and creates internal champions who can support their colleagues.

Phase 1: IT administrators and privileged accounts (weeks 1-2)

Start with the accounts that can cause the most damage if compromised: domain admins, cloud administrators, service account managers, and firewall administrators. This group has the technical understanding to set up MFA on their own and can simultaneously serve as a pilot group to identify problems before the broader rollout begins.

Actions in Phase 1:

  • Activate MFA for all admin accounts (FIDO2 preferred, TOTP as fallback)
  • Set up and test the break-glass procedure (more on this shortly)
  • Create documentation: setup guide, FAQ, troubleshooting
  • Configure conditional access policies (e.g., no admin login without MFA, even from the internal network)

Phase 2: Executive leadership and managers (weeks 3-4)

Executive leadership is a prime target for spear phishing and CEO fraud. At the same time, introducing MFA at the leadership level sends a signal: if the executives use MFA, no one can argue it is too cumbersome.

Actions in Phase 2:

  • Personal onboarding for executives and managers (not a mass email with instructions, but a brief meeting with setup support)
  • Push notification as the preferred method (lowest effort for users)
  • Set up a backup method (TOTP or recovery codes in case the smartphone is unavailable)

Phase 3: Departments with access to critical data (weeks 5-8)

This phase covers finance, HR, sales (CRM with customer data), and development (access to source code and production environments). These departments process sensitive data and are frequently the target of focused attacks.

Actions in Phase 3:

  • Department-level communication: announcement two weeks before rollout, explanation of the why, setup guide
  • Offer training sessions (30-minute sessions where employees set up MFA with guidance)
  • Increase helpdesk capacity (more requests will come in during the first week after activation than usual)
  • Monitoring: how many employees have set up MFA? How many are having issues?

Phase 4: All remaining employees (weeks 9-12)

The final step: activate MFA for all employees. By this point, you have three months of experience, the documentation is battle-tested, the helpdesk knows the most common issues, and every department has colleagues who already use MFA and can offer support.

Actions in Phase 4:

  • Company-wide communication with a specific activation date
  • A grace period of two weeks during which MFA is offered but not yet enforced (employees can set it up voluntarily and get used to the process)
  • After the grace period expires: enforce MFA through conditional access policies
  • Follow up with employees who have not yet set up MFA

User adoption: Taking resistance seriously

The technical introduction of MFA is the easier part. The harder part is user adoption. MFA means an additional step at every login, and every additional step is perceived as an obstacle by a portion of the workforce. That is human and understandable. The task is not to ignore or steamroll this resistance, but to reduce it through communication and usability.

The most common objections and how to address them

"It's too cumbersome for me." Show how fast MFA actually is: a single tap on a push notification takes two seconds. Typing a TOTP code takes five seconds. Compared to the time a ransomware attack costs (days to weeks of downtime), these seconds are negligible.

"I don't want to use my personal smartphone for work." A valid objection. Offer alternatives: FIDO2 hardware keys do not require a smartphone. Some companies provide company phones or use desktop authenticator applications. Do not force the installation of an app on a personal device without consent.

"What if my phone battery dies or I forget it?" That is why backup methods and recovery codes exist. Explain the fallback options in the setup guide and ensure every employee has configured at least one backup method.

"My workstation has no USB port / no Bluetooth." Check the infrastructure before the rollout. FIDO2 keys come in USB-A, USB-C, and NFC variants. Choose the variants that fit your hardware.

"The executives don't need this." The executives need it the most: they are prime targets for spear phishing and CEO fraud, and NIS2 provides for the personal liability of management for cybersecurity measures.

Communication is key

The introduction of MFA does not begin with technical configuration, but with communication. Employees need to understand why MFA is being introduced (not "because IT says so," but "because stolen passwords are the most common entry point for cyberattacks, and MFA reduces this risk by over 99 percent"). They need to know when it affects them, what they need to do, and whom to contact if they have problems.

Communicate early, clearly, and repeatedly:

  • Two weeks before: Announcement email with explanation, timeline, and link to the guide
  • One week before: Reminder with specific steps and a note about training sessions
  • On rollout day: Brief message with helpdesk contact for questions
  • One week after: Status update on how many have set up MFA, follow-up on open cases

Emergency access: The break-glass procedure

What happens when an administrator loses their hardware key and their smartphone is broken? What happens when a critical system needs to be patched over the weekend and the only admin with a FIDO2 key is on vacation in a mountain cabin with no cell reception?

Without a break-glass procedure, MFA can paralyze business operations rather than protect them. That sounds paradoxical, but it is a real risk that you must address before the rollout.

What a break-glass procedure is

A break-glass account is an emergency account with administrative privileges that is accessible without the usual second factor. The name comes from the analogy "break glass in case of emergency," like the fire alarm behind the glass panel.

How to implement it

Create dedicated emergency accounts: Set up one or two dedicated break-glass accounts (e.g., emergency-admin@company.com) that are not tied to a single person. These accounts have the necessary permissions to perform administrative tasks and use an extremely long, randomly generated password.

Store the password securely: Print the password and store it in a sealed envelope in a physical safe. Alternatively, use a hardware vault (e.g., a separate, secured password management device). The sealed envelope has the advantage that you can immediately see whether it has been opened.

Log all usage: Configure alerting on these accounts. Every login with a break-glass account must trigger an alert to the security team and executive leadership. Every use must be documented and retroactively justified.

Test regularly: Test the break-glass procedure at least every six months. Does the account work? Is the password still correct? Does the alert fire? Is the safe accessible?
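The two alerts this section and the Phase 1 conditional access policy call for (every break-glass login pages the security team; no admin login without MFA) can be checked as detection logic over sign-in records. The following is an added example, not code from the article or from any product: the log format is a constructed generic JSON-lines shape, not a vendor schema, and the account names are the article's placeholder plus an assumed admin account.

```python
import json
from dataclasses import dataclass

# Constructed sample sign-in records (generic JSON lines, not a vendor log format).
SAMPLE_SIGNIN_LOG = """
{"ts": "2024-05-13T07:58:10Z", "user": "j.mueller@company.com", "mfa": "push", "source": "10.0.4.21", "result": "success"}
{"ts": "2024-05-13T08:02:41Z", "user": "domainadmin@company.com", "mfa": "none", "source": "10.0.4.50", "result": "success"}
{"ts": "2024-05-13T08:05:03Z", "user": "emergency-admin@company.com", "mfa": "none", "source": "10.0.1.9", "result": "success"}
{"ts": "2024-05-13T08:07:19Z", "user": "domainadmin@company.com", "mfa": "fido2", "source": "10.0.4.50", "result": "success"}
{"ts": "2024-05-13T08:09:55Z", "user": "emergency-admin@company.com", "mfa": "none", "source": "203.0.113.7", "result": "failure"}
"""

# Assumed account names: the article's break-glass placeholder and one hypothetical admin.
BREAK_GLASS_ACCOUNTS = {"emergency-admin@company.com"}
PRIVILEGED_ACCOUNTS = {"domainadmin@company.com", "emergency-admin@company.com"}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    user: str
    ts: str


def evaluate_signins(log_text: str) -> list[Alert]:
    """Walk the sign-in records and return the alerts the MFA policy requires."""
    alerts: list[Alert] = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        user, mfa, result = rec["user"], rec.get("mfa", "none"), rec["result"]
        # Rule 1: any use of a break-glass account, successful or not, is critical.
        # The account is expected to log in without a second factor, so rule 2 must not
        # fire for it as well; the alert itself is the control.
        if user in BREAK_GLASS_ACCOUNTS:
            alerts.append(Alert("critical", "break-glass-used", user, rec["ts"]))
            continue
        # Rule 2: a privileged account that got in without a second factor means the
        # "no admin login without MFA" conditional access policy is not being enforced.
        if user in PRIVILEGED_ACCOUNTS and result == "success" and mfa == "none":
            alerts.append(Alert("high", "admin-login-without-mfa", user, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate_signins(SAMPLE_SIGNIN_LOG):
        print(f"[{alert.severity}] {alert.rule}: {alert.user} at {alert.ts}")
```

Running this over the break-glass test described above (a deliberate login with the sealed password) is a direct way to answer the question "Does the alert fire?".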

Recovery codes for individual accounts: In addition to the break-glass account, every employee should generate recovery codes during MFA setup and store them securely. These codes allow login when the primary second factor is unavailable.
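What "store them securely" means on the server side is the part of recovery codes that is usually done wrong, so here is an added example (not code from the article): codes are generated with a CSPRNG, shown to the employee once, kept server-side only as salted hashes, normalized on entry, and burned after a single use. The alphabet, code length and PBKDF2 parameters are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/o, 1/l/i) so codes written on paper survive.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> list[str]:
    """Create human-typeable one-time codes such as 'k7m2p-x9qrt' (constructed format)."""
    return [
        "-".join("".join(secrets.choice(CODE_ALPHABET) for _ in range(group_len))
                 for _ in range(groups))
        for _ in range(count)
    ]


def _normalize(code: str) -> str:
    # Accept what a person will actually type: spaces, dashes and capitals are ignored.
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # A recovery code is a password equivalent: keep only a salted, slow hash.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """Server-side record for one user: salted hashes only, each redeemable exactly once."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        digest = _hash_code(code, self.salt)
        match = next((s for s in self.unused if hmac.compare_digest(s, digest)), None)
        if match is None:
            return False
        self.unused.remove(match)  # single use: a redeemed code never works again
        return True

    def remaining(self) -> int:
        """Count left; below a threshold the user should be told to generate a new set."""
        return len(self.unused)
```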

Common mistakes when introducing MFA

From experience with MFA rollouts in mid-market companies, the same mistakes keep emerging. If you know them, you can avoid them.

SMS as the only second factor

SMS is the least secure MFA method. SIM swapping, SS7 vulnerabilities, and unencrypted transmission make SMS codes attackable. Use SMS only as a fallback when no other method is possible, and plan the migration to TOTP or FIDO2.

No backup method configured

If the only second factor is a smartphone and the smartphone fails, the employee is locked out. Ensure every user has at least one backup method: recovery codes, a second hardware key, or an alternative authenticator app on another device.

Forgotten service accounts

Service accounts generally cannot perform MFA because no human is there to confirm the second factor. They must be secured differently: long, random passwords, IP restrictions, regular rotation, and monitoring. Do not forget them in your MFA planning, and explicitly document why they are excluded. In ISMS Lite, you can track MFA rollout progress per user group and document exceptions for service accounts with a rationale and expiration date.

Missing communication before the rollout

Employees who suddenly face an MFA prompt on Monday morning without any prior notice are frustrated and unsettled. Communicate the rollout at least two weeks in advance, explain the reasoning, and offer support.

Exceptions without an expiration date

"The production floor has no Wi-Fi, so we'll make an exception for those employees." Such exceptions are sometimes necessary, but they must not become permanent. Give every exception an expiration date and a plan for how the exception will be resolved (e.g., by providing FIDO2 keys with NFC, which do not require Wi-Fi).

MFA only for cloud services, not for internal systems

Many organizations activate MFA for Microsoft 365 and Google Workspace but forget about VPN access, the internal ticketing system, database access, and admin panels of network infrastructure. Attackers exploit exactly these gaps. MFA must be introduced wherever a compromised account can cause damage.

Practical example: MFA rollout in a 100-employee company

To make the concepts tangible, here is a concrete example. A mid-market company with 100 employees, Microsoft 365 as the cloud platform, an on-premises Active Directory, VPN access for field staff and remote workers, and a handful of internal web applications.

Starting position

  • MFA is not activated for any account
  • The IT department consists of three people
  • The company falls under NIS2 and must demonstrate MFA compliance
  • Budget for the rollout: 15,000 euros

Planning (2 weeks)

The IT department defines the MFA strategy:

  • Primary method: Microsoft Authenticator with push notification and number matching (included in the Microsoft 365 license)
  • For IT admins: YubiKey 5 NFC (FIDO2), two keys per admin (primary + backup)
  • For employees without a smartphone: YubiKey 5 NFC (FIDO2)
  • Fallback for everyone: Recovery codes, securely stored

Cost: 10 YubiKeys for IT admins (5 admins x 2 keys x 50 euros = 500 euros), 20 YubiKeys as reserve for employees without smartphones (20 x 50 euros = 1,000 euros). Remaining 13,500 euros as a buffer for unforeseen requirements.

Phase 1: IT team (weeks 1-2)

The three IT staff members set up MFA for their admin accounts using YubiKeys. They test the process, document the setup, create an FAQ, and configure the break-glass procedure: two emergency admin accounts with 40-character passwords in sealed envelopes in the executive safe.

Conditional access policy: No admin login without MFA, regardless of location.

Phase 2: Executives and department heads (weeks 3-4)

Personal onboarding for the two managing directors and eight department heads. IT sets up Microsoft Authenticator and explains the number-matching process. Each participant generates recovery codes and stores them in their personal safe or at a defined secure location.

Phase 3: Finance, HR, and Sales (weeks 5-8)

Announcement via email and in the department meeting two weeks before rollout. Two training sessions (30 minutes each) per department, where employees set up MFA with guidance. Three employees without smartphones receive YubiKeys.

Grace period: MFA is offered but not enforced for two weeks. After the grace period expires, the conditional access policy takes effect.

Helpdesk volume in the first week: 12 requests, mainly "app is not showing a code" (solution: app update) and "new smartphone, how do I transfer MFA?" (solution: use backup method, set up MFA on new device).

Phase 4: All employees (weeks 9-12)

Company-wide communication. Two training sessions per week over three weeks. Individual support for employees who need help. After the grace period: 98 out of 100 employees have set up MFA. The remaining two are on parental leave and will be set up upon return (documented exception with expiration date).

Result after 12 weeks

  • MFA activated for all active user accounts
  • IT admin accounts secured with FIDO2 (phishing-resistant)
  • Break-glass procedure set up and tested
  • Conditional access policies active for all user groups
  • Documentation created for the ISMS: MFA policy, rollout log, exception register
  • Total cost: 2,300 euros (hardware keys + IT team labor)
  • NIS2 requirement demonstrably met

Integrating MFA into the access control policy

The MFA rollout is an operational measure that must be anchored in your access control policy. This ensures that MFA is not understood as a one-time project but as a permanent requirement that applies to new employees, new systems, and new services.

The policy should cover the following points:

  • Scope: For which systems and accounts is MFA mandatory?
  • Approved methods: Which MFA methods are allowed? Which are preferred?
  • Exceptions: Under what circumstances are exceptions permissible? Who approves them? How long do they remain valid?
  • Onboarding: How is MFA set up for new employees?
  • Offboarding: How are MFA factors deactivated for departing employees?
  • Device loss: What happens when an employee loses their smartphone or hardware key?
  • Break-glass: How does emergency access work? Who has access? How is usage monitored?

This policy is simultaneously your evidence for auditors and regulators that you have not only technically implemented MFA but also organizationally embedded it.

The path to passwordless authentication

MFA is an important step, but not the end of the journey. The next logical step is passwordless authentication, where the password is eliminated entirely and login relies exclusively on strong factors like FIDO2 keys or biometric features.

The benefits are clear: no password means no password that can be stolen, guessed, or leaked. Usability improves, and the IT department saves on password resets, which according to studies account for between 20 and 50 percent of all helpdesk requests.

The path to get there leads through exactly the steps described in this article: introduce MFA, establish FIDO2 for critical accounts, gain experience, adapt the infrastructure. Once MFA works organization-wide, the transition to passwordless authentication is a natural next step.

Start now with Phase 1: MFA for admin accounts. The rest follows week by week, phase by phase. In twelve weeks, your organization can be where it needs to be: with organization-wide multi-factor authentication that neutralizes the most important attack vector and demonstrably meets NIS2 requirements.
