Step 2: Require Two-Factor Authentication for All Users

It’s also important to require 2FA for all your employees. Your business email provider should allow you to toggle a setting that requires it to be set up for everyone, and if not, should at least tell you who has and who hasn’t set it up.

Remember how we discussed the different types of two-factor authentication? This is the point where you have to think a bit more about which types of two-factor authentication you use. You are going to start having accounts that have really sensitive access, like the administrator account to your business email provider. They have what is referred to as “privileged access,” which means they have permissions to perform risky actions like changing users or security configurations, so you want to make sure the security measures for accessing these accounts are as strong as they can be.

For your administrator accounts, you want to use stronger 2FA setups. This includes using hardware security keys or push notifications to your phone. It is unfair to assume that your staff know how to use a security key (or even know what they are, and how to keep them safe)—they don’t get security training and are not expected to be technically skilled. It is OK for them to use the other forms of 2FA, such as a code delivered via text message, if their accounts don’t have any administrative access.

But My Team Can’t Do Two-Factor Authentication Because …

In 2010, 2FA was a weird, new, crazy thing security people did. Google Authenticator (the app for getting one-time password tokens for 2FA) had just been created and published.

In 2015, 2FA was still not mainstream, but was picking up popularity. This was around the time sales of Yubico (the maker of the popular hardware security key, Yubikey) started booming after some successful partnerships and system integrations.

In 2018, 2FA was gaining popularity as the main step you could take to protect your digital accounts. Yet at that time, Google revealed over 90% of Gmail users did not have 2FA enabled.

Today in 2022, 2FA is indispensable. Even the popular video game Fortnite gave their users free in-game content to entice them to turn on 2FA.

If employees are still unfamiliar with 2FA, you may use this as an opportunity to echo the security culture and values you want your business and employees to live.

There may be some valid reasons for having challenges with 2FA, such as:

• A shared mailbox user account that needs to be accessed by more than one person.

• You want to give a copy of your passwords to someone else “just in case” you can no longer access them.

• The 2FA options available are not accessible to employees with disabilities, or employees don’t have a smartphone to receive a call, text message, or app notification.

While these are valid challenges, there are always other options to explore, such as:

• Using 2FA features available in your password manager. This means when you share the password with another employee using your password manager, they get the 2FA code along with it.

• Using a physical security key locked within an office safe, that you and another team member can access.

• Picking a business email provider that provides multiple 2FA options, and helping your employees pick and set up one that works for them.

• Working closely with an employee who can’t access 2FA to make sure they set a long, unique password and can keep it somewhere safe. That password will be their account’s only line of defense, so making sure the employee sets that up safely will be very important.

​danger​ Disabling 2FA for an account needs to be an exception, not the rule. As mentioned earlier, we are aiming for “secure by default.” If you deviate from that rule, exceptions need to be made on a case-by-case basis.