How-To

How to roll out MFA across your business without the chaos

Eleni Vasquez · Data Protection Consultant · 9 min read

Multi-factor authentication is the highest-value security upgrade most businesses can make - and the one most often delayed, because owners picture help-desk meltdown, locked-out staff and a week of complaints. It does not have to go that way. Roll MFA out in the right order, with a little preparation, and it lands almost invisibly while shutting the door on the single biggest cause of breaches: stolen passwords. Here is how to do it calmly, in phases, so it sticks.

MFA rollout readiness
MFA programme — control map
  • PRE-1 (CORE): All accounts inventoried, email first
  • PRE-2 (CORE): Authenticator app chosen as default
  • PRE-3 (CORE): Lockout and recovery process agreed
  • EDGE-1 (PLUS): Shared mailboxes have an access model
  • EDGE-2 (PLUS): Non-smartphone staff given hardware keys
  • EDGE-3 (PLUS): Service and admin accounts handled separately
  • ENF-1 (OPT): MFA enforced and built into onboarding

Why this is worth a small amount of disruption

It helps to keep the prize in view, because that is what carries you through the rollout. The overwhelming majority of account breaches start with a password that was guessed, reused, phished or leaked. MFA means that even when the password is known, the attacker still cannot get in without the second factor sitting in your employee's pocket.

If you are not yet sold on why a strong password is no longer enough, our explainer on why passwords are not enough makes the case. This article assumes you are convinced and want the practical how-to: getting MFA onto every account with the least possible friction.

Prepare before you switch anything on

A chaotic rollout is almost always an unprepared one. Spend a little time on groundwork and the rest is smooth. There are four things to sort before you enable anything.

  • Inventory your accounts: email and core platform first, then every other business app, including the ones only one person uses.
  • Choose your methods: an authenticator app (a code or a tap on the phone) is the sweet spot for most staff - far stronger than a texted code and free. Keep a backup method for each person.
  • Plan for the edge cases now: shared mailboxes, staff without smartphones, frontline workers, and service accounts that apps use to log in. Each needs a deliberate answer.
  • Decide who handles lockouts and how identity is re-proven, so a forgotten phone is a five-minute fix, not a crisis.

Roll out in waves, not all at once

The fastest way to cause chaos is to flip MFA on for everyone overnight. The calm way is to move in waves, learning and fixing as you go. Start with IT and a small, willing pilot group - the people who will tolerate a hiccup and give useful feedback.

Iron out the wrinkles with that group, then expand department by department, each time with a little notice and a one-page how-to. By the time you reach the least technical staff, your process is polished and your support team has seen every question already. A phased approach turns a daunting all-or-nothing event into a series of small, manageable steps - the same principle we apply to securing remote workers generally.

Bring people with you

MFA fails on people, not technology, so communication is half the job. Staff who understand why are cooperative; staff ambushed by a sudden login change are not. A little context goes a long way.

Tell people what is changing, when, and why - framing it as the company protecting them and the customers, not as a hoop to jump through. Give a simple guide with screenshots for setting up the authenticator app, make clear who to contact if they get stuck, and warn them in advance that the help desk is ready. This sits naturally alongside security awareness training, because a workforce that understands phishing also understands why that second factor matters.

[Chart: Rollout effort vs accounts protected, by wave. X-axis: rollout wave (Prep, IT pilot, Wave 1, Wave 2, All staff); y-axis: relative level (0 to 100); series: accounts protected, support effort.]

Handle the awkward accounts deliberately

Every business has accounts that do not fit the simple 'one person, one phone' model, and these are where unplanned rollouts come unstuck. Tackle them on purpose rather than discovering them mid-rollout.

Shared mailboxes need a clear ownership and access model. Staff without smartphones can use a small hardware key or a dedicated device. The accounts that applications use to talk to each other should not use interactive MFA at all - they need a different, controlled approach. And privileged administrator accounts deserve the strongest protection of all, since they are the crown jewels. Getting these right at scale is core to identity and access management, and worth a conversation if your estate is complex.

Make it permanent and build on it

Once MFA is on, a few finishing touches keep it effective and pave the way for what comes next. Enforce it so it cannot quietly be turned off, confirm every account is genuinely covered (the one you forget is the one that gets used), and make MFA setup a standard part of onboarding so it never slips for new starters.
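The "confirm every account is genuinely covered" step above, together with the edge-case rules from the preparation and awkward-accounts sections, can be expressed as a simple audit over your account inventory. The script below is an added example, not Servnet's tooling or any vendor's export format: the inventory record layout (name, kind, mfa_enforced, methods, has_smartphone, owner) is an assumption, and the sample accounts are constructed. The finding labels refer to the control map at the top of the article.

```python
"""Audit an account inventory against the article's MFA control map.

Assumed record layout (not a real vendor export): each account is a dict with
'name', 'kind' (user | shared | service | admin), 'mfa_enforced' (bool),
'methods' (subset of 'app', 'key', 'sms'), optional 'has_smartphone', 'owner'.
"""

STRONG = {"app", "key"}        # authenticator app or hardware key (PRE-2)
PHISHING_RESISTANT = {"key"}   # what the article wants for "crown jewel" admins


def audit_account(acct):
    """Return the list of findings for one account; an empty list means compliant."""
    findings = []
    kind = acct["kind"]
    methods = set(acct.get("methods", []))
    if kind == "service":
        # EDGE-3: service accounts should not rely on interactive MFA at all
        if acct.get("mfa_enforced") or methods:
            findings.append("service account using interactive MFA; needs a non-interactive control")
        return findings
    if not acct.get("mfa_enforced"):
        findings.append("MFA not enforced (ENF-1)")
    if not methods & STRONG:
        findings.append("no app or hardware key; SMS-only or nothing (PRE-2)")
    if len(methods) < 2:
        findings.append("no backup method registered")  # one backup per person
    if kind == "admin" and not methods & PHISHING_RESISTANT:
        findings.append("admin without hardware key")
    if kind == "user" and not acct.get("has_smartphone", True) and "key" not in methods:
        findings.append("no smartphone and no hardware key (EDGE-2)")
    if kind == "shared" and not acct.get("owner"):
        findings.append("shared mailbox without a named owner (EDGE-1)")
    return findings


def audit(inventory):
    """Map account name -> findings, listing only accounts with at least one."""
    return {a["name"]: f for a in inventory if (f := audit_account(a))}


# Constructed sample inventory for illustration; these are not real accounts.
SAMPLE_INVENTORY = [
    {"name": "alice@example.invalid", "kind": "user", "mfa_enforced": True, "methods": ["app", "sms"]},
    {"name": "bob@example.invalid", "kind": "user", "mfa_enforced": True, "methods": ["sms"]},
    {"name": "carol@example.invalid", "kind": "user", "mfa_enforced": True, "methods": ["key", "app"], "has_smartphone": False},
    {"name": "accounts@example.invalid", "kind": "shared", "mfa_enforced": True, "methods": ["app", "key"]},
    {"name": "svc-backup", "kind": "service", "mfa_enforced": True, "methods": ["app"]},
    {"name": "admin-dave", "kind": "admin", "mfa_enforced": True, "methods": ["app", "sms"]},
    {"name": "erin@example.invalid", "kind": "user", "mfa_enforced": False, "methods": []},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

Run it against the real inventory you built in the preparation phase; an empty result is the coverage confirmation the article asks for.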

From here, MFA becomes the foundation for stronger things: reducing how often trusted users are prompted without weakening security, and moving towards verifying every access request - the Zero Trust direction. MFA is also a baseline requirement for the UK's Cyber Essentials certification and for most cyber-insurance policies, so doing it well pays off well beyond security itself. If you would rather have it rolled out and managed for you, our cyber security team does exactly that.

Key takeaways
  • MFA stops the biggest cause of breaches - stolen passwords - by requiring a second factor the attacker does not have.
  • Prepare first: inventory accounts, choose an authenticator app, plan edge cases, and decide who handles lockouts.
  • Roll out in waves starting with IT and a willing pilot group, not for everyone at once.
  • Communicate clearly and frame it as protecting staff and customers - MFA fails on people, not technology.
  • Handle shared mailboxes, non-smartphone staff, service accounts and admins deliberately, then enforce it and build onboarding around it.
FAQs — How to roll out MFA across your business without the chaos

Doing the rollout

Won't MFA constantly annoy staff with login prompts?

Far less than people fear. On trusted devices you can let a sign-in be remembered for a sensible period, so most staff tap their phone occasionally rather than every login. The brief friction is minor next to the protection, and modern app-based MFA is a single tap, not a fiddly code.

What about employees who do not have a smartphone?

They have good options. A small physical security key plugs in or taps to authenticate, or you can issue a simple dedicated device. The key point is to plan for these people before you start, so nobody is left unable to log in on rollout day - the edge cases cause the chaos, and they are all solvable.

Methods and scope

Is a code by text message good enough for MFA?

It is better than nothing, but it is the weakest method - texts can be intercepted or redirected by determined attackers. An authenticator app is free, stronger and barely more effort, so use that as your default and reserve text codes for situations where nothing else will work.

Do we need MFA on every single account, or just email?

Every account that matters. Email first, because it can reset other passwords, but attackers will target any weakly protected app, so cover your file storage, finance system and line-of-business apps too. The account you leave out is precisely the one that gets exploited, so aim for full coverage.
