What happens when a decades‑old system that lawyers rely on every day is suddenly forced to change the locks — and the locksmiths are overwhelmed? The PACER MFA rollout has been answering that question in real time, leaving attorneys on hold for hours, court clerks scrambling to help, and judges warning of delayed dockets. The move to mandatory multi‑factor authentication is a necessary upgrade for security, but the way it was implemented exposed predictable weak points: overwhelmed help desks, ill‑tested account recovery flows, and a user base with widely varying technical resources.
MFA rollout creates immediate user pain
PACER (Public Access to Court Electronic Records) is the federal judiciary’s repository for millions of filings, briefs, opinions and other court records. For decades it has been indispensable to litigators, journalists and researchers, even as users grumbled about its aging interface and fee model. This summer and fall, the Administrative Office of the U.S. Courts began enforcing mandatory MFA for PACER accounts. Security experts applauded the step; the rollout itself, however, has been chaotic.
Lawyers reported being on hold for up to five hours as court staff “hand‑held” users through enrollment. Clerks and court IT personnel faced surges of support calls and in‑person assistance requests. Several courts warned publicly that case processing and document access could be delayed while users struggled with the new authentication steps. The immediate problem was logistical: a massive, sudden spike in enrollment attempts overwhelmed support channels and revealed that many users — solo practitioners, pro se litigants, older attorneys, and nonprofits — lacked the devices, knowledge, or time to comply smoothly.
Why the technical side mattered
Integrating MFA into a legacy application like PACER requires thorough testing of user flows, account recovery, exceptions, and capacity. When those safeguards aren’t fully operational, legitimate users can be locked out, producing the very help‑desk calls that further strain staff. Best practices in technology deployments—staged rollouts, stress testing, and robust fallback options—reduce these chokepoints. The PACER experience shows what happens when security policy outpaces operational readiness.
The consequences go beyond inconvenience
Access to court documents is foundational to transparency and fair process. Delays retrieving filings can impede litigation deadlines, hinder journalists covering unfolding stories, and pile extra burdens on parties already navigating tight court calendars. The judiciary itself acknowledged that enrollment problems could slow court operations. For small firms and solo practitioners, lost hours in virtual queues translate directly to lost billable time and delayed client matters. For pro se litigants and underresourced legal aid organizations, any added hurdle risks deterring participation in the court system.
Diverging perspectives on cause and consequence
– Security advocates: MFA is long overdue. Multi‑factor authentication significantly reduces credential‑stuffing and account takeover, common threats against legal accounts. Short‑term friction, they argue, is an acceptable tradeoff for long‑term security.
– Technologists: The disruption was predictable and avoidable. Phased enrollments, expanded support staffing, clear recovery procedures, and user testing would have reduced outages. Retrofitting security into legacy systems without operational capacity invites failure.
– Policy observers: This episode highlights the tension in public institutions between protecting sensitive data and preserving accessibility. Mandating MFA answers a real cyberthreat, but it also requires investment in support and infrastructure that many courthouses lack.
– Practitioners: Frontline attorneys and court users are blunt: the rollout cost productivity and introduced new procedural risk. Nonprofits and pro se litigants worry that higher friction will disproportionately affect the most vulnerable.
The adversarial angle: attackers vs. workarounds
Hardening PACER accounts removes a clear avenue for threat actors hunting weak authentication. But when legitimate users face delays, pressure builds to relax controls or adopt risky workarounds. Those second‑best fixes — shared credentials, temporary exemptions, or insecure recovery shortcuts — would benefit opportunistic attackers and ultimately undermine the security the MFA rollout sought to deliver.
Short‑term fixes and practical remedies
The judiciary’s Communications Office issued guidance and some courts extended deadlines or offered in‑person help, which eased but did not eliminate the backlog. Experts recommend several practical steps to reduce disruption while preserving security:
– Staged rollouts tied to user volume and risk profiles, rather than a single mandatory switch.
– Expanded staffing for support lines and temporary field teams during transition windows.
– Improved self‑service recovery options and clear, plain‑language instructions tailored to nontechnical users.
– Alternative MFA methods that accommodate low‑technology users (for example, hardware tokens or email‑based codes where feasible) while maintaining security standards.
– Pre‑rollout communications campaigns, sample walkthroughs, and targeted outreach to vulnerable user groups such as pro se litigants and small‑firm practitioners.
A test case in modernizing public systems
The PACER MFA rollout is a microcosm of a broader challenge in government technology: modernize services to meet contemporary security standards without undermining accessibility. The tradeoffs are real, but stakes in the justice system are particularly high because delays and barriers can affect rights, deadlines and public trust.
Did the courts underinvest in user support, or was the urgency of addressing cyberthreats so great that short‑term disruption was unavoidable? The answer likely contains elements of both. Whatever the cause, the PACER MFA rollout illustrates a key lesson: security improvements are as much about people and processes as they are about code. If institutions don’t plan for both technical safeguards and the human support needed to adopt them, they risk protecting systems while disrupting the people who depend on them — and that is a hollow victory.
Conclusion: MFA rollout must be security plus service
The PACER MFA rollout shows why mandatory security measures need to be married to operational capacity. MFA is essential to protect court systems from increasingly sophisticated attacks, but successful implementation requires staged deployments, robust support, and inclusive alternatives for users with limited technology access. Getting that balance right preserves both security and the accessibility crucial to a fair, functioning justice system.




