
Case Study: How Acme Corp Reduced Account Takeovers by 99%

October 10, 2025 · 12 min read

Jeff Emele

Head of Customer Success

Acme Corporation

Enterprise SaaS Platform

  • 2,500+ employees
  • 50K+ B2B customers
  • $200M annual revenue
  • Global operations

Acme Corporation, a leading B2B SaaS platform serving over 50,000 businesses, faced a growing crisis: account takeover attacks were increasing 300% year-over-year. Here's how they turned things around with AffirmID.

The Challenge

As Acme's platform grew, so did the attention from attackers. Their customer accounts contained sensitive business data—financial records, customer lists, and proprietary information. A successful account takeover could expose not just one business, but their customers too.

Before AffirmID: The Problems

  • 150+ account takeovers per month costing $500K+ annually in support, remediation, and lost customers
  • Credential stuffing attacks hitting their login page 2M+ times per month
  • SMS-based 2FA adoption at only 12%—most users found it too inconvenient
  • Customer trust eroding with two high-profile breaches in the past year

"We knew our SMS-based 2FA wasn't working. Only a fraction of users enabled it, and those who did complained constantly. But we couldn't just remove it—we needed something better."

— David Park, CISO at Acme Corporation

The Solution

Acme evaluated several authentication providers and chose AffirmID for three reasons:

  1. Push-based authentication. One-tap approval is faster and easier than typing SMS codes—crucial for user adoption.
  2. Device attestation. Requests are verified to come from genuine, uncompromised devices—blocking emulator-based attacks.
  3. Easy API integration. Their development team could integrate in days, not months.

The Implementation

Acme rolled out AffirmID in three phases over 90 days:

Phase 1: Internal Rollout (Days 1-30)

Started with their 2,500 employees. Required MFA for all internal systems with AffirmID as the primary method. Kept SMS as backup during transition.

Result: 98% employee adoption in 2 weeks

Phase 2: Enterprise Customers (Days 31-60)

Rolled out to enterprise tier customers (5,000 accounts). Offered MFA as opt-in with in-app prompts explaining the benefits. Provided dedicated onboarding support.

Result: 78% enterprise adoption within 30 days

Phase 3: All Customers (Days 61-90)

Extended to all 50,000+ customers. Made MFA required for admin accounts. Strong encouragement (not requirement) for all users. Progressive prompts based on risk signals.

Result: 67% overall adoption, 95% admin adoption

The Results

The impact was dramatic and immediate:

  • 99% reduction in account takeovers (from 150/month to less than 2)
  • 67% MFA adoption rate (up from 12% with SMS-based 2FA)
  • $450K annual cost savings (support, remediation, and fraud)
  • 0 security incidents post-rollout (12 months and counting)

Key Success Factors

Several factors contributed to Acme's successful implementation:

Executive sponsorship

The CEO personally communicated the importance of security, setting the tone from the top.

User-friendly experience

Push notifications were so much easier than SMS codes that users actually wanted to enable MFA.

Progressive rollout

Starting with employees let them learn and refine before customer deployment.

Clear communication

Users understood why MFA mattered and how it protected them.

Dedicated support

AffirmID's team provided hands-on assistance during each rollout phase.

Lessons Learned

Acme's security team shared several lessons from their implementation:

"Don't underestimate the power of a good user experience. Our SMS 2FA adoption was stuck at 12% for years. Within weeks of launching AffirmID, we hit 67%—and that number keeps climbing. Users aren't resistant to security; they're resistant to friction."

— David Park, CISO at Acme Corporation

  1. Start with your own team. Internal rollout surfaces issues before customers see them.
  2. Make it easy, not mandatory (at first). Encouragement with great UX beats requirements with poor UX.
  3. Measure everything. Track adoption, support tickets, and security incidents to show ROI.
  4. Communicate the "why." Users are more likely to adopt when they understand the risks.
  5. Have a fallback plan. TOTP backup codes ensured no one was locked out during the transition.

What's Next for Acme

Building on their success, Acme is now planning:

  • Requiring MFA for all users (not just admins) in 2026
  • Implementing biometric confirmation for high-value transactions
  • Adding identity verification for account recovery
  • Exploring passwordless authentication with passkeys
