Lessons Learnt from a 2FA roll out within a higher education organisation

Abstract: Rolling out a new security mechanism in an organisation requires planning, good communication, adoption from users, iterations of reflection on the challenges experienced and how they were overcome. Our case study elicited users' perceptions to reflect on the adoption and usage of the two factor authentication (2FA) mechanism being rolled out within our higher education organisation. This was achieved using a mixed method research approach. Our qualitative analysis, using content and thematic coding, revealed that initially SMS was the most popular 'second factor' and the main usability issue with 2FA was the getting the authenticator app to work; this result was unexpected by the IT team and led to a change in how the technology was subsequently rolled out to make the authenticator app the default primary second factor. Several lessons were learnt about the information users needed; this included how to use the technology in different scenarios and also a wider appreciation of why the technology was beneficial to a user and the organisation. The case study also highlighted a positive impact on the security posture of the organisation which was measure using IT service request metrics.