MFA Readiness Assessment
Evaluate your organization's readiness for multi-factor authentication deployment
Section 1: Current State
How many users need MFA protection?
Under 50 users
50–200 users
200–1,000 users
Over 1,000 users
What is your primary authentication method today?
Passwords only
Passwords + SSO for some apps
SSO with partial MFA enforcement
SSO with full MFA (expanding coverage)
Which identity provider (IdP) are you using?
None — local accounts only
Active Directory (on-premises)
Azure AD / Entra ID
Okta, OneLogin, or similar cloud IdP
What types of resources do users access?
Web applications only
Web apps + SSH/terminal access
Web apps + SSH + databases
Web, SSH, RDP, databases, VPN — everything
Section 2: Infrastructure
Do your applications support SAML or OIDC authentication?
No — most use local authentication
Some apps support SAML/OIDC
Most apps support SAML/OIDC
All apps federated via SAML/OIDC
What percentage of apps are behind SSO today?
Less than 25%
25–50%
50–75%
Over 75%
Do you have a device management or MDM solution?
No device management
Partial — company devices only
Full MDM coverage (Intune, Jamf, etc.)
How is remote/VPN access currently handled?
Direct access — no VPN
VPN with password only
VPN with MFA
Zero Trust / ZTNA solution
Section 3: Organizational
What is your approximate security tooling budget?
Minimal — prefer free/open-source
Moderate — can invest in key tools
Strong — security is a priority investment
How tech-savvy are your end users?
Low — non-technical workforce, need simplicity
Mixed — some technical, some not
High — mostly developers/engineers
Which compliance requirements apply to your organization?
None specific — general best practices
SOC 2 or ISO 27001
HIPAA or PCI DSS
Multiple frameworks (SOC 2 + HIPAA + PCI, etc.)
What is your target rollout timeline?
ASAP — responding to an incident or audit
1–3 months
3–6 months
6+ months (planning phase)
Assessment Results
Recommended MFA Methods (ranked)
Suggested Rollout Timeline
Potential Challenges & Mitigations
Deploy MFA across every protocol in minutes
OnePAM handles MFA enforcement across all protocols — SSH, RDP, databases, and web apps. No agent changes, no PAM configuration.
Frequently Asked Questions
Common questions about MFA deployment and readiness
What is MFA and why is it critical for security?
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access a resource. These factors are: something you know (password), something you have (phone, hardware key), and something you are (biometrics). MFA blocks 99.9% of automated attacks according to Microsoft research, making it the single most impactful security control you can deploy.
Which MFA method is most secure — TOTP, push, or hardware keys?
Hardware security keys (FIDO2/WebAuthn) are the most phishing-resistant MFA method: the credential is cryptographically bound to the site's origin, so a look-alike phishing site cannot obtain a valid assertion, which defeats real-time phishing attacks. Push notifications are convenient but vulnerable to "MFA fatigue" attacks. TOTP is a solid middle ground: widely supported, no network dependency, and free to implement. SMS-based MFA is the weakest and should be avoided due to SIM-swapping risks.
How do I enforce MFA for SSH and database access?
Traditional approaches require configuring PAM modules on each server (pam_google_authenticator for TOTP, pam_duo for Duo) and modifying sshd_config. This is operationally complex at scale. Database MFA typically requires a proxy layer since most database protocols don't natively support MFA. Solutions like OnePAM act as an identity-aware proxy that enforces MFA across SSH, RDP, databases, and web apps from a single policy, without per-server configuration.
What compliance frameworks require MFA?
Most modern compliance frameworks require or strongly recommend MFA. PCI DSS v4.0 mandates MFA for all access to the cardholder data environment. HIPAA requires MFA as an addressable safeguard for ePHI access. SOC 2 Trust Service Criteria expect MFA as part of logical access controls. NIST 800-63B requires MFA at Authentication Assurance Level 2 (AAL2) and above. Cyber insurance providers increasingly require MFA for policy eligibility.
How do I handle MFA for users who resist the change?
User resistance is the #1 challenge in MFA rollouts. Mitigate it with: (1) Start with a pilot group of security-conscious users to validate the experience. (2) Provide clear communication about why MFA matters — use real breach examples. (3) Offer multiple MFA methods so users can choose what works best. (4) Use a grace period with reminders before enforcement. (5) Ensure leadership visibly uses MFA first. (6) Have IT support ready for enrollment issues during the first week.