Re: Not Surprised
I'm really surprised that there would be a question about how I'm able to enforce 2FA on all the systems I administer. @Throatwarbler Mangrove's response summed it up really rather well I felt:-
"
Admin: "Welcome to $company. You have your choice of using an RSA token or smartphone token app to log in. Please set your PIN now."
Sorted.
"
I've done this for the last 3 years with several different companies but to be fair, the largest was only about 120 people. They were in 5 offices in the UK, Hong Kong and China, as well as quite a few home based users though. It wasn't easy but it was easier than fixing a breach caused by the criminally awful passwords users choose, and easier for them to deal with than dealing with me leaving. I always explained the reasons why we were using it and made easy to follow documentation easily available (I even did a video). But the secret sauce had two ingredients: a splash of beligerence (see @Throatware Warbler's reply) and a generous helping of trickery, which was to make it as easy as possible for a few key execs, even if that meant doing everything 2FA related for them so that when people complained to them they couldn't understand what the fuss was about and told people to just do as I said.
Biting the hand that feeds IT
