Mandatory MFA (Multi-Factor Authentication)? Plan for Lockouts

by Nametag Team


One of the most cost-effective ways to strengthen account security is to make multi-factor authentication (MFA) mandatory. MFA does significantly improve security, but it also creates a new set of problems: user lockouts, a heavier support burden, and exposure to social engineering attacks against the recovery path that can undo much of the security benefit.

This article explores the implications of mandatory MFA and forced MFA resets, and how to minimize lockouts with self-service recovery while maintaining high security.

Mandatory MFA in the News

Numerous high-profile companies have made headlines for rolling out mandatory multi-factor authentication in the wake of data breaches:

  • 23andMe: Implemented forced MFA after a data breach leaked sensitive personal information of nearly 7 million people. In the fallout, the company first blamed its users for poor security hygiene before eventually rolling out forced MFA onto all of its customer accounts.
  • Oracle: Enabled MFA by default for all Oracle Cloud users after a phishing attack exposed numerous accounts. The attack revealed weaknesses in Oracle's user authentication system, prompting the company to implement mandatory MFA to protect their users and organization.
  • Roku: Streaming service provider Roku enforced mandatory MFA after a credential-stuffing campaign compromised over 500,000 customer accounts using passwords reused from other breaches, leading Roku to implement mandatory MFA to prevent further unauthorized access.
  • Snowflake: Announced that they would default to mandatory MFA, following a series of security incidents. This move was part of a broader effort to improve security protocols and protect customer data from increasingly sophisticated cyber threats.
  • Microsoft: In response to a series of widely publicized breaches, Microsoft announced mandatory MFA for all users signing in to its Azure platform. Microsoft then announced that new accounts will be passwordless by default, removing the password from the default sign-in path to eliminate another common source of breaches.

Why Traditional MFA Leads to Lockouts

Common MFA methods, such as SMS passcodes, email passcodes, push notifications, phone calls, and even phishing-resistant passkeys, all have failure modes. They break when users change their device or phone number, and several of them can be exploited by a determined attacker:

  • Change your device: Device-bound passkeys stay on the old device; a user who loses or replaces it has no way to sign in, and unsynced passkeys are gone for good.
  • Change your phone number: Text messages stop arriving, or arrive at whoever now holds the number.
  • Credential stuffing: If a reused password has let an attacker into the user's mailbox, email codes and magic links can't be trusted.
  • Push fatigue attacks: Repeated prompts wear users down until they approve one they didn't initiate, so push notifications lose their effectiveness.
  • Phone interception and SIM swaps: Phone calls and SMS codes become a security risk rather than a safeguard.
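The push-fatigue item above is the one failure mode a SOC can catch from its own logs: a user who denies or ignores several prompts in a row and then suddenly approves one. The following detector is an added example, not code from the original post or from Nametag; the log format, field names, thresholds and sample lines are all assumptions constructed for illustration.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example, not part of the original article. The log layout
("<ISO timestamp> user=<id> event=<push event>"), the event names and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry). Alice refuses three
# prompts in a few minutes and then approves; Carol denies one prompt in
# the morning and approves an unrelated one six hours later.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z user=alice event=push_sent
2024-05-01T02:10:35Z user=alice event=push_denied
2024-05-01T02:11:02Z user=alice event=push_sent
2024-05-01T02:11:30Z user=alice event=push_denied
2024-05-01T02:12:00Z user=alice event=push_sent
2024-05-01T02:12:40Z user=alice event=push_timeout
2024-05-01T02:13:10Z user=alice event=push_sent
2024-05-01T02:13:22Z user=alice event=push_approved
2024-05-01T09:00:00Z user=bob event=push_sent
2024-05-01T09:00:08Z user=bob event=push_approved
2024-05-01T09:30:00Z user=carol event=push_sent
2024-05-01T09:30:40Z user=carol event=push_denied
2024-05-01T15:30:00Z user=carol event=push_sent
2024-05-01T15:30:05Z user=carol event=push_approved
"""

REJECTIONS = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields["user"], fields["event"]


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_rejections=2):
    """Return {user: [approval timestamps]} for suspicious approvals.

    An approval is suspicious when it follows at least `min_rejections`
    denied or timed-out pushes for the same user inside `window`: the
    legitimate user was refusing prompts, then one got through.
    """
    events = sorted(parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    recent = defaultdict(list)   # user -> timestamps of recent rejections
    findings = defaultdict(list)
    for ts, user, event in events:
        # Forget rejections that fell out of the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if event in REJECTIONS:
            recent[user].append(ts)
        elif event == "push_approved":
            if len(recent[user]) >= min_rejections:
                findings[user].append(ts)
            recent[user].clear()  # an approval ends the current burst
    return dict(findings)


if __name__ == "__main__":
    for user, hits in detect_push_fatigue(SAMPLE_LOG).items():
        for ts in hits:
            print(f"push-fatigue pattern: user={user} approved at {ts.isoformat()}")
```

On the constructed sample only alice is flagged; carol's single denial has aged out of the window by the time she approves. A hit like this is also a useful signal for the recovery path: an MFA reset request that arrives shortly after a flagged approval deserves a harder look than a routine ticket.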

Even when imposters can't get through your MFA setup, they can simply call your helpdesk or customer support center and trick an agent into granting an account reset. Threat actors like Scattered Spider are notoriously adept at this. And with the rise of generative AI and deepfakes, the threat of social engineering is greater than ever.

"Why would an attacker bother trying to phish your users' credentials to carry out ATO [account takeover], when it may just be easier to call your helpdesk, pretend to be a user and get the credentials reset?" – Akif Khan, VP Analyst at Gartner

The Cost of MFA Lockouts

You’ve mass-enabled MFA for your user accounts; why should you be concerned about a surge in MFA lockouts? Time, cost, and security.

Gartner has found that 20% to 50% of all IT helpdesk calls are for password resets alone. Add MFA resets to the picture, and the share climbs even higher.

An ideal help desk agent utilization rate is about 48%. How much time is being wasted on password resets, account lockouts, and other such issues?

Translated into dollars, the costs are enormous. A 2018 Forrester study found that every password reset costs an organization $70, on average. Adjusted for inflation, this is over $87 per password reset today. The same study also found that every employee incurs $660 per year in password resets; adjusted for inflation, this is $795 per employee per year.

Total cost per MFA reset with traditional verification: $87

Some companies have started requiring video calls for MFA resets after Okta's CSO recommended this approach. That closes the social-engineering hole, but the costs are even more staggering:

  • Employees lose hours of productivity while waiting to regain access.
  • Managers have to drop everything and disrupt their workflows.
  • Helpdesk agents are stuck juggling calendars, not resolving other tickets.

For example, using conservative estimates for average U.S. pay rates for a software developer, senior developer, and IT agent; assuming a visual verification that takes 50 minutes to arrange and 10 minutes to complete; and assuming the employee is locked out for a total of 2 hours:

  • Employee: [$54 per hour] x [2 hours locked out] = $108
  • Manager: [$69 per hour] x [~30 minutes spent on visual verification] = $35 (rounded)
  • IT agent: [$19 per hour] x [1 hour spent on visual verification] = $19

Total cost per MFA reset with visual verification: $162

Preempt MFA Recovery Tickets with Self-Service MFA Resets Protected by Identity Verification

Sending MFA reset tickets to self-service can simultaneously boost security, improve user experiences, and cut helpdesk ticket volumes by as much as half. But not all identity providers offer a self-service MFA reset option, and those that do often rely on weak verification methods like security questions and email links, which are exactly the factors an attacker who already holds the user's mailbox or personal data can pass.

With Nametag’s end-to-end self-service account recovery solution, backed by Deepfake Defense™ identity verification, organizations can finally achieve the security and assurance they require to enable self-service MFA resets.


Easy setup: Deploy self-service MFA resets in under 10 minutes.

IAM-agnostic: Nametag works across identity providers, with native integrations to Microsoft Entra ID, Okta, Cisco Duo, Beyond Identity and more.

Resistant to emerging threats: The underlying identity verification technology is built to withstand AI deepfakes and camera injection attacks, not just stolen credentials.

Great user experience: Get people back into their accounts in seconds using only what they already have in their pocket: their phone and their ID.

Conclusion

As organizations continue to adopt mandatory MFA, it's essential to plan for the inevitable surge in user lockouts. Lengthy MFA reset processes leave users frustrated and fed up, while weak verification methods open security holes that give attackers a "backdoor" into user accounts.

With Nametag, organizations can enable self-service MFA resets that enhance security while improving user experiences and reducing the burden on the helpdesk. Get in touch to learn more or request a demo.
