TL;DR: A global real estate company moved from email and SMS one-time codes to broader MFA options, including passkeys and biometrics, across Azure AD B2C for employees in three regions, completing rollout in two months with no reported issues, according to Authsignal. The real lesson is that step-up authentication only works when policy, user experience, and regional governance are designed together, not bolted on after authentication gaps appear.
At a glance
What this is: This is a case study on modernising employee MFA in Azure AD B2C, with the main finding that broader authentication options and policy controls enabled a three-region rollout in two months.
Why it matters: It matters because IAM teams still treating MFA as a single-factor replacement miss the governance work involved in regional policy design, recovery paths, and admin delegation across human identity programmes.
👉 Read Authsignal's case study on strengthening MFA across Azure AD B2C
Context
Basic MFA is not enough when employees access both internal and third-party platforms across multiple regions. In this case, the problem was not authentication in the abstract. It was the gap between a legacy email and SMS one-time passcode model and the organisation's need for stronger, more granular, and region-aware access controls in Azure AD B2C.
The governance issue is familiar to IAM teams: once authentication becomes policy-driven, the programme has to account for user experience, rollout sequencing, support burden, and conditional enforcement. That makes the topic relevant to human identity and access management, not just to a single product deployment.
Key questions
Q: How should organisations modernise MFA without disrupting employee access?
A: Start with the highest-risk sign-in paths, then introduce stronger authenticators alongside a phased rollout and clear recovery routes. Keep legacy methods only where business continuity requires them, and use policy-based enforcement to avoid forcing all users through the same change at once. The goal is controlled migration, not a hard cutover that creates support bottlenecks.
Q: Why do SMS and email one-time passcodes create governance risk?
A: They create governance risk because they are easy to over-depend on, even when stronger options are available. In practice, they can be difficult to govern consistently across regions, devices, and recovery scenarios. They also make it harder to enforce risk-based step-up policies, which means the organisation may believe it has MFA coverage when control quality is still uneven.
Q: How do security teams know if MFA policy changes are working?
A: Look for reduced reliance on legacy OTP methods, stable sign-in success rates, low help desk escalation, and few override requests. If users bypass the new flow, fail recovery, or create repeated exceptions, the control may exist on paper but not in practice. Good MFA governance shows up as consistent adoption and manageable operational load.
Q: Who should approve changes to authentication rules in Azure AD B2C?
A: Authentication rule changes should be approved by the identity or security owner with operational input from application and regional stakeholders. Business administrators can manage day-to-day policy updates if delegated carefully, but sensitive changes need review, logging, and a clear rollback path. Without that separation, convenience can become unaudited access drift.
Technical breakdown
Why email and SMS OTP no longer carry the MFA burden
Email and SMS one-time passcodes remain widely used, but they are weak as a primary second factor because they depend on channels that can be intercepted, redirected, or socially engineered. In a modern IAM stack, MFA should support stronger authenticators such as passkeys and biometric verification, while also allowing policy-based step-up when risk changes. The real architectural issue is not just factor strength. It is whether the organisation can vary authentication requirements by context without breaking access to the applications people actually use.
Practical implication: treat SMS and email OTP as transitional controls, not a durable MFA target state.
How no-code rules engines change authentication governance
A rules engine turns MFA from a static on or off decision into a policy layer that can react to user location, unusual travel, login country, or session context. That matters because authentication governance is as much about who can change policy as it is about which factor is required. If non-technical administrators can manage periodic MFA rules, the organisation reduces dependency on engineering, but it also needs tight delegation, review, and change control. Otherwise, the same flexibility that speeds rollout can create policy drift.
Practical implication: define clear ownership and change approval for authentication rules before handing policy control to business administrators.
What phased deployment reduces in multi-region identity rollouts
A phased rollout limits disruption by sequencing regions, testing policy combinations, and validating that authentication journeys still work across real employee workflows. This is especially important in federated identity environments such as Azure AD B2C, where step-up logic, recovery paths, and platform integration all interact. Phasing is not just an implementation convenience. It is a governance control that surfaces support issues, policy conflicts, and regional exceptions before they become enterprise-wide failures.
Practical implication: use staged rollout gates and scenario testing to catch policy and recovery failures before broad deployment.
NHI Mgmt Group analysis
Modern MFA is now an authentication governance problem, not a factor-selection problem. The article shows that the organisation needed stronger methods, more granular triggers, and a migration path that would not disrupt daily access. That combination matters because human IAM programmes fail when they optimise for factor strength alone and ignore policy operability, rollout sequencing, and support impact. Practitioners should treat MFA modernisation as a control design exercise, not a feature swap.
Granular step-up policy is the real control surface in distributed identity environments. Country-based login blocking, impossible travel logic, and periodic MFA requirements all point to the same conclusion: authentication has become contextual governance. When employees span Australia, New Zealand, and South Africa, static policies create avoidable friction or blind spots. The practitioner takeaway is that identity teams need policy precision, not just stronger authenticators.
User experience is part of the security control, not a separate concern. The rollout succeeded because the migration path avoided disruption and employees adapted quickly. That is not a soft outcome. In human identity programmes, poor authentication experience drives workarounds, help desk load, and exception requests, which in turn weaken control integrity. Security teams should measure whether authentication change increases friction enough to erode adherence.
Strong MFA becomes more governable when non-technical admins can manage policy safely. Delegating policy updates away from engineering can speed operations, but only if the identity programme defines boundaries, approvals, and auditability. The field-wide implication is that modern IAM is moving toward operationally distributed policy ownership. Practitioners should separate who can define authentication rules from who can approve and review them.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, which is one reason policy intent and operational reality diverge.
- For a broader view of identity lifecycle governance, see Ultimate Guide to NHIs , The NHI Market for how access control choices ripple across identity programmes.
What this signals
Granular authentication policy is becoming a governance requirement, not an optimisation. As organisations expand across regions and platforms, they need controls that adapt without creating support chaos. For IAM teams, that means authentication policy now sits alongside lifecycle and privilege governance as a programme-level control plane, not a login-page feature.
The operational signal is clear: if identity teams cannot stage policy changes, delegate safely, and measure recovery outcomes, stronger MFA methods will not translate into stronger control. The next maturity step is not just adopting passkeys or biometrics, but proving that policy changes can be managed without ad hoc exceptions.
For practitioners
- Inventory where legacy OTP still carries MFA risk Identify Azure AD B2C or equivalent journeys that still rely on email and SMS codes, then rank them by user exposure, application sensitivity, and recovery dependency.
- Define policy ownership for step-up authentication Separate policy authorship, approval, and emergency override rights for location-based blocking, periodic prompts, and risk-triggered MFA so that no single administrator can silently change access behaviour.
- Pilot stronger authenticators before enterprise-wide enforcement Test passkeys, biometrics, and other stronger factors in one region or business unit first, then validate recovery, help desk load, and user completion rates before expanding.
- Treat migration as a user journey programme Measure enrolment completion, sign-in failure patterns, and exception requests during rollout so you can see whether the new control is being adopted or worked around.
Key takeaways
- The article shows that MFA modernisation is really about governing policy, rollout, and user adoption together.
- Legacy email and SMS OTP may extend coverage, but they do not solve the underlying need for context-aware authentication control.
- Practitioners should judge MFA change by adoption, exceptions, and recovery performance, not by whether a stronger factor was merely enabled.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article is about authenticator strength and MFA modernisation for human users. |
| NIST CSF 2.0 | PR.AC-7 | Context-aware authentication and verification are central to this rollout. |
| NIST Zero Trust (SP 800-207) | The case uses conditional access and step-up behaviour consistent with zero trust. | |
| NIST SP 800-53 Rev 5 | IA-2 | The deployment strengthens authentication for access to internal and third-party platforms. |
Review IA-2 coverage for all employee sign-ins and ensure stronger authenticators are required where risk is higher.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that resists interception and replay better than shared-code methods such as SMS or email OTP. In practice, this usually means authenticators like passkeys or hardware-backed methods that bind the login to the correct device and session context.
- Step-up authentication: A policy pattern that requires stronger verification only when risk or context changes. It helps balance usability and security, but it only works when the organisation can define clear triggers, manage exceptions, and maintain recovery paths for legitimate users.
- Authentication policy governance: The control layer that decides when, where, and how authentication rules are enforced. It covers ownership, approvals, logging, delegation, and review, which are essential when different regions or applications need different access requirements.
What's in the full article
Authsignal's full case study covers the operational detail this post intentionally leaves for the source:
- The rollout sequence across South Africa, New Zealand, and Australia, including how each phase was validated before go-live
- The specific authentication methods added beyond SMS and email, including passkeys, biometrics, and WhatsApp one-time codes
- How the no-code rules engine was configured for periodic MFA requirements, impossible travel detection, and country-based blocking
- The commercial and implementation considerations that shaped the vendor evaluation and deployment timeline
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-04-14.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org