← Back to Resources Hub

How I got a 40-person nonprofit to actually adopt MFA without a revolt

Multi-factor authentication is the single highest-value security control most organizations can turn on. It is also the one that triggers the most staff pushback. Here is how I rolled it out to 40 people in three weeks with no revolt.

What most teams get wrong

They flip MFA on for everyone overnight with an email nobody reads. Day one becomes a help-desk fire, staff associate security with friction, and resistance hardens.

The phased approach that worked

  • Week 1: IT and leadership only, so we hit the snags ourselves first and could speak from experience
  • A 10-minute walkthrough with screenshots, not a wall of text, sent before anyone was required to enroll
  • Week 2: department by department, with a real person available during enrollment
  • An app-based approve prompt instead of typing codes, far less friction than people expect

The result

Full adoption in three weeks, and crucially, staff understood why. When you explain the risk in plain terms and remove the friction, people cooperate.

Security adoption is change management, not a technical task. Treat it that way and the technology is the easy part.

More in Security and Scams

The five phishing patterns every small business will see this quarter