Rolling out Mandatory Multi-Factor Authentication (MFA)? Plan for Lockouts

by Nametag Team

One of the most cost-effective ways to strengthen account security is to implement mandatory multi-factor authentication (MFA). However, while MFA significantly improves security, it also creates a new set of problems: user lockouts, support burdens, and the risk of social engineering attacks that effectively undermine the security benefits.

This article explores the implications of mandatory MFA and forced MFA resets, and how to minimize lockouts while maintaining high security standards with self-service.

Mandatory MFA in the News

In recent months, numerous high-profile companies have made headlines for rolling out mandatory multi-factor authentication in the wake of data breaches:

  • 23andMe (November 2023): Genetic testing company 23andMe implemented forced MFA after a data breach leaked sensitive personal information of nearly 7 million people. In the fallout, the company first blamed its users for poor security hygiene before eventually rolling out forced MFA onto all of its customer accounts.
  • Oracle (November 2023): Oracle enabled MFA by default for all Oracle Cloud users after a phishing attack exposed numerous accounts. The attack revealed weaknesses in Oracle's user authentication system, prompting the company to implement mandatory MFA to protect their customers and their organization.
  • Roku (April 2024): Streaming service provider Roku enforced mandatory MFA after a cyberattack compromised over 500,000 customers. Attackers used phishing and brute force techniques to gain access to user accounts, leading Roku to implement mandatory MFA to protect their customers against further unauthorized access.
  • Snowflake (June 2024): Cloud data platform Snowflake announced the introduction of enhanced security measures, including mandatory MFA, following a series of security incidents. This move was part of a broader effort to improve security protocols and protect customer data from increasingly sophisticated cyber threats.
  • Microsoft (July 2024): In response to a series of widely-publicized data breaches, Microsoft has announced that starting in July, MFA will be mandatory for all users of its Azure platform. The breaches involved sophisticated social engineering and phishing tactics that exposed vulnerabilities in single-factor authentication. By requiring MFA, Microsoft aims to address one of the root causes of these breaches.

Why Traditional MFA Leads to Lockouts

Traditional MFA methods, such as SMS passcodes, email passcodes, push notifications, phone calls, and passkeys, are not without their flaws. These methods often fail when users change their device or phone number, and they can be exploited by sophisticated attack vectors:

  • Device changes: Passkeys don't work when users switch devices.
  • Phone number changes: Text messages become unreliable.
  • Credential stuffing: Email codes and links can't be trusted.
  • Push fatigue attacks: Push notifications lose their effectiveness.
  • Phone interception and SIM swaps: Phone calls become a security risk.

Even when imposters can't get through your MFA setup, they simply call your helpdesk or customer support center and trick an agent into granting an account reset. Threat actors like Scattered Spider are notoriously adept at this. And with the rise of generative AI and deepfakes, the threat of social engineering is greater than ever.

Why would an attacker bother trying to phish your users' credentials to carry out ATO [account takeover], when it may just be easier to call your helpdesk, pretend to be a user and get the credentials reset? – Akif Khan, VP Analyst at Gartner

The Cost of MFA Lockouts

You’ve mass-enabled MFA for your user accounts; why should you be concerned about a surge in MFA lockouts? Simple: time, cost, and security.

Gartner has found that between 20% and 50% of all IT helpdesk calls are just for password resets. Add MFA resets to the picture, and that number climbs even higher.

An ideal help desk agent utilization rate is about 48% — but how much of that utilization is being wasted on password resets, account lockouts, and other such issues?

Translated into dollars, the costs are enormous. A 2018 Forrester study found that every password reset costs an organization $70, on average. Adjusted for inflation, this is over $87 per password reset in 2024. The same study also found that every employee incurs $660 per year in password reset costs; adjusted for inflation, this is $795 per employee per year.

Total cost per MFA reset with traditional verification: $87

Some companies have started requiring visual verification calls for MFA resets after Okta’s CSO recommended this approach. But the costs are even more staggering:

  • Employees often lose hours or days of productivity while waiting to regain access
  • Managers have to drop everything and disrupt their workflows to verify their employees
  • Help desk employees are stuck juggling calendars instead of resolving other tickets

To calculate the cost of visual verification calls, multiply each hourly rate by the time involved and add up the results:

  • [Employee’s hourly rate] x [Time spent locked out + time spent on visual verification]
  • [Manager’s hourly rate] x [Time spent arranging and doing visual verification]
  • [IT agent’s hourly rate] x [Time spent arranging and doing visual verification]

For example, using conservative estimates for average U.S. pay rates for a software developer, senior developer, and IT agent; assuming a visual verification that takes 50 minutes to arrange and 10 minutes to complete; and assuming the employee is locked out for a total of 2 hours:

  • Employee: [$54 per hour] x [2 hours locked out] = $108
  • Manager: [$69 per hour] x [~30 minutes spent on visual verification] = $35
  • IT agent: [$19 per hour] x [1 hour spent on visual verification] = $19

Total cost per MFA reset with visual verification: $162

Self-Service MFA Resets

Sending MFA reset tickets to self-service can simultaneously boost security, improve user experiences, and reduce helpdesk ticket volumes by half. But not all identity providers offer a self-service MFA reset option, and those that do rely on outdated verification methods like security questions and one-time passcodes.

Thankfully, there’s a solution. Through Nametag’s end-to-end self-service account recovery platform, Nametag Autopilot, organizations can finally achieve the security and assurance needed to enable self-service MFA resets.


  • Setup: Get started with self-service MFA resets in under 10 minutes. It really is that easy.
  • IAM-agnostic: Nametag Autopilot works across identity providers, with native integrations to Microsoft Entra ID, Okta, Cisco Duo, and OneLogin.
  • Uniquely secure: Nametag’s underlying identity verification technology shuts down emerging threats like AI-generated deepfakes and digital injection attacks.
  • Great user experience: Nametag delivers a 2x better user experience using only what people have in their pockets: their phone and their ID.

Conclusion

As organizations continue to adopt mandatory MFA, it’s essential to proactively address the inevitable surge in user lockouts. Lengthy MFA reset processes leave users frustrated and fed up, while outdated verification methods create enormous security holes that give attackers a “backdoor” into user accounts.

With Nametag, organizations can enable self-service MFA resets that simultaneously enhance security while improving user experiences and reducing stress on IT helpdesk teams. Get in touch to learn more or get a live demo.
