Incentives
If you believe something will move the needle for security, would you be willing to put your money on it? I’m not asking you to gamble on a new technology or invest in a new tech company. This is a tactic to engage users in security-minded behavior.
Recently, we were in a position to recommend that developers for one of our clients turn on two-factor authentication (2FA) for their GitHub accounts. Why does this matter? To protect the code and any credentials stored with it. Although it is not a good practice, configuration files containing credentials are often stored in a code repository, sometimes by accident. In 2016, Uber experienced a high-profile data breach in which a hacker obtained access to the company's client and employee data through credentials checked into a code repository. Two-factor authentication may have been enough to deter the hack, which led to financial loss and even potential criminal liability for Uber. Last year, there were also reports of Google Chrome extension developers coming under phishing attacks.
Without a mandate, will employees voluntarily turn on 2FA? One way to incentivize them is with a small bonus or giveaway. Each person on the team who shows a screen capture of their 2FA settings turned on is entered for a chance to win a gift card, a Friday afternoon off, etc.
Think about the people in your workplace who have superuser access or access to the most sensitive information. IT administrators? Payroll? Purchasing? HR? If you can't require two-factor authentication, try to incentivize its use through giveaways or other rewards. And keep in mind that two-factor authentication may not be the control that reduces your most significant threat; it may be something else. Litmus test for importance: willingness to spend financial resources on it.