...
- What use cases drove the decision to adopt MFA for authentication?
- What are the costs, both one-time and ongoing?
- What cost/benefit/risk analysis was done to justify the use of MFA for those use cases?
- Risk assessment – what functions/activities do various institutions believe require MFA?
- What MFA technologies/approaches mesh most easily with which Single-Signon frameworks and/or services and applications?
- Which MFA technologies are being deployed and used by institutions for which applications/environments/use cases?
- The same question, but the other side of it – which combinations have caused difficulties, and if those were overcome, how and at what cost?
- Were any new roles (or modification of current roles) determined to be needed?
- What special training is required? What audiences did/are you training, and how often?
- Samples/examples of any and all of the following kinds of documents and artifacts related to MFA:
- use cases
- requirements
- RFP/specifications document
- risk/cost analysis
- cost analysis for full lifecycle of support of MFA, including any comparison analysis of various MFA technologies
- technology choice(s), system architecture
- project charter, project plan, Work Breakdown Structure
- policy & procedure for
- token request (or registration) process
- replacing tokens
- recovery of tokens when no longer needed
- roles & process document
- support process document
- documentation of roles
- user documentation
- training materials
- support materials – FAQs, KnowledgeBase articles, web pages, etc.
- public awareness efforts, press releases, campaigns, advertising
- Costs
- Initial costs to implement (with whatever breakdown is available)
- Ongoing licensing/maintenance costs
- Ongoing user support costs
- Service Level Agreement(s)
- Other costs?
- What are the most frequent questions/problems encountered? And how were/are they solved?
- What are the approaches to the distribution/delivery of token/extra factor devices?
- Where/when in the on boarding/IdM workflow does MFA device registration/issuance occur?
- What are the best practices for supporting the users and the MFA deployment and operation?
- Are you happy with your MFA choice(s)? If you had it do to over again, would you use the same technology? If not, why not?
- What do you know now that you wish you knew before you started?
- What did you worry about that turned out not to actually be a problem/concern?
- Business policies, procedures, processes that support request, initial deployment, maintenance, infrastructure, and replacement of the tokens
- what happens when a token breaks?
- what happens when I forget it at home?
- what about replacing lost tokens?
- How long did training take?
- Which units/roles did you have involved in your MFA deployment project, and at what points in the project timeline? How about for ongoing operations and support?
- What was your timeline – how long from "start to finish" (project initiation to pilot/production operational status)?
- What did you underestimate? What did you overestimate? What did you forget to estimate at all?