Two-Factor Herd Immunity: Mozilla 2-factor authentication


Recently Mozilla (you may know them as Firefox) moved to require all add-on authors to use two-factor authentication. They did this because of the concern about supply-chain attacks. Specifically, these 3rd-party add-on authors were the subject of ongoing spear-phishing attacks, trying to gain control of the software which people like you and me have installed.

I’ve written about supply-chain attacks before. It’s a huge risk. It means things can work their way into the internals of your trusted sphere, put there by *you* as you deploy things.

It’s this supply chain which is one of the drivers of my key philosophy: Defense In Depth. It’s Defense in Depth that caused me to choose a Shield on a Compass as a logo: the shield represents defense, and the compass represents the threat vectors, including east-west (internal to internal).

I am so happy to see a big name like Mozilla moving to require 2FA. I use 2FA for everything I can, and so does everyone on team Agilicus. I dream of the day where sites like GitHub *enforce* 2FA rather than merely make it optional.

You see, there’s this concept called Herd Immunity. The concept is, once you inoculate enough of the population, the rest are also dramatically protected. If we took a couple of key, large, popular sites, and got them to force the use of Two-Factor Authentication, their users would then start using it elsewhere. And so on. And then, well, most people would use it everywhere and would *demand* proper 2FA on all sites (including their banks).

And once this happy state happens, spear-phishing becomes much less effective and the criminals move on elsewhere.

So, Mozilla, I salute you. You picked an audience that was capable of enabling 2FA, you did the right thing in making it mandatory, and I hope others follow.