
Hard-token MFA replacement for remote work: what teams learned


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter  

TL;DR: A rapid remote-work pivot forced IT teams to replace hard-token MFA with authenticator-app authorization, expand VPN capacity, and support more than 14,000 users, with less than 1% experiencing difficulty, according to SailPoint. The case shows how identity programmes can move faster when assumptions about user resistance are tested against current data rather than corporate lore.

NHIMG editorial — based on content published by SailPoint: Blog Facepalm Files, Much ado about nothing

By the numbers:

Questions worth separating out

Q: How should security teams validate user resistance before changing MFA methods?

A: Security teams should validate user resistance with current pilot data, help desk trends, and enrolment completion rates rather than rely on old stories or anecdotal objections.

Q: Why do hard-token MFA programmes become fragile during rapid workforce changes?

A: Hard-token programmes become fragile because they depend on physical inventory, replacement logistics, and distribution timelines.

Q: What do organisations get wrong about MFA migration resistance?

A: Organisations often mistake long-standing internal lore for current user behaviour.

Practitioner guidance

  • Revalidate behavioural assumptions before changing controls. Replace inherited claims about user resistance with current evidence from pilot groups, help desk tickets, and enrolment completion rates.
  • Design the exception path before the migration starts. Map non-standard cases such as users without smartphones, users without home internet, and users who still require a hard token.
  • Treat MFA factor changes as continuity planning. Assess whether your current authentication model can survive supply chain disruption, device shortages, or sudden remote-work expansion.

What's in the full article

SailPoint's full blog post covers the operational detail this post intentionally leaves for the source:

  • The day-by-day account of how the team reworked the MFA rollout under a three-day deadline
  • The practical documentation and help desk setup used to support 14,000-plus employees
  • The internal decision process that led to replacing hard tokens with authenticator app authorization
  • The author’s own lesson on validating assumptions before blocking a security change

👉 Read SailPoint's account of the remote-work MFA transition →

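The guidance above says to replace inherited claims about user resistance with current pilot data, help-desk trends and enrolment completion rates, and to size the exception path before migrating. As an added example (not code from SailPoint or from this editorial), the Python script below does exactly that over a constructed pilot enrolment log and a constructed help-desk ticket list: it computes the completion rate, how many users enrolled within a day of the invite, the size of each exception cohort (no smartphone, no home internet, hard token still required), the share of users who needed MFA help, and then tests an inherited "a quarter of staff will refuse the app" claim against what the pilot actually shows. Every user, day, ticket and the 25% lore figure is made up for illustration; none are figures from the source.

```python
"""Validate an inherited claim about MFA user resistance against pilot data.

Added example, not code from SailPoint or the NHIMG editorial. All records
below are constructed; the 'lore' refusal figure is a placeholder.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Enrolment:
    user: str
    invited_day: int                 # pilot day the enrolment invite went out
    completed_day: Optional[int]     # None = authenticator app not yet enrolled
    exception: Optional[str]         # structural reason the app path cannot apply


@dataclass(frozen=True)
class Ticket:
    user: str
    category: str                    # "mfa", "vpn" or "other"


# Constructed pilot enrolment log (20 users); not real figures.
PILOT = [
    Enrolment("u01", 0, 0, None), Enrolment("u02", 0, 1, None),
    Enrolment("u03", 0, 0, None), Enrolment("u04", 0, 2, None),
    Enrolment("u05", 0, None, None),
    Enrolment("u06", 1, 1, None), Enrolment("u07", 1, 3, None),
    Enrolment("u08", 1, None, "no_smartphone"),
    Enrolment("u09", 1, 2, None), Enrolment("u10", 1, 1, None),
    Enrolment("u11", 2, 2, None),
    Enrolment("u12", 2, None, "hard_token_required"),
    Enrolment("u13", 2, 4, None), Enrolment("u14", 2, 2, None),
    Enrolment("u15", 3, 3, None),
    Enrolment("u16", 3, None, "no_home_internet"),
    Enrolment("u17", 3, 3, None), Enrolment("u18", 3, 5, None),
    Enrolment("u19", 4, 4, None), Enrolment("u20", 4, None, None),
]

# Constructed help-desk tickets raised during the same pilot window.
TICKETS = [
    Ticket("u04", "mfa"), Ticket("u07", "mfa"), Ticket("u09", "vpn"),
    Ticket("u13", "vpn"), Ticket("u18", "mfa"), Ticket("u02", "other"),
    Ticket("u11", "vpn"), Ticket("u05", "mfa"), Ticket("u15", "other"),
    Ticket("u19", "vpn"),
]


def completion_rate(pilot):
    """Share of invited users who finished authenticator-app enrolment."""
    done = sum(1 for e in pilot if e.completed_day is not None)
    return done / len(pilot)


def enrolled_within(pilot, days):
    """Share of all invited users enrolled no more than `days` after the invite."""
    quick = sum(1 for e in pilot
                if e.completed_day is not None
                and e.completed_day - e.invited_day <= days)
    return quick / len(pilot)


def exception_cohorts(pilot):
    """Size of each structural exception group; this sizes the fallback path."""
    return dict(Counter(e.exception for e in pilot if e.exception))


def mfa_difficulty_rate(pilot, tickets):
    """Share of pilot users who raised at least one MFA-related ticket."""
    users = {t.user for t in tickets if t.category == "mfa"}
    return len(users) / len(pilot)


def evaluate_resistance_claim(pilot, tickets, claimed_refusal_rate, tolerance=0.05):
    """Compare inherited lore ('X% will refuse the app') with observed behaviour.

    Refusal is measured only among users with no structural exception, so
    people who *cannot* use the app are not counted as people who *won't*.
    """
    eligible = [e for e in pilot if e.exception is None]
    refused = sum(1 for e in eligible if e.completed_day is None)
    observed = refused / len(eligible)
    return {
        "claimed_refusal_rate": claimed_refusal_rate,
        "observed_refusal_rate": round(observed, 4),
        "difficulty_rate": round(mfa_difficulty_rate(pilot, tickets), 4),
        "claim_supported": observed >= claimed_refusal_rate - tolerance,
    }


if __name__ == "__main__":
    # Placeholder lore figure: "a quarter of staff will refuse the app".
    print(f"completion rate: {completion_rate(PILOT):.0%}")
    print(f"enrolled within 1 day: {enrolled_within(PILOT, 1):.0%}")
    print(f"exception cohorts: {exception_cohorts(PILOT)}")
    print(evaluate_resistance_claim(PILOT, TICKETS, claimed_refusal_rate=0.25))
```

The design point is the split between "can't" and "won't": users with a structural exception are counted into the cohorts that need a fallback path, and only the remaining users are used to test the refusal claim, so a help-desk spike from people without smartphones does not get read as resistance. The `tolerance` argument keeps a small pilot from rejecting a claim on a couple of stragglers; tighten it as the pilot grows.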



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 7990
 

Legacy beliefs about user resistance are a governance risk, not a people problem. The article shows that a long-held internal story about employees refusing authenticator apps did not survive contact with current conditions. That matters because identity programmes often defer change on the basis of assumptions that were never re-tested. Practitioners should treat stale behavioural beliefs as control debt, not as evidence.

A few things that frame the scale:

  • From our research: 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Our research also shows that only 20% have formal processes for offboarding and revoking API keys, which helps explain why control changes often fail after the first approval step.

A question worth separating out:

Q: Who should be accountable when a large authentication change affects thousands of users?

A: Accountability should sit with the identity programme owner, the operational support team, and the business approver who accepted the migration risk. Large authentication changes need clear ownership for enrolment, exceptions, communications, and recovery. Without that, a control change becomes a support incident instead of a managed transition.

👉 Read our full editorial: VPN hard tokens gave way to app-based MFA in a remote work pivot


