CISA director wants Microsoft, Twitter, and others to default to 2FA

Kareem Anderson


Ahead of the Biden administration's national security strategy, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, is encouraging companies such as Microsoft and Twitter to enroll their customers in two-factor authentication (2FA) by default.

According to a report from Bloomberg, Easterly expressed her disappointment at the low multifactor authentication adoption figures that Microsoft and Twitter disclosed in their own transparency reports, in a speech she gave on Monday at Carnegie Mellon University.

Easterly's comments were prompted by her concern that a lack of basic protections and aging software are fueling ransomware attacks against a wide range of national services, including energy, supply chains, hospitals, schools, food production, and water treatment and management.

In her remarks at Carnegie Mellon, Easterly noted that only about a quarter of Microsoft's enterprise administrators use 2FA, a figure she called far too low. Twitter served as another example: fewer than 3 percent of its roughly 200 million users currently have 2FA enabled.

While Easterly is strongly encouraging companies such as Microsoft and Twitter to take more responsibility for protecting user data, she has also backed legislation that would use liability to push businesses to do more. Holding companies liable when weak default settings expose their customers to undue risk is just one of the forms of legislation Easterly has supported.

Technology manufacturers must take ownership of the security outcomes for their customers. The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers.

Easterly applauded Apple's 95 percent 2FA adoption rate, which the company achieves by defaulting customers to multifactor authentication across its devices, and encouraged the companies she criticized to follow Apple's lead.

Tangentially related, Twitter recently announced that, starting March 20, 2023, SMS-based 2FA will be available only to subscribers paying an $8 monthly fee; authenticator apps and hardware security keys remain free. The irony of Twitter's implementation is that it is switching off 2FA for users who have been relying on the free SMS option, then charging them to turn it back on.

As for Microsoft, the company has slowly been nudging Outlook, OneDrive, Office 365 and Microsoft account (MSA) holders to enable 2FA, but it will need to move much faster for system administrators, whose accounts control the security of hundreds or thousands of unsuspecting users and are therefore the most valuable targets for an attacker.

Neither Microsoft nor Twitter had responded to Bloomberg's follow-up request for comment on Easterly's speech at the time of writing.