When a mandatory security rollout cost the client one-third of its business users overnight, I made the case that the path forward wasn't faster implementation; it was a strategic pause. I led research that reframed a compliance problem as a design and equity problem, protecting access for 205 million users while keeping the organization on a path to full MFA adoption.

My Role: Lead UX Researcher
Methods: 1:1 Interviews · Focus Groups
Sample Size: n = 39
Sector: Federal Government

  • 1 in 3: Business users abandoned the portal after MFA was introduced
  • 205M+: Annual portal users whose access was at risk
  • 5+ hrs: Customer service spent on a single user's failed MFA setup

A federal client faced a critical inflection point: MFA had been mandated for business users, resulting in a 33% drop-off. With a consumer-facing portal serving over 205 million users annually, including older adults, rural users, non-citizens, and justice-involved individuals, a poorly executed rollout carried significant civil access risk.

I was brought in to shape the research agenda before the policy was extended to the public. The stakes were high: get this wrong and millions of people lose access to services they depend on.

Rather than scoping this as a usability study, I framed it as a risk assessment and equity audit. I designed a mixed-method study (n=39) that deliberately over-recruited vulnerable populations, because standard usability testing would smooth over the exact friction we needed to find.

Participant Populations

  • General Portal Population
  • Older Americans
  • Rural and/or low-bandwidth users
  • Portal Non-citizens
  • Business Contacts
  • Users with Assistive Devices
  • Justice-Involved Individuals

1:1 User Interviews

User interviews provide deep insights into how people perceive and interact with MFA, uncovering real-world barriers that may not surface in surveys or data analytics. They offer contextual understanding of user frustrations, troubleshooting behaviors, and accessibility challenges, especially for vulnerable populations.

Focus Groups

When speaking to vulnerable and traumatized populations, focus groups help provide a support system for interviewees. This format creates an environment that encourages equity in the voices heard and gives direct feedback to ensure MFA solutions are equitable for a more traumatized population.

This wasn't default methodology; it was a deliberate design choice to ensure equitable voice in the data.

What Business Users Experience

  • 1 in 3 mandatory users abandoned the portal after MFA implementation due to confusion and frustration
  • One user paid $20 for an invalid authenticator app
  • Customer service spent 5+ hours unsuccessfully helping a single user navigate MFA setup

[Figures: current MFA selection interface; research process documentation]

What the Public Expects from MFA

  • Users find MFA annoying but accept it for the added security
  • Strong preference for text-based MFA, but users expect multiple options
  • MFA creates access barriers for vulnerable populations
  • Clear instructions and user-friendly design significantly improve adoption

The findings reframed the entire program roadmap. I presented evidence to the client that led to three concrete organizational decisions:

  i. A formal pause on consumer MFA rollout
  ii. Initiation of an MFA redesign program covering both business and public-facing interfaces
  iii. A commitment to user testing prior to any future launch

Suggested Next Steps

  • Pause on implementing MFA for public consumers
  • Begin the process of MFA redesign and user testing for both business-facing and public-facing interfaces
  • Launch new MFA for both user groups only after testing

Security and accessibility are not competing values, but making that argument stick required research designed with equity at its center.

As agencies work to strengthen cybersecurity, it's clear that security measures like MFA must be designed with people, not just policy, in mind. This research shows that while users understand and even value MFA, their experience depends entirely on how intuitive, inclusive, and flexible the process is.

By offering multiple authentication options, prioritizing usability, and designing for the most vulnerable users, we can protect sensitive data without locking anyone out. A secure system is only successful if everyone can use it, and that's where great design meets real impact.

This project demonstrated that a well-scoped research agenda can protect users while reducing organizational risk, and that sometimes the most strategic recommendation is the one that tells a client to stop.

Supporting documentation can be viewed during in-person meetings.
Due to the confidential nature of the project, supporting documentation is not provided within the case studies, but can be viewed during an in-person interview upon request.