
Deploying Akamai MFA at Scale: 6 Lessons Learned


Written by

Keith Tomlinson

August 17, 2022


This past October, I blogged about why we were switching from Akamai’s legacy multi-factor authentication (MFA) solution to Akamai MFA, and how it’s part of our Zero Trust security model. At that time we’d just completed an 850-user pilot. 

I’m happy to report that, as of March 2022, our entire 9,000-person organization logs in using Akamai MFA for phish-proof authentication. The transition went very smoothly thanks to key decisions that we made along the way. I’ll share the 6 lessons we learned to help you plan your own rollout. 

1. Form a cross-functional team

Our first step was to form a transition team. We included a representative from every organization with a hand in the rollout: back-end engineering, change management, and end-user support. We also invited the Akamai MFA product manager, who took our ideas for product enhancements back to his team. We then met weekly to discuss progress, issues, and ideas for improving the process for the next wave of users. 

2. Add users in phases

Back in 2017, we deployed the third-party product that Akamai MFA replaced. From that earlier experience, we knew that we wanted to roll out Akamai MFA in phases, not for everyone at once. A few glitches are inevitable in any large-scale technology rollout, and a phased deployment would give us a chance to fix issues when they affected fewer users. An example might be compatibility with a new Android phone model.

We started with a four-wave pilot for our IT users, two weeks for each wave. After that, we deployed in five larger waves with up to 4,000 users apiece. 

Tom Bogacz, our director of change management, tells me, “Starting with IT is a good idea because they give candid feedback on what works and where there’s room for improvement.” As we moved on to other organizations, we onboarded executives first so that they could reassure their teams that Akamai MFA is simple to enroll in and easy to use.

3. Add applications in groups

During our 850-user pilot, we introduced Akamai MFA for the single sign-on (SSO) system for targeted web applications only. That is, we did not switch on Akamai MFA enforcement for all the SSO-protected applications at once, but started with our simpler web-based applications before moving on to our more complicated desktop applications.

I asked Prasanna Greampet, our senior engineer for identity and access management services, for the reasoning. He said, “We went in assuming that a handful of our desktop applications needed minor code changes to work with Akamai MFA, and this way we could spread out the effort. 

“All of our browser-based applications worked right away. For the few desktop applications that didn’t, the fix was delivered by the product team. After the rollout of the Akamai MFA service-level fixes, all SSO applications were added for Akamai MFA enforcement, and they all started working as expected.”

4. Communicate often

Our Solution Center sent out regular communications before and during the transition to Akamai MFA. We made it a point to keep enrollment instructions simple, as I described in my earlier blog. We also published a FAQ on our internal website, updating it as we received new questions. 

Our workforce was already comfortable with MFA because we had been using a third-party solution for a few years. But even small changes can give people butterflies, so we provided users with plenty of advance notice about the switch to Akamai MFA and invited them to ask questions.

We scheduled optional lunch-and-learn sessions that included a fun presentation on MFA, and also took the opportunity to remind people about good security practices that were beneficial to both Akamai and their personal lives, such as not using the same password for multiple sites and using a password manager. 

How important were communications in the success of our rollout? I checked in with Jody Shafer, our manager of identity and access management, who told me, “Giving people the opportunity to express their concerns and feel like they were part of the process was key to getting buy-in. I’d advise other companies to not skip this step.”

5. Respect users’ schedules by giving them time to enroll

In some organizations, it may be okay to say, “We’re switching to a new authentication system next Monday.” But our culture at Akamai is to give people more flexibility. If someone was racing against a project deadline, for example, we didn’t want to force them to enroll on a certain day. 

We decided to give people in each group two weeks to enroll, making it clear that if they hadn’t done it by the end of the period, they’d be automatically enrolled. The people who didn’t enroll themselves didn’t object when we moved them over, because we’d set this expectation.

Each day, we moved over the people who had enrolled the previous day. That gave us a chance to spot and fix any issues instead of waiting until the end of the two-week wave. And if a holiday fell in the middle of the enrollment period, we sometimes extended the deadline for a week. 

I realize that some organizations might need to enroll the entire workforce at once. That’s an option, but if you have the flexibility to do it in phases, enrolling in waves is a good idea. 

6. Get support processes ready ahead of time

We created support documents and processes for the Solution Center before we started the transition to Akamai MFA. We explained the technology to our support teams, and came up with questions we thought employees would ask. We also created a Webex space where they could ask questions as they came up.

Enhancing our Zero Trust security architecture

I’m pleased to say that our transition to Akamai MFA was very well received by executives and the workforce. Our security posture is stronger with phish-proof authentication that has enhanced our Zero Trust security architecture. Employees like the convenience of using their phone in place of a hardware token. And we did it without disrupting anybody’s usual workday processes: a success by all counts.

Reach out 

Ready to learn more about Akamai MFA or take a free 60-day test run? Sign up here to see what the world’s largest edge platform can do for you.

 


