# Two-Factor Herd Immunity: Mozilla 2-factor authentication

Recently Mozilla (you may know them as Firefox) [moved to require](https://blog.mozilla.org/addons/2019/12/09/secure-your-addons-mozilla-org-account-with-two-factor-authentication/) all add-on authors to use two-factor authentication. They did this out of concern about supply-chain attacks. Specifically, these 3rd-party add-on authors were the subject of ongoing spear-phishing attacks aimed at gaining control of the software that people like you and me have installed.

I've [written](https://www.agilicus.com/the-supply-chain-security-risk-in-action-eslint/) about supply-chain attacks [before](https://www.agilicus.com/docker-hub-hack-secure-your-supply-chain/). It's a huge risk. It means things can work their way into the interior of your trusted sphere, put there by **you** as you deploy things.

It's this supply chain that is one of the drivers of my key philosophy: [Defense In Depth](https://www.agilicus.com/project/defense-in-depth/). It's Defense in Depth that caused me to choose a Shield on a Compass as a logo: the shield represents defense, and the compass represents the threat vectors, including east-west (internal to internal).

I am so happy to see a big name like Mozilla moving to require 2FA. I use 2FA for everything I can, and so does everyone on team Agilicus. I dream of the day when sites like GitHub **enforce** 2FA rather than merely make it optional.

You see, there's this concept called [Herd Immunity](https://en.wikipedia.org/wiki/Herd_immunity). The concept is that once you inoculate enough of the population, the rest are also dramatically protected. If we took a couple of key, large, popular sites and got them to force the use of Two-Factor Authentication, their users would then start using it elsewhere. And so on. And then, well, most people would use it everywhere and would **demand** proper 2FA on all sites (including their [banks](https://blog.donbowman.ca/2019/10/03/canadian-banks-still-dont-have-2fa-who-are-the-real-criminals-here/)).

And once this happy state happens, spear-phishing becomes much less effective and the criminals move on elsewhere.

So, Mozilla, I salute you. You picked an audience that was capable of enabling 2FA, you did the right thing in making it mandatory, and I hope others follow.