Technology Cybersecurity Identity & Access Security

Multi-Factor Authentication

High scrutiny and high blast radius; proof and governance matter.

Duo (Cisco) Okta Microsoft RSA
Inside this journey
  1. Customer Discovery

    Map application coverage gaps, failure modes (e.g., VPN/RDP/legacy apps), stakeholders, and pilot success signals (helpdesk delta, enrollment rate, insurance attestation).

    Discovery Questions

    Quick Snapshot — Where are you right now?

    • Tell me briefly about your org size, industry, and the person driving the MFA decision (title + team).
    • Which statement best describes why you're evaluating phishing‑resistant MFA today? Options: Failed/flagged in a cyber insurance audit, Recent credential-stuffing or account takeover incident, CISO mandate to remove SMS-based MFA, Proactive risk reduction / compliance roadmap, Other
    • Which parts of your environment are top priority for this project? Options: Cloud SSO (IdP), Corporate VPN, RDP / Remote Desktop, SSH / Admin access, Legacy on-prem apps (forms/basic auth), Customer-facing portals, Other
    • How mature is your IAM capability today (pick the best fit)? Options: IdP-only for SSO, no device controls, IdP + basic policies, gaps on VPN/legacy, Established IdP + MDM + conditional access, Dedicated IAM team and mature processes
    • Rough timeline you're targeting for a pilot and initial decision (months)? Options: Immediate / This month, Next 1–2 months, 3–6 months, 6+ months, No set timeline

    Are we comfortably ignoring the gaps—or is something already exploding?

    • Which critical access points would make you lose sleep if they were compromised tonight? Options: Corporate email, VPN access for remote staff, RDP / remote admin tools, SSH to production systems, Customer portal/accounts, HR/payroll systems, Other
    • Which of those high‑risk access points currently lacks phishing‑resistant MFA (be specific)? Options: Cloud SSO protected, VPN lacks phishing‑resistant options, RDP uses legacy MFA or passwords, SSH not centrally managed, Legacy apps allow password only
    • Have you had incidents where attackers exploited MFA gaps (credential stuffing, SIM swap, prompt bombing)? Describe one recent example and impact.
    • When you think about those incidents, what's the single hardest consequence you felt (financial, reputational, insurance, operational)? Options: Increased insurance premiums, Customer data exposure, Operational downtime, Executive escalation/reputational damage, Regulatory scrutiny, Other
    • Has cyber insurance required a change in controls already, or is it a future renewal concern? Options: Already required (audit failed), Flagged as likely at renewal, Not currently required but concerned, Unsure / need to check

    Who's actually responsible when the pager goes off?

    • If we needed a rapid decision during the pilot, who signs off on go/no‑go (role names)?
    • Which stakeholders must be consulted or will push back during rollout? Options: Security (CISO/Dir), IT Ops/Infrastructure, Helpdesk / Service Desk, Legal / Compliance, HR, Engineering / DevOps, Finance, Executive sponsor
    • How does your helpdesk currently handle MFA-enrollment calls—ticketing system and average SLA? Options: In-house helpdesk (<8 agents), In-house helpdesk (8–25 agents), Shared IT support / outsourced, No formal helpdesk
    • Who will be the day‑to‑day owner of the pilot (name/title) and who is the executive sponsor?
    • When decisions conflict (security vs. user convenience), which team typically wins and why? Options: Security enforces, IT balances security + usability, Business units push back, Depends on exec sponsor

    Where does enrollment turn into a riot—and how do we avoid it?

    • Which enrollment methods are acceptable for your users in the pilot? Options: Self‑service web enrollment, IT-assisted onsite provisioning, Bulk provisioning of hardware keys, Email/phone-assisted enrollment, Other
    • What percentage of your workforce is likely to have smartphones or platform biometric devices? Options: >90%, 70–90%, 50–70%, <50%, Unsure — need to inventory
    • How many users can you realistically support for IT-assisted provisioning in the pilot (numeric or range)? Options: <50, 50–200, 200–500, 500–1,000, >1,000
    • What is your current baseline: average daily helpdesk tickets related to legacy MFA / password resets? Options: 0–10, 11–50, 51–200, 201–500, >500, Unknown / not tracked
    • Describe any groups or personas likely to resist hardware keys or biometric methods and why (field sales, contractors, manufacturing, etc.).

    Technical blind spots I'd hate to find mid‑pilot

    • Which IdP do you use and can we get admin-level integration access for a pilot (Okta, Azure AD, Ping, other)? Options: Okta, Azure AD / Entra, Ping, Google Workspace, On-prem IdP / ADFS, Other
    • What VPN/RDP/SSH vendors or protocols are in play that we must integrate with? Options: Cisco AnyConnect / ASA, Palo Alto GlobalProtect, OpenVPN / OpenConnect, Fortinet VPN, Windows RDP / RD Gateway, OpenSSH / Bastion hosts, Other
    • Do you have device management or hygiene in place (MDM/endpoint manager, disk encryption, EDR)? Please list existing controls.
    • Which legacy apps still accept username/password or basic auth and will require special connectors or proxies?
    • What telemetry and logs can you export for pilot analysis (helpdesk ticket IDs, authentication logs, conditional access logs, VPN logs)? Options: Authentication logs (IdP), VPN logs, Helpdesk ticketing data, Device posture/MDM logs, None readily available, Other

    How will we know the pilot actually worked?

    • Pick the primary success signals you need to see to convince finance/security to expand. Options: Helpdesk ticket reduction (absolute), Enrollment completion rate, Full-app coverage during pilot, Reduction in successful phishing/credential attacks, Insurance attestation obtained, Compliance evidence (NIST 800-63)
    • What target thresholds would you set for those signals (e.g., 75% enrollment, 40% helpdesk reduction)?
    • Who must sign the pilot acceptance checklist (roles), and what would make them say 'no'?
    • How frequently would you like pilot progress updates and in what format? Options: Daily dashboard, Weekly executive summary, Bi-weekly deep review, Ad-hoc on major events
    • If insurance attestation is a goal, what documentation will your insurer require (explicit list if known)? Options: NIST 800-63 evidence, Positive control attestation, Enrollment and coverage metrics, Device hygiene proof, Unsure / will ask insurer

    Worst-case: what could stop this from rolling beyond the pilot?

    • Which risks keep you awake when you imagine a company-wide rollout? Options: Helpdesk overload, User pushback / productivity loss, Legacy app incompatibilities, Vendor or network constraints, Budget shortfall, Regulatory blockers
    • Which of those risks are already funded or planned to be mitigated, and which are unknown? Options: Fully mitigated, Partially mitigated, Recognized but no plan, Unknown / need to investigate
    • What is your fallback plan for users who cannot enroll (temporary bypass, emergency single-use codes, IT-provisioned keys)? Options: Temporary bypass with monitoring, IT-provisioned hardware, Helpdesk-assisted manual verification, No bypass allowed, Other
    • If we identified a show-stopping compatibility issue mid‑pilot, who has the authority to pause expansion and what criteria trigger that pause?
    • Assuming we clear the pilot, what are the top three priorities you want the vendor to own during expansion? Options: Reporting & compliance export, Helpdesk enablement & scripts, Hardware key logistics, IdP policy automation, Adaptive risk tuning, Other
  2. Solution Experience

    Design a pilot that ties the customer’s current state to measurable outcomes, showing how phishing-resistant factors and adaptive risk will behave across SSO, VPN, RDP, SSH, and legacy apps.

    Experience Meetings

    • Current State & Business Impact Alignment
    • Pilot Success Criteria & Measurement Planning
    • Pilot Design: Applications, Cohort & Enrollment Flow
    • Technical Integration & Adaptive Risk Mapping
    • Pilot Runbook, Support Plan & Acceptance Review

    Issues & Enhancements

    • Seller to deliver detailed authentication flow diagrams per access path and a test-case matrix linked to KPIs.
    • Agree helpdesk fallback flows and escalation paths to limit ticket blow-up during enrollment.
    • Customer to provide application owners and a short checklist of current auth methods for each target app.
    • Seller to produce a visual single-enrollment user flow for review and sign-off.
    • Customer to nominate helpdesk POCs and provide current SLA/ticket handling stats for baseline comparison.
    • Integration Inventory
    • Produce a per-access-path authentication map that shows where phishing-resistant factors and adaptive risk apply and what data will prove outcomes.
    • Agree a suite of prioritized test cases that, when executed, will constitute the 'proof' portion of the Solution Experience.
    • Identify all technical blockers and assign owners with deadlines to remove them before pilot start.
    • Confirm fallback recovery flows and that helpdesk scripts are sufficient for the identified failure modes.
    • Introductions & Objectives
    • Customer IT to provision test accounts and grant needed access to connectors or a staging environment.
    • Create helpdesk runbook drafts for the defined failure modes for review in the Pilot Runbook meeting.
    • Wave Scheduling & Owner Assignments
    • Finalize a detailed pilot runbook with wave dates, owners, monitoring dashboard links, and helpdesk SLAs.
    • Confirm the exact set of exportable reports and evidence required for NIST 800-63 mapping and insurer attestation.
    • Agree the go/no-go decision rule, signatories, and the post-pilot expansion path if successful.
    • Ensure communications and change management assets are assigned and scheduled for release aligned to wave starts.
    • Seller to produce the final pilot runbook PDF including dashboards, wave schedule, and acceptance checklist.
    • Customer to schedule helpdesk staffing for pilot waves and provide a primary escalation contact.
    • Both parties to confirm the date/time for a pilot kick-off call and the go/no-go review meeting at pilot end.
    • Produce a single-sentence Current State that accurately captures coverage gaps and failure modes.
    • Quantify consequence into 2–3 measurable KPIs (helpdesk ticket delta, enrollment rate target, insurer attestation requirement).
    • Agree a one-sentence Future State that the pilot must prove operationally.
    • Identify the primary decision-maker and approvers for pilot success criteria.
    • Customer to provide current baseline metrics: weekly auth-related helpdesk tickets, legacy app list, current MFA methods per app.
    • Seller to draft one-sentence Current State, Consequence, and Future State and circulate for sign-off.
    • Schedule Pilot Design Workshop with technical and business stakeholders.
    • Review agreed Future State
    • Agree a concise list of 4–6 pilot KPIs with numeric targets and measurement methods.
    • Confirm telemetry sources and responsibility for each data feed required to prove outcomes.
    • Define the acceptance rule (how many metrics must meet target for pilot to pass) and reporting cadence.
    • Identify any missing instrumentation gaps and assign owners to close them before pilot start.
    • Seller to provide a KPI measurement template that maps each KPI to data source, owner, and extraction method.
    • Customer to grant access to sample logs or a sandbox IdP account for telemetry validation.
    • Assign an analytics owner (customer or seller) responsible for producing pilot reports.
    • Pilot Scope Review
    • Produce an agreed pilot scope listing applications, connectors, and cohort makeup.
    • Finalize the enrollment flow that will be used in the pilot and an estimated enrollment completion time per user.
    • Define policy groups and key adaptive risk rules to be exercised during the pilot.
    • Define Pilot KPIs
    • Enrollment Monitoring & Live Metrics
    • Authentication Flow Mapping
    • Cohort Selection & Enrollment Method
    • Current State Diagnosis (forced statement)
    • Single-Enrollment Experience Flow
    • Telemetry & Data Sources
    • Test Cases & Proof Points
    • Helpdesk Staffing & Escalation
    • Consequence Quantification
    • Policy Groups & Adaptive Risk Rules
    • Define Future State (one sentence)
    • Acceptance Checklist & Go/No-Go
    • Reporting & Evidence for Attestation
    • Failure Mode & Recovery Drills
    • Validation Methodology
    • Communications & Change Management
    • Validation & Next Steps
    • Helpdesk & Fallbacks
    • Timeline & Resource Check
  3. Solution Scope

    Define scope: IdP connectors, target applications, pilot cohort, enrollment methods (self-service vs IT-assisted), policies, telemetry, and compliance report requirements.

    Scope Configuration

    • Integrate with Identity Provider (SAML/OIDC/SCIM)
    • Deploy Self-Service Enrollment Portal
    • Provision FIDO2 Hardware Keys and Registration
    • Enable Platform Biometrics (Windows Hello/Touch ID)
    • Activate Push MFA with Number Matching
    • Deploy VPN and RDP Authentication Connectors
    • Integrate SSH Certificate-Based Access
    • Install Legacy App Access via Reverse Proxy
    • Integrate Device Posture and Health Signals
    • Enable Adaptive Risk Policies and Step-up
    • Configure IT-Assisted Enrollment and Kiosk
    • Generate Exportable Compliance Reports (NIST/Insurance)

    Scope Questions

    Integrate with Identity Provider (SAML/OIDC/SCIM)

    • Which identity provider(s) do you currently use or plan to integrate? Options: Okta, Azure AD, OneLogin, Ping, Google Workspace, Custom SAML/OIDC, Other (describe)
    • Which protocols are required for integration? Options: SAML, OIDC/OAuth2, SCIM (user provisioning)
    • Do you require automated user provisioning (SCIM) or will you manage users manually? Options: Require SCIM provisioning, Manual provisioning only, Hybrid (some groups SCIM)
    • Are there existing service accounts, certificates, or technical contacts available for IdP integration (provide ARNs/IDs or contact role)?
    • What is the expected number of identities / MAUs in the pilot scope? Options: <100, 100-500, 501-2,000, 2,000+
    • Are there session or SSO timeout policies that must be preserved or overridden? Options: Preserve existing policies, Override with platform policies, Need to discuss per-application

    Deploy Self-Service Enrollment Portal

    • Do you want self-service enrollment enabled for the pilot cohort? Options: Yes, fully self-service, No, IT-assisted only, Hybrid: self-service with IT fallbacks
    • Which enrollment channels should be available? Options: Web portal, Mobile app (iOS/Android), Email invite, On-prem kiosk/desktop
    • Do you require branding, custom instructions, or multiple language support on the portal? Options: Branding only, Branding + multilingual (list languages), No custom branding
    • What user identity verification step is required during enrollment (e.g., SSO auth, SMS verification, IT code)? Options: SSO-authenticated, Email link, SMS/phone verify, IT-issued code, Other (describe)
    • Are there accessibility, legal, or privacy constraints to enforce on the enrollment UI? Options: Yes (describe), No
    • What enrollment success metrics do you want tracked during the pilot (e.g., time-to-enroll, completion rate, helpdesk calls)? Options: Time-to-enroll, Completion rate, Helpdesk ticket count, User satisfaction, Other (describe)

    Provision FIDO2 Hardware Keys and Registration

    • Will the pilot include physical FIDO2 key issuance? Options: Yes — org-provided keys, No — user-owned keys only, Optional/Varies by user
    • Which FIDO2 form factors do you plan to support? Options: USB-A, USB-C, NFC-enabled, Bluetooth, Platform authenticators (TPM)
    • How many keys will be procured for the pilot and what is the procurement timeline?
    • Do you require key lifecycle management features (inventory, attestation, replacement, revocation)? Options: Yes, No, Partial — only replacement/revocation
    • What is your lost/stolen key policy and recovery path for users without a second factor? Options: IT re-issue after verification, Temporary OTPs, Kiosk re-provisioning, Other (describe)
    • Do certain user groups require hardware-only (no platform biometrics) for compliance reasons? Options: Yes (list groups), No

    Enable Platform Biometrics (Windows Hello/Touch ID)

    • Which platform biometric methods should be enabled during the pilot? Options: Windows Hello (PIN/biometrics), macOS Touch ID, Android Biometric API, iOS Face ID/Touch ID
    • Do endpoints need to be managed via MDM for platform biometric enforcement? Options: Yes — MDM required, No — allow unmanaged devices, Partial — corporate devices only
    • Are there regulatory or privacy constraints around biometric use in your organization or regions? Options: Yes (describe), No
    • How many devices are expected to support platform biometrics in the pilot cohort? Options: <50, 50-200, 200-1,000, 1,000+
    • What fallback authentication should be allowed when platform biometric is unavailable? Options: FIDO2 key, Push with number matching, Temporary OTP, IT-assisted re-enroll
    • Do you require telemetry on biometric enrollments and failures exported to security teams? Options: Yes, No

    Activate Push MFA with Number Matching

    • Do you want push notifications with number-matching enabled as part of the pilot? Options: Yes, No, Optional/Hybrid
    • Which mobile platforms must be supported for push notifications? Options: iOS, Android, Both, Other (describe)
    • Should number matching be enforced everywhere or only for high-risk or legacy apps? Options: Enforce for all push auths, Enforce only for step-up/high-risk, Do not enforce
    • Do you need push delivery failover (SMS/OTP) for offline or push-blocked devices? Options: Yes — SMS fallback, Yes — OTP fallback, No fallback allowed
    • Are there enterprise mobility management constraints affecting push tokens or background delivery? Options: Yes (describe), No
    • What privacy/consent messaging should be presented to users when enabling push notifications?

    Deploy VPN and RDP Authentication Connectors

    • Which VPN solutions and versions need connectors (e.g., Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet)?
    • Do you require RDP protection for direct RDP, RD Gateway, or third-party gateway solutions? Options: Direct RDP, RD Gateway, Bastion / Jump host, Other (describe)
    • Are connectors deployed on-premises (connector appliance) or in cloud-hosted environments? Options: On-prem connector, Cloud-hosted connector, Both
    • Will the VPN/RDP connector need to support legacy authentication (NTLM/kerberos passthrough) or only modern auth? Options: Legacy passthrough required, Modern auth only, Mixed — per-application
    • What is your expected peak concurrent VPN/RDP sessions during the pilot? Options: <50, 50-200, 200-1,000, 1,000+
    • Are network/firewall changes required to allow connectors to communicate with the platform (egress rules)? Options: Yes — changes required, No — open already, Unsure — need assessment

    Integrate SSH Certificate-Based Access

    • Do you currently use SSH key-based authentication, password SSH, or a mix? Options: Key-based, Password-based, Mixed
    • Do you have an existing internal CA/PKI for SSH certificate issuance or require the platform to provide a CA workflow? Options: Existing internal CA, Platform-managed CA, Need recommendations
    • Which server classes and environments should be included (production, staging, developer laptops, containers)? Options: Production, Staging/QA, Developer workstations, Containers/ephemeral
    • Do you need automated short-lived certificate issuance tied to user MFA at SSH session start? Options: Yes — short-lived certs required, No — long-lived keys OK, Optional
    • Are jump hosts or bastions in scope and do they require federation/integration? Options: Yes — include bastions, No
    • What rotation and revocation policy is required for SSH credentials? Options: Automatic short-life rotation, Manual rotation, On-demand revocation only

    Install Legacy App Access via Reverse Proxy

    • Which legacy apps need coverage via reverse proxy (list app names, hostnames, auth types)?
    • What authentication methods do the legacy apps use today (form-login, NTLM, header-based, custom tokens)? Options: Form-based login, NTLM/Integrated Windows Auth, Header-injection SSO, Custom/Proprietary
    • Are there session-sharing or cookie-scope constraints the proxy must preserve? Options: Yes (describe), No, Unsure — need assessment
    • Do any legacy apps require client-side agents or special ports that the proxy must support? Options: Yes (describe), No
    • Is in-app single sign-on required after proxying, or is re-authentication acceptable? Options: True SSO post-proxy, Re-authentication acceptable, Hybrid per-app
    • Do you require phased rollout per-app with smoke-testing windows and rollback procedures? Options: Yes — phased with rollback, No — full cutover, Undecided

    Integrate Device Posture and Health Signals

    • Which device posture attributes are required for access decisions? Options: OS patch level, Disk encryption, Antivirus/EPP status, MFA enrollment, Jailbreak/root detection
    • Do you have an MDM (Intune, Jamf, Workspace ONE) or EDR (CrowdStrike, SentinelOne) to integrate with? Options: Microsoft Intune, Jamf, Workspace ONE, CrowdStrike, SentinelOne, Other (describe), None
    • How should non-compliant devices be handled? Options: Block access, Step-up to higher auth, Allow with warning, Quarantine with limited access
    • Are BYOD devices in-scope for posture checks or only corporate-owned devices? Options: BYOD included, Corporate devices only, Hybrid by user group
    • What telemetry and reporting on device posture do security/compliance teams require? Options: Real-time alerts, Periodic reports, Dashboard only, Exportable audit logs
    • What remediation UX is preferred (self-remediation steps, IT ticket, automated patching)? Options: Self-remediation steps, IT ticket creation, Automated remediation, Other (describe)

    Enable Adaptive Risk Policies and Step-up

    • Which risk signals should be considered for adaptive policies? Options: Impossible travel, New device, Network reputation, Unusual app access, High-risk geolocation
    • For sensitive applications, what step-up authentication methods are acceptable? Options: FIDO2 hardware key only, Platform biometrics, Push with number matching, SSH cert issuance
    • What tolerance for false positives is acceptable (i.e., how often can legitimate users be stepped up)? Options: Low tolerance — avoid disruptions, Moderate — some step-ups OK, High — strict risk blocking
    • Do you require separate policy tiers for user groups (IT, engineers, execs, contractors)? Options: Yes — per-group policies, No — uniform policy, Some groups only
    • Are there regulatory or insurer-driven risk controls that must be enforced by policy? Options: Yes (describe), No
    • How should policy changes be tested and approved before org-wide enforcement? Options: Pilot-only testing, Staged rollout with rollback, Immediate enforcement after approval
  4. Mutual Commit

    Confirm commercial terms, pilot acceptance criteria, timeline, roles (security, IT, helpdesk), and go/no-go conditions for expansion.

    Agreement Modules

    • Non-Disclosure Agreement (NDA)
    • Master Services Agreement (MSA)
    • Statement of Work (SOW)
    • Commercial Terms & Order Form
    • Payment Schedule & Invoicing
    • Pilot Acceptance Criteria
    • Roles & Responsibilities (RACI)
    • Timeline & Milestones
    • Go/No-Go Decision Plan
    • Data Processing Agreement (DPA)
    • Compliance & Insurance Attestation
    • Support & Escalation Agreement (SLA)
    • Change Order & Scope Management
    • Termination & Exit Plan
    • Renewal & Expansion Option
    • Technical Onboarding & Access Checklist
    • Hardware Provisioning & Logistics
  5. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Validate technical prerequisites: IdP access, VPN/RDP/SSH connectors, device hygiene checks, fallback provisioning, and helpdesk staffing/FAQ readiness.

      Readiness Questions

      Quick Grounding: Who You are and Why We're Here

      • Tell us in one sentence why you’re exploring a phishing‑resistant MFA pilot right now.
      • Which event most directly triggered this project? Options: Failed cyber insurance audit, Post-breach credential compromise, CISO mandate to remove SMS MFA, Routine security hardening, Other
      • Who is sponsoring or driving this initiative inside your organization? Options: Director of IT Security, Security Operations Manager, CISO/Head of Security, VP IT/Infrastructure, Head of Risk/Compliance, Other
      • What is your preferred timeline to complete the pilot and evaluate results? Options: 1 week, 2 weeks, 3–4 weeks, 6–10 weeks, Quarter or longer
      • Name your single biggest fear about running this pilot in one short sentence.

      What's Kept You Up at Night?

      • If one weakness in your authentication stack were exploited tomorrow, which one would you least want to explain to leadership?
      • Which of the following areas are highest priority for immediate coverage? Options: Cloud SSO (Okta/Azure/etc.), Corporate VPN, RDP/Remote Desktop, SSH access to servers, Legacy on‑prem web apps, On‑prem portals, Other
      • How many incidents (credential stuffing, SIM swap, MFA bypass attempts) have you detected in the last 12 months? Options: None, 1–2, 3–5, 6–10, More than 10, Unsure
      • Describe a recent incident or near‑miss that made the team rethink authentication—what happened and what was the business impact?
      • How does your team balance usability and enforcement today, and who has final say on policy tradeoffs? Options: Security owns policy, Security proposes, IT approves, Executive mandates, Shared consensus, Other

      All Your Doors Locked — Except That One

      • How many critical applications still accept password‑only logins, and why haven’t they been remediated?
      • Which application categories currently lack phishing‑resistant MFA (select all that apply)? Options: Cloud SSO apps, VPN, RDP/VDI, SSH, Legacy on‑prem apps, Third‑party contractor portals, Privileged access tools (bastions), Other
      • Which legacy systems block standard MFA integrations and what specifically prevents integration (protocol limits, vendor EOL, dependency risk, etc.)?
      • Roughly how many external partners or contractors require access, and what access methods are they using today? Options: None, Fewer than 50, 50–200, 200–500, 500+
      • If VPN or RDP access were fully disrupted for a week due to an incident, what would the operational impact be?

      When Helpdesk Calls Turn Into a Fire Drill

      • What level of helpdesk ticket surge during enrollment would you classify as a show‑stopper? Options: No increase tolerated, 10% over baseline, 25% over baseline, 50% over baseline, 100% or more
      • What is your current average monthly volume of authentication‑related helpdesk tickets? Options: 0–50, 51–200, 201–500, 501–1000, 1000+
      • How many staff (helpdesk + IT) can be dedicated to supporting the pilot during enrollment waves? Options: None, 1–2, 3–5, 6–10, 10+
      • Do you have existing helpdesk scripts, KB articles, or an FAQ for MFA issues that can be updated before the pilot? Options: Yes, ready to use, Yes, needs updates, No, but we can create, No, cannot update during pilot
      • Tell us about a past enrollment or change that created unexpected support load—what failed and how long till recovery?

      Are You Ready to Show the CFO a Number?

      • What single metric would convince Finance to fund an org‑wide rollout after the pilot? Options: Insurance premium reduction, Quantified breach risk reduction, Helpdesk cost savings, Regulatory/compliance evidence, Operational uptime / no disruptions
      • Do you have an upcoming cyber insurance renewal or audit that requires phishing‑resistant authentication? Options: Yes — within 3 months, Yes — 3–6 months, Yes — 6–12 months, No immediate renewal
      • Which compliance or evidence types must we demonstrate for auditors/insurers (select all that apply)? Options: NIST 800‑63 alignment, SOC 2 evidence, ISO 27001 mapping, HIPAA, PCI‑DSS, Cyber insurance attestation, Other
      • Which artifacts will your insurer or auditor accept as proof of phishing‑resistant coverage? Options: Enrollment completion report, Exportable compliance report, Configuration snapshots, Third‑party attestation, Helpdesk delta comparison, Other
      • How will you quantify pilot ROI internally (what calculations, stakeholders, and timeline)?

      What Would a No‑Surprises Pilot Look Like?

      • If you could demand three non‑negotiable guarantees from the pilot to avoid surprises, what would they be?
      • Which enrollment methods would you prefer for the pilot? Options: Self‑service single enrollment, IT‑assisted provisioning, Bulk provisioning via IdP, Hardware key distribution, Temporary exemptions
      • Which connectors/access points can you provide for pilot setup (select all we can get access to)? Options: Okta, Azure AD, Ping, On‑prem Active Directory, VPN (Cisco/Juniper/Other), RDP gateways, SSH bastion/Jump server, Other
      • What pilot cohort size would be convincing yet manageable for your stakeholders? Options: 10–50 users, 51–200 users, 201–500 users, 500+ users
      • Which pilot success signals are mandatory for you to greenlight expansion? Options: Enrollment completion percentage, Reduction in helpdesk tickets, Full app coverage validated, Adaptive risk tuning active, Exportable compliance evidence, No business disruption
      • How much maintenance window/time can you allocate for connector work during the pilot? Options: None (no downtime), Off‑hours only, Small windows (<2 hours), Larger windows (>2 hours)

      Who Needs to Own What (Before We Start)?

      • If the pilot doesn’t meet its goals, who in your org will be held accountable—and are they empowered to remove blockers?
      • Which stakeholders must have explicit roles or sign‑off during the pilot? Options: Security lead, IT operations, Helpdesk manager, Compliance / Risk, Engineering / DevOps, HR / Legal, Executive sponsor
      • Do you have an IdP admin who can provide test accounts or temporary access for the pilot? Options: Yes — full admin access, Yes — limited admin access, No — access must be requested, Unsure
      • Is there an existing inventory or app catalog that maps owners to applications and can be shared for pilot planning? Options: Comprehensive and shareable, Partial coverage, Minimal, None
      • What internal communication channels should we use for real‑time pilot updates, escalations, and documentation? Options: Slack, Microsoft Teams, Email, Ticketing system (ServiceNow/Jira), Weekly status calls, Other
      • Any soft constraints we should know about—employee sentiment, procurement timing for keys/devices, or other blockers?
    2. Deployment Enablement

      Execute the pilot with wave scheduling, owner assignments, enrollment monitoring, and live tracking of helpdesk ticket volume versus legacy MFA.

    3. Validation Checklist

      Verify acceptance: enrollment completion, reduced helpdesk tickets, full-app coverage, adaptive risk tuning, and exportable compliance evidence (NIST 800-63, insurer attestation).

      Validation Questions

      Who are we helping and why it matters right now

      • Please share your name, role/title, team, and the employee population size this initiative will cover (e.g., 1,200 employees)
      • What single event or pressure drove you to explore phishing‑resistant MFA today? Options: Failed cyber insurance audit, Credential‑stuffing or account takeover, CISO mandate to remove SMS, Regulatory/compliance deadline, Proactive security program, Other
      • Who is the ultimate decision owner for this project (role) and who do we need to convince beyond them? Options: Director of IT Security, Security Operations Manager, CISO, IT Director, Head of Compliance, Finance/CFO, Other
      • How urgent is this — when do you need demonstrable progress or evidence (pilot results, insurer attestation)? Options: Immediate (within 2 weeks), 30 days, 60 days, 90 days, 6 months+, No firm deadline
      • What will ‘win’ look like to you after the pilot (pick the top two)? Options: Clear insurer attestation, Enrollment ≥ X% of pilot cohort, Helpdesk ticket reduction ≥ X%, Full coverage across defined apps, Executive sign‑off to expand, Other

      Where passwords still hand an attacker the keys

      • You’ve likely secured SSO — where in your environment would an attacker still walk in with just a password? Options: Corporate VPN, RDP / Remote hosts, SSH access, Legacy on‑prem web apps, Service accounts / API keys, Third‑party vendor portals, Other
      • Approximately how many distinct applications or access paths need to be protected (SSO apps + VPN/RDP/SSH/legacy)? Options: <25, 25–100, 101–300, 301–1,000, >1,000, Unsure / need help inventorying
      • Which identity provider(s) and authentication stack components are in use today? Options: Okta, Azure AD, Ping, ForgeRock, On‑prem AD FS, Custom SSO, No centralized IdP, Other
      • How long have these coverage gaps existed (from first detection to now)? Options: Weeks, Months, 1–2 years, Multiple years, Unknown
      • When you think about these gaps, what frustrations or fears come up for you personally or for your team?

      What keeps you awake at 2 AM

      • If you had to name the single worst outcome from continued password‑only access, what would it be? Options: Mass account takeover, Loss of customer data, Major downtime, Failed insurance renewal, Regulatory penalty, Brand/PR damage, Other
      • Have you experienced credential‑stuffing, SIM swap, or MFA prompt‑bombing incidents in the last 24 months? Options: Yes — credential‑stuffing, Yes — SIM swap, Yes — prompt bombing, No incidents, Unsure / investigating
      • When incidents occurred, what were the operational impacts (headcount diversion, financial loss, customer impact)? Please give approximate scale or examples.
      • Who in the organization becomes most vocal when these incidents happen (IT, Legal, HR, Customers, Execs)? Options: IT / Security, Legal / Compliance, HR / People Ops, Customer Success / Sales, C‑suite / CFO, Insurer / Broker, Other
      • How confident are you that current controls (including SMS MFA) would stop a targeted account takeover? Options: Very confident, Somewhat confident, Not very confident, Not confident at all, Don’t know

      When an audit returns a red stamp — what’s actually at stake?

      • Imagine the insurer says you must demonstrate phishing‑resistant MFA — what consequences matter most beyond premiums? Options: Policy cancellation, Coverage limits on CYBER claims, Increased audit frequency, Public disclosure obligations, Loss of specific clients, Other
      • Have you already failed or received a conditional approval from an insurer or auditor on authentication controls? Options: Failed outright, Conditional approval with remediation plan, Passed but with recommendations, No insurance audit yet, Unsure
      • Which compliance frameworks or evidence packages does your insurer or auditor expect (select all that apply)? Options: NIST 800‑63, ISO 27001, SOC2, CIS Controls, Insurer‑specific attestation, Other
      • What artifacts would satisfy your insurer — e.g., exportable reports, enrollment logs, policy maps — and who needs to sign off on them?
      • If we could deliver insurer‑grade evidence in X days, what would be an acceptable window to change your policy status? Options: <7 days, 7–14 days, 15–30 days, 31–60 days, No hard deadline

      Picture a helpdesk that isn’t drowning

      • What is your current monthly helpdesk volume related to MFA, passwords, or access issues (approximate number or range)? Options: <100, 100–500, 501–2,000, 2,001–5,000, >5,000, Unknown
      • Which user groups generate the most MFA support tickets? Options: Engineering/IT, Sales, Field staff, Contractors/Temps, Executive team, Non‑technical staff, Other
      • What helpdesk capacity or SLA is acceptable during a pilot (e.g., we can absorb +10% tickets, or no more than X additional tickets/day)? Options: No increase, +10% tickets, +25% tickets, +50% tickets, Flexible depending on ROI, Other
      • How do your users emotionally react to different MFA methods (hardware keys, platform biometrics, push with number matching, SMS)? Please give quick impressions by method.
      • Are there user populations who cannot use standard enrollment flows (shared kiosks, headless servers, contractors without smartphones)? Please describe.

      Designing a pilot that actually moves the needle

      • Could a focused pilot (1–2 weeks of live telemetry) realistically prove the business case for lowering insurance costs or stopping password‑based breaches? Options: Yes — highly likely, Possible with right scope, Unlikely, No
      • Which exact applications or access methods must be included in the pilot to be persuasive (select top items)? Options: Cloud SSO apps (list examples), Corporate VPN, RDP / Remote Desktop, SSH / Devops access, Legacy on‑prem apps (non‑SSO), Service accounts / APIs, Other
      • Who should be in the pilot cohort (size and makeup)? Options: IT & Engineering only, Engineering + Helpdesk, Cross‑functional representative group, High‑risk users only, 100% of small business unit, Other
      • Which enrollment approach do you prefer for the pilot? Options: Self‑service with guidance, IT‑assisted enrollment, Hybrid (self + IT fallback), Bulk provisioning of hardware keys, Other
      • What metrics and thresholds will you use to declare pilot success (choose up to 4)? Options: Enrollment completion %, Helpdesk ticket delta %, Full‑app coverage achieved, Reduction in high‑risk sign‑ons, Exportable NIST 800‑63 mapping, Insurer attestation obtained
      • What telemetry, dashboards, or exportable reports do you need at pilot end to make a go/no‑go recommendation? Options: Enrollment logs, Helpdesk ticket comparison, Per‑app coverage map, Adaptive risk tuning results, Compliance PDF (NIST 800‑63), Insurer attestation package, Other

      If we could remove one thing — what would you choose?

      • If you could snap your fingers and eliminate one authentication headache today, which would it be and why? Options: No more SMS failures, No coverage gaps (VPN/RDP/legacy), Lower cyber insurance premiums, Fewer helpdesk tickets, Faster access recovery for users, Other
      • What internal objections or political hurdles do we need to plan for (e.g., executive inertia, procurement cycles, union rules)?
      • Who are the likely champions and the likely blockers we should engage early (roles, not names)? Options: Security team, IT operations, Helpdesk, CIO/CISO, Finance/CFO, HR/People Ops, Legal/Compliance, Business unit leaders
      • After a successful pilot, what concrete next step would you commit to within 30 days? Options: Expand to one business unit, Procure hardware keys for all, Begin org‑wide rollout plan, Request insurer premium review, Schedule executive review, Other
      • Finally, what single question do you want us to answer in the pilot report to make your life easier with execs or the insurer?
  6. Success

    Review pilot outcomes, confirm compliance and insurance impact, plan org-wide rollout, and maintain a shared channel for issues and enhancements.

    Success Reviews

    • Pilot Outcomes Review (Diagnosis & Validation)
    • Compliance & Insurance Impact Review
    • Org-wide Rollout Planning Workshop
    • Go / No-Go Decision & Executive Sign-off
    • Operational Handoff & Shared Channel Setup (Support & Enhancements)

    Issues & Enhancements

    • Ensure finance and executive stakeholders are aligned on budget and timeline implications of the decision.
    • Owner to produce one-page 'residual gaps' summary with root causes and proposed fixes.
    • Helpdesk lead to deliver sample ticket logs and average handling times for pilot cohort.
    • One-sentence Compliance Current State
    • Map pilot outputs to the exact evidence insurers and auditors require for phishing-resistant MFA attestation.
    • Agree the delta work and owners needed to obtain formal attestation and estimate insurer premium impact timeline.
    • Secure commitment from insurer-facing stakeholders to engage with provided evidence and confirm acceptance criteria.
    • Generate NIST 800-63 mapping document linking exported reports to specific controls.
    • Assign an owner to coordinate with the insurer and schedule a joint evidence review call if required.
    • Produce an insurer-ready attestation packet (reports + executive summary) for the customer's broker/CISO review.
    • Future State One-Liner
    • Produce a wave-based rollout plan with explicit acceptance gates, owners, timelines, and staffing requirements.
    • Confirm enrollment methods and fallback provisioning to ensure broad coverage without undue user friction.
    • Define KPIs and numeric thresholds that will be validated at the end of each wave before expansion.
    • Draft the detailed wave schedule (weeks, cohorts, apps) and circulate for stakeholder feedback.
    • Helpdesk to create wave-specific runbooks and a training calendar for frontline staff.
    • Procurement to confirm timeline and quantities for any required hardware keys or kiosks.
    • Re-state Acceptance Criteria
    • Secure formal, documented approval to proceed (or to pause) with the org-wide rollout based on evidence.
    • Identify and assign remediation items if decision is conditional and set deadlines for re-review.
    • One-sentence Current State Confirmation
    • Publish signed decision record with attached evidence and remediation plan (if applicable).
    • Notify all key stakeholders and schedule the kickoff for the first expansion wave (if Go).
    • If No-Go, schedule focused remediation sprints and a re-evaluation date within X days.
    • One-sentence Operational State
    • Establish a single shared operational channel and governance model for issues, incidents, and enhancement requests.
    • Ensure runbooks, SLAs, and monitoring handoffs are documented and owners are assigned for operational continuity.
    • Seed the backlog with prioritized items and confirm the triage cadence and owners for ongoing improvements.
    • Create the shared Slack channel (e.g., #mfa-rollout) and invite stakeholders; link the JIRA project and Confluence space.
    • Publish the operational runbook and incident playbook to the agreed Confluence space and assign maintainers.
    • Open initial JIRA tickets for prioritized enhancements and assign triage owners and SLAs.
    • Validate the pilot delivered measurable outcomes that map to the defined future state (enrollment, coverage, reduced tickets).
    • Agree on the specific residual gaps and their quantified business consequences.
    • Produce a short remediation task list with owners and dates that must be complete before go/no-go.
    • Export and share the pilot metrics dashboard (CSV/PDF) showing enrollment, ticket delta, and per-app coverage.
    • Key Metrics Dashboard Walkthrough
    • Shared Channel & Workspace Setup
    • Evidence Walkthrough (Exportable Reports)
    • Evidence Tally vs Criteria
    • Scope & Wave Definition
    • Helpdesk & Support Impact
    • Insurance Attestation Discussion
    • Escalation & Incident Playbooks
    • Enrollment Experience & Methods
    • Risk & Contingency Review
    • Enhancements & Issue Backlog Process
    • Adaptive Risk & Policy Behavior
    • Commercial & Budget Confirmation
    • Support & Training Plan
    • Gap Remediation for Attestation
    • Risk Residuals & Compensating Controls
    • Monitoring, Reporting Cadence & KPIs
    • Telemetry, KPIs & Acceptance Gates
    • Decision & Documented Outcome
    • Failures, Exceptions, and Residual Coverage Gaps
    • Consequence Analysis
    • Timeline, Owners & Dependencies
    • Communication Plan for Decision
    • Sign-off Criteria & Timeline for Attestation
    • Knowledge Transfer & Documentation Handoff
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.