by eranation 2480 days ago
"Enforced mandatory Multi-Factor Authentication (MFA) for all employees when accessing Segment-owned workspaces and performing administrative actions in the Segment app."

This should always be step #1, don't wait for an incident.

3 comments

Really, what step #1 should be is getting all these applications behind an SSO/IDP, and then using the policy controls in the IDP to enforce MFA for users.

We've surveyed startup dir/security's (and the like) and this is almost universally in everyone's top 3, and the leading contender for #1.

Definitely better, I 100% agree.
Yeah, I'm surprised more people didn't bring this up. It is a very basic step that is required for a lot of security certifications. I'm actually pretty shocked Segment didn't have it in place.
MFA means all employees are now issued a yubikey to login?
Unlikely. TOTP, Duo Push, and SMS are all more popular than U2F/WebAuthn.
Yep. Those are still prone to phishing for a clever attacker and a sleepy employee. For most users, that should be fine, but for the ones with admin access to the nuclear reactor, U2F/FIDO2/WebAuthn is probably worth the extra effort.
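The difference the last two comments are pointing at (a TOTP code verifies the same no matter which site collected it, while a WebAuthn assertion is bound to the origin the browser saw) is easy to show in code. The following is an added example, not code from the thread or from Segment; it uses only the Python standard library, the RP ID `example.com`, the allowed origins, the shared secret and the challenge are all constructed values, and the WebAuthn side is a simplified relying party that checks type, challenge, origin, rpIdHash and the user-presence flag but omits the public-key signature check a real RP performs.

```python
import base64
import hashlib
import hmac
import json
import struct

# Constructed demo values (assumptions, not from the thread).
RP_ID = "example.com"
EXPECTED_ORIGINS = {"https://example.com", "https://app.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 6238 on top of HOTP, RFC 4226) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accepts the code for the current step plus/minus `window` steps of clock drift.
    Nothing here tells the verifier WHERE the user typed the code: a code collected
    on a look-alike page and relayed within the window validates identically."""
    counter = now // step
    return any(hmac.compare_digest(code, hotp(secret, counter + d))
               for d in range(-window, window + 1))


# ---- WebAuthn assertion (simplified relying-party checks; signature check omitted) ----

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple[bytes, bytes]:
    """Stand-in for browser + authenticator. The browser, not the page, writes `origin`
    into clientDataJSON and only permits an rpId equal to, or a registrable suffix of,
    the origin's host, so a look-alike site cannot claim the real RP's identity."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"browser refuses rpId {rp_id!r} for origin {origin!r}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01])                 # UP bit: user present
    sign_count = struct.pack(">I", 1)
    return client_data, rp_id_hash + flags + sign_count


def verify_webauthn_assertion(client_data_json: bytes, authenticator_data: bytes,
                              expected_challenge: bytes) -> tuple[bool, str]:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in EXPECTED_ORIGINS:
        return False, f"origin rejected: {cd.get('origin')}"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    # A real RP would now verify the signature over
    # authenticator_data || SHA-256(client_data_json) with the stored credential public key.
    return True, "ok"


def demo() -> dict:
    secret = b"constructed-shared-secret"          # constructed TOTP seed
    now = 1_700_000_000
    code = totp(secret, now)                        # what the user reads off their app
    challenge = b"constructed-32-byte-challenge!!!"  # constructed server challenge
    legit = make_assertion("https://app.example.com", RP_ID, challenge)
    # A look-alike site can only get an assertion for its own domain.
    lookalike = make_assertion("https://app-example-login.net", "app-example-login.net", challenge)
    return {
        "totp_direct": verify_totp(secret, code, now),
        "totp_relayed_20s_later": verify_totp(secret, code, now + 20),
        "webauthn_legit": verify_webauthn_assertion(*legit, challenge),
        "webauthn_lookalike": verify_webauthn_assertion(*lookalike, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the relayed TOTP code accepted (the verifier has no origin to check) and the look-alike site's assertion rejected on origin before the signature would even be examined; that origin binding, enforced by the browser and checked by the RP, is what the "extra effort" buys for the high-privilege accounts the comment mentions.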