CTA Okta Authentication Optimization — Statement of Work

Date: December 15, 2025
Client: Consumer Technology Association (CTA)
Author: Brainforge AI


1. Overview

This Statement of Work defines Brainforge’s engagement to assess, optimize, and potentially redesign CTA’s authentication infrastructure centered around Okta. The project addresses critical friction points in both workforce authentication (staff, contractors) and customer authentication (150,000+ CES registrants), while evaluating cost optimization opportunities and alternative solutions. Brainforge will deliver a comprehensive discovery assessment, vendor evaluation, and phased implementation roadmap to reduce user friction, improve security posture, and potentially achieve significant cost savings.


2. Objectives

  • Reduce Authentication Friction: Eliminate excessive password prompts for workforce users and simplify customer login experience for CES registrants
  • Optimize Costs: Evaluate alternatives to the current $260,000/year Okta spend, particularly the poor fit of monthly active user pricing for a seasonal business model
  • Improve Security Posture: Address policy exceptions, increase FastPass/Collide enrollment, and standardize workforce authentication
  • Enable Vendor Compliance: Document and improve OIDC implementation across vendor ecosystem to reduce custom authentication workarounds
  • Provide Executive Decision Framework: Deliver ROI analysis and recommendations for quick wins vs. platform migration to enable leadership buy-in

3. Scope of Work

3.1 In-Scope

Discovery & Assessment (Phase 1)

  • Audit current Okta configuration for both workforce and customer tenants
  • Map authentication flows for all user journeys (staff login, contractor onboarding, CES registration, vendor SSO)
  • Document policy rules, exceptions, and order-of-operations issues
  • Analyze FastPass and Collide enrollment rates and identify gaps
  • Inventory all systems integrated with Okta and assess OIDC maturity
  • Review customer support ticket data related to authentication issues
  • Analyze monthly active user distribution across calendar year to understand pricing impact
  • Document Active Directory to Entra migration impacts

Vendor Evaluation (Phase 2)

  • Evaluate 3-5 authentication platform alternatives including Auth0, Clerk, and other modern identity providers
  • Compare pricing models against CTA’s seasonal usage patterns
  • Assess migration complexity and vendor support for CTA’s specific use cases
  • Conduct reference checks with nonprofit/event-based organizations
  • Document feature parity analysis (workforce SSO, customer identity, MFA options, passwordless)

Recommendations & Roadmap (Phase 3)

  • Identify quick wins achievable within current Okta setup (estimated effort, timeline, ROI)
  • Deliver ROI model comparing current state vs. alternative platforms (5-year TCO)
  • Provide migration roadmap with phases, risks, and resource requirements
  • Document policy change recommendations requiring executive approval
  • Deliver vendor negotiation strategy for current or new contracts

Implementation Support

  • Assist with vendor contract negotiations
  • Configure authentication flows based on chosen path (Okta optimization or new platform)
  • Develop migration plan and support execution if platform change approved
  • Implement quick wins identified in Phase 3
  • Establish monitoring and alerting for authentication health metrics

3.2 Out-of-Scope

  • Full platform migration execution without separate Phase 4 approval
  • Custom authentication development beyond configuration of chosen platform
  • Email deliverability improvements (separate workstream)
  • Ongoing managed services or long-term authentication platform support
  • Changes to vendor applications requiring their engineering resources
  • Workforce training on new authentication methods
  • Device procurement or MDM solution implementation

4. Requirements & Inputs

Access & Permissions

  • Administrative access to both Okta tenants (workforce and customer)
  • Access to Okta support tickets and change logs
  • Active Directory / Entra ID configuration documentation
  • Collide and FastPass enrollment data
  • Customer support ticket data related to authentication

Documentation

  • Current Okta contract and pricing details
  • Inventory of systems integrated with Okta
  • Vendor integration documentation (where available)
  • CES registration flow documentation
  • Authentication policy documentation and approval history

Stakeholder Availability

  • Jay Heavner (IT Lead): Weekly technical deep dives, policy review sessions
  • Katherine Bayless (Data Operations): Bi-weekly strategic alignment meetings
  • Customer service team representative: Interview regarding common support issues
  • Sample vendors: Interviews regarding OIDC implementation challenges

Data & Metrics

  • Monthly active user data for past 24 months (both tenants)
  • Customer support ticket volume by category (authentication-related)
  • Workforce size including seasonal temp staff patterns
  • CES registration funnel metrics and drop-off analysis

5. Deliverables

Phase 1: Discovery & Assessment

  • Current State Assessment Report
    • Authentication flow diagrams (workforce and customer journeys)
    • Policy rules documentation with identified friction points
    • System integration inventory with OIDC maturity scores
    • Enrollment gap analysis (FastPass, Collide)
    • Cost analysis with MAU distribution visualization
  • Executive Summary (2-3 pages)
  • Open Questions Log (items requiring further CTA input)

Phase 2: Vendor Evaluation

  • Vendor Evaluation Matrix (comparison across 8-10 criteria)
  • Pricing Comparison Model (interactive spreadsheet with TCO projections)
  • Migration Complexity Assessment for top 2-3 candidates
  • Reference Check Summary from peer organizations

Phase 3: Recommendations & Roadmap

  • Quick Wins Report (3-5 initiatives achievable within 30-60 days)
  • ROI Analysis comparing optimization vs. migration scenarios
  • Platform Recommendation with rationale
  • Migration Roadmap (if applicable) with 3-phase approach
  • Policy Change Proposal for executive review
  • Vendor Negotiation Strategy document

Phase 4: Implementation Support (Optional)

  • Implementation project plan with timeline and resource requirements
  • Configured authentication flows in chosen platform
  • Migration runbooks and testing protocols
  • Monitoring and alerting configuration
  • Post-implementation optimization recommendations

6. Project Timeline

Phase 1: Discovery & Assessment (Weeks 1-3)

  • Week 1: Kickoff, access setup, initial Okta audit
  • Week 2: Stakeholder interviews, flow mapping, policy documentation
  • Week 3: Data analysis, integration inventory, draft report

Phase 2: Vendor Evaluation (Weeks 4-5)

  • Week 4: Vendor demos, pricing analysis, migration assessment
  • Week 5: Reference checks, feature parity analysis, evaluation summary

Phase 3: Recommendations & Roadmap (Weeks 6-7)

  • Week 6: Quick wins identification, ROI modeling
  • Week 7: Final recommendations, executive presentation preparation, roadmap delivery

Phase 4: Implementation Support (Timeline TBD based on Phase 3 recommendations)

  • Dependent on chosen path and CTA leadership approval
  • Estimated 6-12 weeks for optimization track OR 12-16 weeks for migration track
  • Timeline to be scoped separately following Phase 3 completion

Total Discovery Duration: 7 weeks (Phases 1-3)


7. Assumptions

  • CTA stakeholders (Jay Heavner, Katherine Bayless, customer service team) are available for scheduled meetings and ad-hoc questions
  • Administrative access to Okta and supporting systems will be provided within first week
  • Current Okta contract documentation and pricing details can be shared with Brainforge
  • CES 2026 registration launch timeline is September 2025 ± 2 weeks (Labor Day), allowing time for pre-event implementation if urgent
  • No major organizational restructuring or M&A activity during project that would impact authentication requirements
  • Historical data on monthly active users is available and reasonably accurate
  • CTA is open to policy changes that improve security and user experience, pending executive approval
  • Vendor cooperation for OIDC maturity interviews is achievable with CTA introductions

8. Risks

Risk | Impact | Mitigation
Okta contract renewal deadline conflicts with decision timeline | High | Identify renewal date immediately; negotiate extension if needed to allow proper evaluation
Vendor integrations too immature for modern OIDC | Medium | Document integration improvement requirements as separate track; prioritize vendors with greatest authentication friction
Executive resistance to policy changes | Medium | Build ROI case with user productivity and security benefits; benchmark against peer organizations; propose pilot approach
Pre-CES implementation window too short | High | Identify quick wins safe to implement pre-event; phase larger changes to post-CES 2026 timeline
Hidden migration complexity in vendor dependencies | Medium | Conduct thorough integration inventory early; engage vendors proactively in Phase 2; build contingency time into Phase 4 plan
Cost savings not sufficient to justify migration effort | Low | Evaluate non-cost benefits (user experience, security, operational efficiency); consider quick wins within Okta as primary recommendation
Multiple authentication platforms needed for different use cases | Medium | Evaluate hybrid approach (e.g., workforce on one platform, customer on another); model costs and operational complexity

9. Acceptance Criteria

Phase 1 Acceptance:

  • Current state assessment accurately reflects CTA’s authentication landscape per stakeholder validation
  • All authentication flows documented with stakeholder sign-off
  • Policy rules and exceptions cataloged with business rationale captured
  • Cost analysis includes 24-month MAU history with seasonal patterns identified

Phase 2 Acceptance:

  • Minimum 3 vendor alternatives evaluated with complete pricing models
  • Migration complexity assessment includes effort estimates and risk ratings
  • Feature parity analysis covers all current Okta capabilities in use by CTA

Phase 3 Acceptance:

  • Quick wins are actionable with clear effort estimates and success metrics
  • ROI model includes 5-year TCO for optimization and migration scenarios
  • Platform recommendation includes clear rationale tied to CTA’s business priorities
  • Migration roadmap (if applicable) addresses all identified integration dependencies

Phase 4 Acceptance (if engaged):

  • Implemented solution meets acceptance testing criteria
  • All authentication flows function as designed with documented test results
  • Monitoring and alerting operational and validated
  • CTA team trained on configuration and basic troubleshooting

10. Communication Plan

Regular Meetings:

  • Weekly Technical Working Session (60 min): Jay Heavner + Brainforge team
  • Bi-weekly Strategic Alignment (30 min): Katherine Bayless + Uttam Kumaran
  • Phase Gate Reviews (60 min): End of Phase 1, 2, 3 with Katherine, Jay, and relevant stakeholders

Async Communication:

  • Dedicated Slack channel for daily questions and updates
  • Shared workspace (Google Drive or equivalent) for documentation and deliverables
  • Weekly status email summarizing progress, blockers, and upcoming milestones

Escalation Path:

  • Blockers requiring executive input routed through Katherine Bayless
  • Technical blockers with Okta or vendors escalated immediately to Jay Heavner
  • Timeline risks communicated within 24 hours of identification

11. Open Questions

These questions were not fully addressed in discovery conversations and will be answered during Phase 1:

  1. Okta Contract: What is the current contract end date and renewal structure? Are there early termination clauses?

  2. System Integration Inventory: What is the complete list of systems integrated with Okta, including custom applications and vendor systems?

  3. Policy Rule Details: Can we obtain the specific Okta policy rules configuration and order of operations causing friction?

  4. Enrollment Metrics: What percentage of workforce is currently enrolled in FastPass? In Collide? What are the barriers to full enrollment?

  5. MAU Distribution: Can we get monthly active user counts for past 24 months broken down by tenant (workforce vs. customer)?

  6. Support Ticket Analysis: What is the volume of authentication-related customer support tickets? What are the top 5 categories of issues?

  7. Workforce Sizing: What is the baseline staff count? What are seasonal fluctuations (Q4 temp staff)? How many contractors require authentication?

  8. Risk Tolerance: What is CTA’s appetite for authentication changes in the 6-8 months before CES 2026 (Jan 2026 event)?

  9. Vendor OIDC Maturity: Which vendors have you identified as having the weakest OIDC implementations causing most friction?

  10. Previous Evaluation: When Auth0 was evaluated last year, what were the specific reasons it wasn’t selected beyond cost? What requirements would need to be met to reconsider?

  11. Leadership Exceptions: Which specific policy exceptions exist for senior leadership? Are these negotiable or fixed requirements?

  12. Email Deliverability Scope: Is email deliverability (DMARC, SPF, DKIM, SendGrid) part of this authentication workstream or a separate project?


12. Pricing

Pricing to be provided separately based on final scope confirmation following review of this SOW.

Estimated Ranges for Planning:

  • Phases 1-3 (Discovery, Evaluation, Recommendations): 7 weeks of engagement
  • Phase 4 (Implementation Support): Timeline and pricing dependent on Phase 3 recommendations and CTA leadership decisions

Brainforge will provide detailed pricing proposal following initial SOW review meeting.


13. Sign-Off

By signing below, both parties acknowledge understanding and agreement with the scope, deliverables, timeline, and approach outlined in this Statement of Work.

Client (CTA):

Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: _______________________

Brainforge AI:

Name: Uttam Kumaran
Title: Managing Lead
Date: December 15, 2025
Signature: _______________________


Appendix A: Key Stakeholders

Name | Role | Involvement
Jay Heavner | IT Lead / CTO | Primary technical contact, Okta administrator, weekly working sessions
Katherine Bayless | Director of Data Operations | Strategic sponsor, bi-weekly alignment, executive liaison
Alex Flex | Customer Service Lead | Customer authentication pain points, support ticket analysis
[CES Team Lead] | CES Operations | Registration flow requirements, CES-specific needs

Appendix B: Success Metrics

Brainforge will track these metrics during discovery to establish baseline and measure improvement:

User Experience Metrics:

  • Workforce: Average daily password prompts per user
  • Workforce: FastPass enrollment rate (target: 95%+)
  • Workforce: Collide enrollment rate (target: 90%+)
  • Customer: Authentication failure rate during registration
  • Customer: Password reset request rate
  • Customer: Support ticket volume (authentication category)

Cost Metrics:

  • Monthly active users (MAU) by month
  • Cost per MAU (current state)
  • Projected annual authentication platform cost

Security Metrics:

  • Percentage of workforce using passwordless authentication
  • Percentage of policies with exceptions
  • Vendor OIDC compliance rate

Operational Metrics:

  • Authentication-related support tickets per 1000 users
  • Average time to resolve authentication issues
  • Number of manual workarounds required for vendor integrations