Facepalm Files: Much ado about nothing

Author
Andrew Leef, Advisory Solutions Consultant, SailPoint

The setup

So, there I was… early March 2020. News of COVID-19 had just started to spread, and the execs at my company decided to send everyone to work from home. My team and I had to figure out how to make it happen. Lots of us in the IT space already had the ability to WFH, but it relied heavily on always-on VPN connections secured with hard-token MFA. Pretty standard stuff.

The goal was simple: enable the rest of the company to do what we did in the IT world – VPN in, access their programs, and continue on with their work day. In reality, this was anything BUT simple. We were looking at factors including:

- VPN capacity (probably close, but we could push it and be fine).
- Laptops vs. desktops (most people already had laptops, and we had almost enough inventory to replace the few desktops).
- Monitors and docking station headsets (not a problem, we would take them from the office).

Where we got stuck was on hard tokens. We didn’t have nearly enough spares, and ongoing challenges to the supply chain meant no new orders. We had to pivot – FAST. Only three days until 7000+ people had to pack up the office for who knows how long.

The facepalm(ish) moment and the outcome

Our best option was to pivot to Azure/Entra authorization for MFA, enforce the authenticator app usage, and scrap the hard tokens. But in the past, employees had been very resistant to installing anything on their phones for work – or so the legend foretold. We tested in non-production that day, sorted the few bugs, redid the documentation, and took our plan for approval. After some hemming and hawing, the execs reiterated the anticipated resistance but still said “Go.”

And we did. Like the wind. We published docs, sent out guides, set up a help desk queue specifically for it, and started rolling to production. In two days, we pushed a major auth change out to over 14k people (half of whom had never worked from home before), doubled our VPN capacity, and saved $400k on hard token renewals over the next three years.

The lesson learned

To our surprise, not a single person complained about installing an authenticator on their phone. We had a few people who needed hotspots because they didn’t have internet access at home, and a few without a smartphone who still needed a hard token, but pushback was minimal. In fact, less than 1% of users had any difficulty, so basically, it was a non-issue. We looked back at where that legend had originated – and apparently that “sentiment” had been part of corporate lore for almost 10 years, perpetuated by tenured employees, who knew a guy, who knew a guy, whose sister worked there.

The takeaway

As IT professionals, we are often told to not trust our end-users, that they will find new and creative ways to mess up your plans. But most people are well intentioned and, given the right motivation (in this case, working from home), will always do their part to support the long-term mission.

Moral of the story: Validate concerns with current data, explain the WHY to everyone, and be prepared to handle the one-offs gracefully without derailing the larger effort.