Multifactor authentication (MFA) is no longer a preferred security protocol—it is a must. But what makes for a successful MFA implementation? It’s a pretty daunting idea at most organizations, but with the right plan, you can make it work and benefit from it.
At the Hartford, we accomplished both internal and external use of MFA and had a smooth time of it. Our success was largely attributable to an excellent change management strategy and thoughtful execution. I’d like to share some of what we did to help others with their MFA onboarding process.
The first step was putting a lead in place who was an expert at change management. We decided to start employing MFA within our own company first—a sort of test drive before making the ask of our broker partners. Our change leader assembled a team, which had representatives from every department at the Hartford. They did a deep dive into our structures, networks and capacity before ever promulgating even a draft of a solution. That months-long research effort gave them time to learn where our strengths were and where there might be a learning curve.
In the initial stage, we developed a set of benchmarks—key performance indicators—such as the acceptable number of attempted logins, successful MFA logins, denials of access and help desk calls. After extensive communication to and education of our staff on the importance and use of MFA, we deployed it internally.
As MFA went live inside the Hartford, we measured against our key performance indicators to identify problems so we could target corrections to smooth the process before external rollout. We took comments and sought feedback. By the time we moved to external rollout, pretty much all the bugs were removed, and we had a good sense of MFA’s effect on logins and help desk demand, among other systemic processes.
The next step was rolling MFA out to our broker and other partners.
External rollout
Once we had the internal MFA running smoothly, we turned to a select group of agency partners who were willing to work hand in glove with us to implement MFA as part of their interface with us.
We spent time educating the brokerage principals and tech staff about what would be required. That included making sure everyone received their own user ID and password, conforming their systems to certain technical requirements and going through a validation process. All of this is fairly straightforward for most IT staff, and our team was versed in training in case it was needed.
We started communicating with our partners about five months before we turned on MFA. We also had a dedicated help desk, and those specialists would reach out to any group that was having a problem and help get them over the hump. Working with this first batch of agencies gave us good insights into how to improve our outreach as we expanded our efforts to more users.
On the user side, most people are already familiar with MFA through their bank or another institution, such as a computer or cell phone company, so the concept isn’t a shock to the system. If the hidden, technical interface is working well, most people do little more than grumble about the extra step. Then it becomes second nature, and those who think about it are grateful for the added layer of security.
We took a tiered approach. We onboarded 5,000 users one week, then 10,000 the next, etc., bringing on about 90,000 users, the whole time confirming our key performance indicators were within our benchmarks. To ease the actual go-live experience, we sent a daily countdown message to users when they signed on to our systems: “30 days until multifactor authentication will be required for sign-on,” etc. When you do that enough, people can’t wait until that message is gone and MFA begins!
One thing that was particularly important was making sure this was an enterprise effort. For example, producers might talk to only their favorite underwriter, so that person would need a way to escalate any concerns from the producer up to the change management team. Providing that pathway was a very successful and smart thing to do and allowed us to prevent having “silent” pockets of discontent that could manifest in a reduction in business. I’m happy to say there were no serious problems at all, but it was good that everyone on our side knew how to pass along agency information if it did come in.
By taking metrics seriously, we were able to compare implementation across our partners: MGA versus retail agent versus payroll company. Our hypothesis was that there wouldn’t be a difference between the segments of our external partners, and that was true. But that might not be the case with every organization that launches MFA.
Lessons learned
We found that both internal and external users were very happy to have a long lead time, a lot of transparency into the reasons for MFA, help with the technical aspects of implementation and suggestions for educating staff. We also decided that some of those key performance indicators were worth integrating into our monthly evaluation of how things are continuing with our agency and other partners.
We think both the KPIs and process-transformation efforts gave us an improved methodology for other change management in the future, so that’s a real bonus from this process.
We also know without a doubt that MFA will give us added protections from some of the most common cybersecurity breaches. If someone does get hold of a username and password, having that secondary layer of authentication should put a halt to unauthorized access to our systems. All in all, MFA is beneficial for cybersecurity at a time when bots and bad guys are working 24/7. I hope your rollout goes as well as ours.