Best practices for enforcing MFA in lifecycle management for global Teamcenter deployments

We’re implementing MFA enforcement across our TC 12.4 lifecycle management workflows to meet new compliance requirements. Looking for real-world experiences on MFA policy design approaches that balance security with usability.

Our challenge is that lifecycle transitions (particularly for regulated products) require strong authentication, but we have diverse user populations - engineers on shop floor tablets, remote suppliers, and executive approvers on mobile devices. We’re evaluating whether to enforce MFA universally or use conditional access based on workflow criticality and user context.

Specifically interested in how others have handled MFA policy design for different lifecycle states, conditional access rules that don’t create friction for routine operations, and audit trail configuration that satisfies regulatory requirements without overwhelming the compliance team with logs. What patterns have worked well in production environments?

We implemented risk-based conditional access rather than universal MFA. Shop floor users doing routine status checks don’t need MFA, but promotion to production lifecycle state requires it. The key is defining clear trigger points in your workflow where data integrity and compliance risk justify the extra authentication step. We use lifecycle state transitions to production, release, and obsolete as MFA triggers.

One approach that’s worked well is MFA step-up authentication. Users log in with basic credentials for general access, but when they attempt a critical lifecycle operation (like final approval for release), the system prompts for MFA at that moment. This reduces friction for daily work while ensuring strong auth where it matters. The IdP session can cache the MFA credential for a short window (15-30 minutes) to avoid repeated prompts during a single approval session.

Conditional access policies should consider user role, network location, and workflow action combined. We exempt internal network users from MFA for read-only operations but require it for any state change. External users always need MFA regardless of operation. Mobile users get push notifications via our IdP (Okta) which has better UX than SMS codes. The audit trail captures the MFA method used, timestamp, and device fingerprint for each lifecycle transition.
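The replies above describe the same pattern from three angles: exempt routine internal read-only work, require a second factor for every lifecycle transition and for every external user, and honour a recently verified factor for a short step-up window. As an added example (not from any of the posters, and not a Teamcenter or Okta API), here is a small Python policy engine that encodes those rules and emits the audit record the last reply describes. The operation names, the "internal"/"external" network labels, the 15-minute window and the field names are assumptions chosen for illustration; the sample requests are constructed, not real log data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy constant: a verified factor is honoured this long (the replies suggest 15-30 min).
STEP_UP_WINDOW = timedelta(minutes=15)
READ_ONLY_OPS = {"read"}
STATE_CHANGE_OPS = {"state_change"}


@dataclass
class AccessContext:
    """What the policy needs to know about one request (illustrative shape, not a real TC object)."""
    user: str
    role: str                                # informational here; kept for the audit trail
    network: str                             # "internal" or "external"; anything else counts as external
    operation: str                           # "read" or "state_change"
    target_state: Optional[str] = None       # e.g. "production", "release", "obsolete"
    last_mfa_at: Optional[datetime] = None   # when the IdP last verified a second factor
    mfa_method: Optional[str] = None         # e.g. "push", "totp"
    device_fingerprint: Optional[str] = None


@dataclass
class Decision:
    allow: bool
    step_up_required: bool                   # True: prompt for MFA now, then let the client retry
    reason: str


def mfa_is_fresh(ctx: AccessContext, now: datetime) -> bool:
    """A cached factor counts only if verified within the window; a future timestamp (clock skew) is stale."""
    if ctx.last_mfa_at is None:
        return False
    elapsed = now - ctx.last_mfa_at
    return timedelta(0) <= elapsed <= STEP_UP_WINDOW


def evaluate(ctx: AccessContext, now: datetime) -> Decision:
    """Internal read-only is exempt; external reads and every state change need a fresh second factor."""
    internal = ctx.network == "internal"     # fail closed: an unknown network label is treated as external
    if ctx.operation in READ_ONLY_OPS:
        if internal:
            return Decision(True, False, "internal read-only: MFA not required")
    elif ctx.operation not in STATE_CHANGE_OPS:
        return Decision(False, False, f"unknown operation {ctx.operation!r}: denied")
    # External read, or any lifecycle transition: the second factor must be within the step-up window.
    if mfa_is_fresh(ctx, now):
        return Decision(True, False, "MFA verified within step-up window")
    return Decision(False, True, "step-up MFA required")


def audit_record(ctx: AccessContext, decision: Decision, now: datetime) -> dict:
    """One record per transition attempt: who, what, which factor, which device, and the outcome."""
    fresh = mfa_is_fresh(ctx, now)
    return {
        "timestamp": now.isoformat(),
        "user": ctx.user,
        "role": ctx.role,
        "network": ctx.network,
        "operation": ctx.operation,
        "target_state": ctx.target_state,
        "mfa_method": ctx.mfa_method if fresh else None,
        "mfa_verified_at": ctx.last_mfa_at.isoformat() if fresh else None,
        "device_fingerprint": ctx.device_fingerprint,
        "allowed": decision.allow,
        "step_up_required": decision.step_up_required,
        "reason": decision.reason,
    }


# Constructed sample requests (not real data), one per policy branch.
SAMPLE_NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_REQUESTS = {
    "shop_floor_read": AccessContext("eng01", "engineer", "internal", "read"),
    "supplier_read_no_mfa": AccessContext("sup07", "supplier", "external", "read"),
    "release_fresh_mfa": AccessContext("apr02", "approver", "external", "state_change", "release",
                                       last_mfa_at=SAMPLE_NOW - timedelta(minutes=5),
                                       mfa_method="push", device_fingerprint="dfp:3c9a"),
    "release_stale_mfa": AccessContext("apr02", "approver", "internal", "state_change", "release",
                                       last_mfa_at=SAMPLE_NOW - timedelta(minutes=40),
                                       mfa_method="push"),
    "skewed_clock": AccessContext("eng01", "engineer", "internal", "state_change", "production",
                                  last_mfa_at=SAMPLE_NOW + timedelta(minutes=2), mfa_method="totp"),
    "unknown_op": AccessContext("eng01", "engineer", "internal", "purge"),
}


def run_samples() -> dict:
    """Evaluate every constructed request at SAMPLE_NOW and return the decisions by name."""
    return {name: evaluate(ctx, SAMPLE_NOW) for name, ctx in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22} allow={decision.allow!s:5} step_up={decision.step_up_required!s:5} {decision.reason}")
    print(audit_record(SAMPLE_REQUESTS["release_fresh_mfa"], run_samples()["release_fresh_mfa"], SAMPLE_NOW))
```

Two details are worth keeping when adapting this: the freshness check rejects a verification timestamp that lies in the future, so a skewed or tampered client clock cannot extend the cache window, and anything that is not explicitly "internal" or a known operation is denied rather than allowed. The audit record only names a factor when that factor actually satisfied the policy, so a stale push approval does not show up in the trail as if it had authorised the transition.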