I know this is going to start a flame war, but I'd like to talk about an actual instance where MFA itself caused availability issues. There are *still* no TCO studies on the full costs of MFA deployments. This doesn't mean MFA is bad, just that we don't fully understand costs. 1/n
We know very well what it costs to deploy (@RenditionSec is a @duosec partner). We absolutely love how easy it is to incorporate Duo MFA into practically any product. But I changed my cell phone last week. We now needed to track down an additional admin to assist me. 2/n
In the meantime, I was able to keep working standalone, but not access enterprise systems. Since I was physically in the office, I just turned to an employee and asked them to submit appropriate tickets for me (did I mention the ticketing system uses MFA?). 3/n
All in all the issue was resolved within a few hours (primary admin was out sick, backup admin on vacation, backup to the backup knows how to do enrollment but not device replacement). But I'm a tech-savvy user and simply forgot that changing phones wouldn't be plug and play. 4/n
I've seen this same sort of scenario play out time and time again in businesses we consult with. Often, the business impact is substantial. When clients ask us if MFA is worth it, we say *absolutely*. But when they ask if it will impact productivity, the response is identical. 5/n
It's worth noting that emergency room physicians still argue with me about password protecting EHR systems (containing PHI) for fear of availability issues. "Have you ever tried to type a complex 12 character password in gloves?" MFA is just an extension of that concern. 6/n
To be clear, this isn't a question of which MFA provider to use. It's about setting realistic expectations for enterprises adopting MFA. We shouldn't shy away from the truth that MFA will have both positive and negative impacts (just like passwords). 7/n
I truly believe the reason most system integrators aren't 100% transparent with businesses is that we don't know the negative numbers. It's hard to be transparent when doing so invites questions we don't have the answer for. 8/n
Heck, we don't even know the positive numbers. Just because a breach happened and MFA wasn't deployed, it doesn't necessarily mean MFA would have prevented the breach. Anyone who has taken a freshman Introduction to Logic class can tell you that. 9/n
TL;DR I love MFA. I recommend it to all @RenditionSec clients. I absolutely hate that I don't have data to answer their questions and for the life of me I don't understand why MFA vendors aren't collecting it.

Or maybe they are and the numbers are too bad to share? Meh. /FIN
Subscribe to Jake Williams