
MFA without the friction.

How to roll out MFA across a 50-person firm without the helpdesk getting buried.

By Joe Burns · May 2026

Multi-factor authentication is the single highest-leverage thing most firms can switch on. Microsoft’s own figures put it at blocking the overwhelming majority of account-takeover attacks. If you do one security thing this quarter, it’s this.

And yet plenty of firms half-do it — MFA on some accounts, nagged-about on others, switched off for the partners because they complained. That’s worse than useless, because the unprotected accounts are exactly the ones worth stealing. The reason it gets half-done is always the same fear: a clumsy rollout buries the helpdesk in lockouts and annoys everyone. So here’s how to do it properly without the support pain.

Why the clumsy version backfires.

The bad rollout looks like this: flip MFA on for everyone on a Monday, send one email the night before, and brace. What you get is a morning of lockouts, a queue of confused people, and — worse — a workforce that’s just been trained to tap “approve” on every prompt to make the annoyance go away. That last bit matters, because attackers exploit it directly: bombard someone with prompts at 2am until they approve one just to stop their phone buzzing. It’s called MFA fatigue, and a rushed rollout sets it up perfectly.

So the goal isn’t just “turn MFA on.” It’s “turn on MFA people understand, with a method that resists fatigue, in an order that keeps the helpdesk quiet.”

Pick a method that resists fatigue.

Not all MFA is equal. In rough order of best to worst:

  • Passkeys / FIDO2 security keys — phishing-resistant, nothing to approve, nothing to mistype. Where the platform supports them, these are the destination.
  • Authenticator app with number matching — instead of a plain “approve?” prompt, the user types a number shown on screen into the app. That one change kills MFA fatigue, because you can’t approve a prompt you didn’t initiate. If you do nothing else, turn number matching on.
  • Authenticator app, plain approve — fine, but vulnerable to the 2am-bombardment trick. Don’t stop here.
  • SMS codes — the weakest common method (SIM-swap attacks, interception), but still infinitely better than nothing. Use it as a fallback, not the default.

We default clients to the authenticator app with number matching, and move the high-value and admin accounts toward passkeys.
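To make the "you can't approve a prompt you didn't initiate" point concrete, here is an added simulation of a push-approval server with and without number matching. It is example code written for this article, not Microsoft's or any authenticator vendor's implementation; the class names, the two-digit challenge range, the 60-second validity window and the burst threshold are all assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a push-based MFA server. Not vendor code: the
# challenge range, TTL and audit-event names are assumptions for this example.

CHALLENGE_TTL_SECONDS = 60


@dataclass
class PushChallenge:
    user: str
    number: int          # the number shown on the login screen
    issued_at: float
    consumed: bool = False


@dataclass
class AuthServer:
    number_matching: bool = True
    pending: dict = field(default_factory=dict)   # user -> PushChallenge
    events: list = field(default_factory=list)    # (user, outcome) audit trail

    def start_login(self, user: str, now: float) -> int:
        """A sign-in attempt sends a push and displays a two-digit number."""
        number = secrets.randbelow(90) + 10
        self.pending[user] = PushChallenge(user, number, now)
        return number

    def approve(self, user: str, typed: Optional[int], now: float) -> bool:
        """The user taps approve in the app, optionally typing the number."""
        ch = self.pending.get(user)
        if ch is None or ch.consumed:
            self._log(user, "no_pending_challenge")
            return False
        if now - ch.issued_at > CHALLENGE_TTL_SECONDS:
            self._log(user, "expired")
            return False
        if self.number_matching and typed != ch.number:
            # The approval does not carry the number on the screen, so whoever
            # tapped approve is not the person sitting at the login prompt.
            self._log(user, "number_mismatch")
            return False
        ch.consumed = True
        self._log(user, "approved")
        return True

    def _log(self, user: str, outcome: str) -> None:
        self.events.append((user, outcome))


def mismatch_burst(events, user: str, threshold: int = 3) -> bool:
    """Defender-side check: a run of mismatched approvals on one account means
    the user is answering prompts they did not start. Worth alerting on."""
    count = sum(1 for u, o in events if u == user and o == "number_mismatch")
    return count >= threshold


def demo():
    """Returns (blind approve on plain server, blind approve with matching,
    correct number with matching, replay of a consumed challenge)."""
    now = time.time()

    plain = AuthServer(number_matching=False)
    plain.start_login("alice", now)
    blind_ok_plain = plain.approve("alice", None, now + 5)      # accepted: the fatigue problem

    matched = AuthServer(number_matching=True)
    matched.start_login("alice", now)
    blind_ok_matched = matched.approve("alice", None, now + 5)  # rejected
    n = matched.start_login("alice", now + 10)
    right_ok = matched.approve("alice", n, now + 15)            # accepted
    replay_ok = matched.approve("alice", n, now + 16)           # rejected: already consumed
    return blind_ok_plain, blind_ok_matched, right_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

The plain server accepts a bare "approve" for any outstanding prompt, which is exactly what a 2am bombardment relies on; the number-matching server rejects it and records a `number_mismatch` event, and `mismatch_burst` shows how those rejections double as a detection signal for the helpdesk or SOC.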

Sequence it: pilot, then waves.

Don’t boil the ocean. The order that keeps the helpdesk calm:

  1. Pilot with IT and a few willing volunteers. Shake out the enrolment steps and write down the exact “here’s how you set it up” instructions using your screenshots, not Microsoft’s generic ones.
  2. Roll out team by team, not all at once. A wave of ten people generates a manageable trickle of questions. A wave of two hundred generates a queue.
  3. Give people a grace window to enrol. Conditional access lets you say “you have until Friday to register, then it’s enforced.” People enrol calmly on their own time instead of being locked out cold.
  4. Do the partners and admins too — early, not never. Frame it honestly: the accounts most worth protecting are theirs. Help them set it up personally if that’s what it takes. No exceptions is the entire point; one exempt admin account is the gap an attacker walks through.

Use conditional access so it’s not constant.

The complaint underneath “MFA is annoying” is usually being prompted too often. The fix is conditional access: be strict where risk is high, invisible where it isn’t.

  • On a managed device, on the office network, doing normal things? Prompt rarely. The system trusts the signals.
  • New device, unfamiliar country, or trying to reach something sensitive? Prompt every time.

Set up well, a typical employee on their usual laptop authenticates properly once and then mostly isn’t bothered — while a login attempt from Lagos at 3am gets challenged hard. That’s the experience that makes MFA stick, because it stops feeling like a tax on doing your job. It’s part of the broader identity and access management setup we put in for clients.
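The two bullets above and the grace-window step from the rollout sequence describe a decision table, so here it is as an added worked example: a small policy evaluator over sign-in signals. This is illustrative code written for this article, not Microsoft's conditional-access engine or its API; the signal names, the outcome labels, the set of sensitive resources and the registration deadline are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed model of a conditional-access decision. Not a real Entra/Azure AD
# policy object: every field and outcome name here is an assumption.

SENSITIVE_RESOURCES = {"finance", "admin-portal", "hr-records"}
REGISTRATION_DEADLINE = date(2026, 5, 15)   # the "you have until Friday" date (constructed)


@dataclass
class SignIn:
    user: str
    managed_device: bool      # enrolled in MDM / compliant
    known_device: bool        # has signed in from this device before
    on_office_network: bool
    country: str
    home_country: str
    resource: str
    mfa_registered: bool
    when: date


def decide(s: SignIn) -> str:
    """Return one of:
       'nag_register'     - grace window: let them in, send them to enrolment
       'enforce_register' - deadline passed: no access until enrolled
       'mfa'              - challenge every time
       'allow'            - trusted signals, no prompt
    """
    # Grace window first: an unregistered user cannot be prompted for MFA at all.
    if not s.mfa_registered:
        return "nag_register" if s.when <= REGISTRATION_DEADLINE else "enforce_register"

    # High-risk signals always win, whatever the device looks like.
    new_device = not s.known_device
    unfamiliar_country = s.country != s.home_country
    sensitive = s.resource in SENSITIVE_RESOURCES
    if new_device or unfamiliar_country or sensitive:
        return "mfa"

    # Low-risk: managed device the user has used before, or on the office network.
    if s.managed_device and (s.known_device or s.on_office_network):
        return "allow"

    # Anything else (e.g. a personal device) still gets challenged.
    return "mfa"


def sample_signins():
    """Constructed sign-in events covering each branch of the policy."""
    home = "GB"
    return [
        SignIn("alice", True, True, True, home, home, "mail", True, date(2026, 5, 12)),
        SignIn("bob", False, False, False, "NG", home, "mail", True, date(2026, 5, 12)),
        SignIn("carol", True, True, True, home, home, "finance", True, date(2026, 5, 12)),
        SignIn("dave", True, True, True, home, home, "mail", False, date(2026, 5, 12)),
        SignIn("erin", True, True, True, home, home, "mail", False, date(2026, 5, 18)),
        SignIn("frank", False, True, False, home, home, "mail", True, date(2026, 5, 12)),
    ]


def evaluate_all(signins) -> dict:
    """Map each user to the policy outcome for their sign-in."""
    return {s.user: decide(s) for s in signins}


if __name__ == "__main__":
    for user, outcome in evaluate_all(sample_signins()).items():
        print(f"{user:6} -> {outcome}")
```

Alice on her usual managed laptop in the office sails through; Bob on an unknown device from an unfamiliar country is challenged; Carol is challenged only because she is opening finance; Dave is inside the grace window and gets nudged to enrol, while Erin, past the deadline, gets nothing until she does. Frank's known but unmanaged personal device is still prompted, which is the "trust the signals, not the user's word" principle in one branch.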

Plan the fallbacks before you need them.

Two things will happen, so plan for them:

  • Someone gets a new phone and their authenticator is gone. You need a self-service or quick-desk path to re-register that proves who they are without becoming a social-engineering hole. Attackers love calling the helpdesk pretending to be a locked-out exec — so the re-enrolment process needs an identity check that isn’t just “they sounded senior.”
  • Someone’s locked out before a big deadline. A pre-agreed temporary-access path beats a panicked phone call. Knowing the fallback exists is also what lets you enforce confidently rather than leaving loopholes open “just in case.”

The whole thing, in one line.

Good MFA is: a fatigue-resistant method (number matching at minimum), rolled out in waves with a grace window, made nearly invisible day-to-day by conditional access, applied to everyone including the leadership, with a sane recovery path. Do it that way and the helpdesk barely notices — and you’ve shut the door on the most common breach there is.

Written by Joe Burns, CEO, Reformed IT.