Achieved 100% MFA adoption with zero friction increase (protecting ARR at risk from security-driven churn) while maintaining authentication success rates at or above pre-MFA baselines.
100%: MFA adoption, zero friction increase
The platform required stronger security controls, but MFA implementations typically introduce friction that increases login failures, spikes support volume, and drives user resistance. The risk was real: force adoption too fast and you break the experience; move too slowly and you leave the platform exposed.
Security mandates rarely account for user behavior. The standard playbook for MFA rollout -- enable it, send a notification, wait for adoption -- consistently produces the same outcomes: a spike in failed logins, a surge in support tickets, and a cohort of users who find workarounds or abandon the platform entirely.
The challenge at iPROMOTEu was compounded by the platform's user base: promotional products affiliates who ranged from tech-savvy operators to small business owners with limited tolerance for authentication friction. A one-size-fits-all MFA implementation would have created disproportionate disruption for the users least equipped to navigate it.
My strategic insight was to treat MFA adoption as a product problem, not a security problem. The question wasn't "how do we enforce MFA?" -- it was "how do we design an MFA experience that users adopt without resistance?" That reframe changed everything: the focus shifted from compliance enforcement to experience design, and the outcome was a rollout that achieved full adoption without the support spike or login failure increase that typically accompanies it.
The unified identity layer I built in the previous initiative was the enabling infrastructure. Because authentication state was now centralized and real-time, device recognition could be implemented reliably -- trusted devices could be recognized and exempted from repeated challenges, which eliminated the most common friction point in ongoing MFA usage.
An end-to-end MFA strategy that embedded verification into onboarding and login flows in a way that felt native, not bolted on. Flexible verification methods, device recognition to reduce repeated challenges, and clear recovery flows ensured security without degrading usability.
I led MFA strategy across Product, Engineering, and Security with a phased rollout plan that prioritized experience before enforcement
I implemented flexible verification methods (email, SMS) to reduce friction at setup and accommodate diverse user preferences
I introduced device recognition to minimize repeated challenges for trusted devices -- the primary source of ongoing MFA friction
Embedded MFA into onboarding so new users adopted it as part of the default experience, not as a retroactive requirement
Continuously monitored authentication success rates and optimized flows post-launch to maintain baseline performance
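The device recognition step above is the one that carries the security weight: a "trusted device" exemption is only as safe as the token that represents it. As an added illustration (not code from the iPROMOTEu rollout or from the page's author) of what device recognition needs from a centralized identity layer, the block below issues a trusted-device token that is signed server-side, bound to one user and one device identifier, expires, and carries a per-user trust epoch that the identity layer bumps on password reset or "sign out everywhere". Every name in it (SIGNING_KEYS, USER_TRUST_EPOCH, TRUST_TTL_SECONDS, the user and device identifiers) is a hypothetical stand-in.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side secrets and state; a real deployment loads these from a
# KMS and the identity store. Rotating kid out of SIGNING_KEYS voids every device trust.
SIGNING_KEYS = {"k1": secrets.token_bytes(32)}
ACTIVE_KID = "k1"
TRUST_TTL_SECONDS = 30 * 24 * 3600  # re-challenge at least every 30 days (assumed policy)

# The centralized, real-time identity state the device exemption depends on: a per-user
# counter bumped on password reset, MFA re-enrollment or "sign out everywhere".
USER_TRUST_EPOCH: dict = {}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def bump_trust_epoch(user_id: str) -> None:
    """Invalidate all trusted-device tokens for one user without touching any client."""
    USER_TRUST_EPOCH[user_id] = USER_TRUST_EPOCH.get(user_id, 0) + 1


def issue_trusted_device_token(user_id: str, device_id: str, now: Optional[float] = None) -> str:
    """Call only after a successful MFA challenge on this device.

    device_id is a server-generated random identifier the client stores separately;
    the token is bound to it so copying the cookie to another device is not enough.
    """
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "did": device_id,
        "epoch": USER_TRUST_EPOCH.get(user_id, 0),
        "iat": int(now),
        "exp": int(now) + TRUST_TTL_SECONDS,
        "kid": ACTIVE_KID,
    }
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEYS[ACTIVE_KID], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(sig)}"


def device_is_trusted(token: Optional[str], user_id: str, device_id: str,
                      now: Optional[float] = None) -> bool:
    """True only if every binding checks out; any parse or signature failure means
    'challenge the user'. The exemption must fail closed."""
    if not token or "." not in token:
        return False
    now = time.time() if now is None else now
    body, sig_text = token.split(".", 1)
    try:
        payload = json.loads(_b64u_decode(body))
        sig = _b64u_decode(sig_text)
    except (ValueError, UnicodeDecodeError):
        return False
    if not isinstance(payload, dict):
        return False
    kid = payload.get("kid")
    key = SIGNING_KEYS.get(kid) if isinstance(kid, str) else None
    if key is None:
        return False  # key retired: trust is gone, re-challenge
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    exp = payload.get("exp")
    return (
        payload.get("uid") == user_id
        and payload.get("did") == device_id
        and payload.get("epoch") == USER_TRUST_EPOCH.get(user_id, 0)
        and isinstance(exp, int)
        and now < exp
    )


if __name__ == "__main__":
    # Constructed walkthrough: trust a device, then revoke it centrally.
    tok = issue_trusted_device_token("affiliate-42", "dev-abc")
    print("skip MFA:", device_is_trusted(tok, "affiliate-42", "dev-abc"))
    bump_trust_epoch("affiliate-42")  # e.g. the user reset their password
    print("skip MFA after reset:", device_is_trusted(tok, "affiliate-42", "dev-abc"))
```

Two points a practitioner should take from this. First, the exemption is a system state held by the identity layer (the epoch and the key set), so "sign out everywhere" or a key roll revokes every device at once without the user seeing a new flow, which is the sense in which the page calls it a state rather than an interruption. Second, the page's verification methods (email and SMS) are both one-time codes a phishing page can relay in real time, and SMS is additionally exposed to SIM swap; device trust reduces how often those factors are exercised but does not strengthen them, so the same device-recognition design should be kept when a phishing-resistant method is added later.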
100% MFA adoption across the user base. Authentication success rates maintained at or above pre-MFA baselines. No meaningful increase in support volume. Exposure to credential-based attacks significantly reduced without degrading user experience.
Security and usability are usually framed as a tradeoff. This rollout proved they don't have to be -- when you design the adoption experience as carefully as the security model itself. The lesson generalizes: any compliance or security requirement can be implemented without friction if the product team treats adoption as a design problem.
The security mandate would have been implemented as a blunt enforcement -- high friction, high abandonment, high support volume.
A cohort of low-tech affiliates would have been effectively locked out of the platform during the rollout window.
The platform would have remained exposed to credential-based attacks while the organization debated how to roll out MFA without breaking the experience.
The key was sequencing: build the identity layer first (so device recognition works reliably), then design the adoption experience (so users encounter MFA as a natural part of onboarding), then enforce it (so the transition is invisible). Most MFA rollouts fail because they start at step three.
"I treated MFA adoption as a product problem, not a security enforcement problem"
"Device recognition was the key -- users who don't get re-challenged on trusted devices don't resist MFA"
"I embedded it into onboarding so new users never knew a world without it"
What the data says
“72% of users abandon apps during onboarding if it requires too many steps.”
MFA adds a step. The design challenge is ensuring that step doesn't cross the abandonment threshold. Device recognition and contextual exemptions are the primary mechanisms for keeping the step count below the friction ceiling.
“Products that deliver a 'quick win' during onboarding retain 80% more users.”
Embedding MFA into onboarding as a security 'quick win' -- framing it as protecting the user's account -- converts a compliance requirement into a positive first impression.
White Paper Thread: The Decision Layer
MFA rollout is a microcosm of the broader white paper argument: that system design determines adoption outcomes. The rollout succeeded because the decision layer (identity system) was built first, enabling the experience layer (device recognition, contextual exemption) to make the right decisions automatically. Security without friction is a systems design achievement, not a security achievement.
Connective Tissue
The unified identity layer was the prerequisite infrastructure. Device recognition -- the key to frictionless MFA -- only works reliably when authentication state is centralized and real-time.
Both cases demonstrate that compliance requirements (MFA, KYC) can be implemented without friction when they are designed as system states rather than user-facing interruptions.
The Operating System
ibuildsystems.io
Four frameworks. One repeatable system. Applied across banking, fintech, government, and B2B SaaS to turn broken workflows into scalable revenue engines.