Product design
Enforcing Multi-Factor Authentication (MFA)
Company: Strange Bee
Year: 2025
TheHive is a cybersecurity platform that helps organizations investigate, manage, and respond to security incidents at scale. It is used by large organizations where security policies are strict and non-negotiable.
Timeline
Over 4 weeks, a feature squad (PM, product designer, frontend, backend, QA) led the discovery, design, and build of the MFA enforcement feature.
Background
As TheHive expanded within large and regulated organizations, administrators increasingly raised concerns about MFA adoption. Although they could monitor whether users had enabled MFA, they had no way to enforce it. This lack of control exposed organizations to security risks and placed admins in a position where they were accountable for compliance without having the necessary tools to guarantee it.
I played an active role in every phase, ensuring an optimal user experience at every stage.
User research & scoping
I conducted interviews with internal stakeholders and enterprise clients to understand how MFA was currently managed and perceived. Admins emphasized the need for enforcement aligned with internal security policies, while users expressed concerns about interruptions and setup complexity. This research helped clarify user needs and define the scope of a solution that would strengthen security without damaging trust or usability.
Problem framing
The challenge was not introducing MFA, but deciding how it should become mandatory. A strict, immediate enforcement risked blocking users and generating support issues, while keeping MFA optional undermined security objectives. The problem therefore became how to design an enforcement mechanism that felt progressive, understandable, and acceptable for both admins and users.
Exploration & ideation
Several options were explored, including hard blocking at login, reminder-based strategies, and guided onboarding flows. Early exploration showed that purely restrictive approaches created frustration and resistance. Progressive enforcement, combined with clear guidance and visibility, emerged as the most viable direction to support adoption at scale.
Introducing progressive, admin-driven MFA enforcement.
The final solution allows administrators to enforce MFA at the organizational level while offering users a guided activation experience. When enforcement is enabled, users are redirected to a dedicated MFA setup screen during login, where they can configure their preferred authentication method. A temporary skip option with a visible countdown ensures critical tasks can still be completed before MFA becomes fully mandatory.
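The login-time decision described above (organization-wide enforcement, a dedicated setup screen, and a temporary skip with a visible countdown) can be expressed as a small policy function. The following is an added illustration written for this page, not TheHive's code; the names `OrgPolicy`, `UserAccount`, `evaluate_login`, `record_skip` and the sample dates are assumptions made for the example. It shows the three states a user can land in and refuses a skip once the grace deadline has passed, so a stale client cannot keep deferring setup; each skip also produces an audit line, which is what gives administrators visibility into who is still deferring.

```python
"""Login-time MFA enforcement decision with a bounded grace period.

Added illustration, not TheHive's code. OrgPolicy, UserAccount,
evaluate_login and record_skip are names chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"                      # no enforcement, or MFA already configured
    SETUP_SKIPPABLE = "setup_skippable"  # show setup screen; skip allowed, countdown shown
    SETUP_REQUIRED = "setup_required"    # show setup screen; skip no longer offered


@dataclass(frozen=True)
class OrgPolicy:
    enforce_mfa: bool
    # Moment after which the temporary skip is withdrawn.
    # None means no grace period: enforcement is immediate. Must be timezone-aware.
    grace_deadline: Optional[datetime] = None


@dataclass
class UserAccount:
    username: str
    mfa_enrolled: bool
    skips_used: int = 0


@dataclass(frozen=True)
class LoginOutcome:
    decision: Decision
    seconds_remaining: int  # countdown shown to the user; 0 when no skip is possible


def evaluate_login(policy: OrgPolicy, user: UserAccount, now: datetime) -> LoginOutcome:
    """Decide what the login flow shows this user at time `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if not policy.enforce_mfa or user.mfa_enrolled:
        return LoginOutcome(Decision.ALLOW, 0)
    if policy.grace_deadline is None or now >= policy.grace_deadline:
        return LoginOutcome(Decision.SETUP_REQUIRED, 0)
    remaining = int((policy.grace_deadline - now).total_seconds())
    return LoginOutcome(Decision.SETUP_SKIPPABLE, remaining)


def record_skip(user: UserAccount, outcome: LoginOutcome, now: datetime) -> str:
    """Apply a user's 'skip for now' choice and return an audit log line.

    The skip is only honoured while the server-side decision still permits it;
    after the deadline the call is refused regardless of what the client sent.
    """
    if outcome.decision is not Decision.SETUP_SKIPPABLE:
        raise PermissionError("MFA setup can no longer be skipped")
    user.skips_used += 1
    return (f"{now.isoformat()} mfa_setup_skipped user={user.username} "
            f"skips_used={user.skips_used} seconds_remaining={outcome.seconds_remaining}")


# Constructed sample scenario (not real data): enforcement switched on with a
# grace period that ends on 2025-06-15 00:00 UTC.
SAMPLE_POLICY = OrgPolicy(enforce_mfa=True,
                          grace_deadline=datetime(2025, 6, 15, tzinfo=timezone.utc))
SAMPLE_NOW_IN_GRACE = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_NOW_AFTER_GRACE = datetime(2025, 6, 16, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the situations an admin cares about and return the decisions."""
    enrolled = UserAccount("alice", mfa_enrolled=True)
    pending = UserAccount("bob", mfa_enrolled=False)
    in_grace = evaluate_login(SAMPLE_POLICY, pending, SAMPLE_NOW_IN_GRACE)
    audit = record_skip(pending, in_grace, SAMPLE_NOW_IN_GRACE)
    after = evaluate_login(SAMPLE_POLICY, pending, SAMPLE_NOW_AFTER_GRACE)
    return {
        "enrolled": evaluate_login(SAMPLE_POLICY, enrolled, SAMPLE_NOW_IN_GRACE).decision,
        "in_grace": in_grace,
        "audit": audit,
        "after_grace": after.decision,
        "skips_used": pending.skips_used,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deadline lives in the organization policy rather than in the client, so the countdown the user sees is informational and the cut-over is enforced server-side; the audit line is the hook an administrator would use to see which accounts are still deferring before the deadline arrives.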
Improving security without compromising usability.
This approach restored alignment between security responsibility and control for administrators while maintaining a clear and respectful experience for users. MFA adoption increased by 30% in the first month, compliance expectations were met more consistently, and the risk of user frustration or support overload was reduced. The project highlighted the importance of progressive enforcement and clear communication when designing security-critical features.
