Las Vegas, NV ― Black Hat ― According to insights from a security strategist at GitHub on Thursday, the success of a company’s endeavor to implement two-factor authentication (2FA) for its employees hinges on the concept of psychological safety.
During a briefing session held at Black Hat, John Swanson, the Security Strategy Director at GitHub, delved into the remarkable journey of the world’s largest open-source community, where millions of developers were guided toward adopting two-factor authentication. GitHub’s initiative was driven by the goal of enhancing global safety by safeguarding developers and fortifying the software supply chain right from its inception at the hands of developers.
“In order to reduce the chances of both open source and private software projects being compromised through social engineering or other methods of account takeover, broad use of 2FA remains the best option to harden our ecosystem’s defenses,” elaborated Swanson, introducing his talk.
Having overseen a team of incident responders and threat detection experts for four-and-a-half years, Swanson found himself at the helm of the 2FA project. His mission was clear: to implement the initiative “without users getting locked out of their accounts or increasing the workload” for GitHub’s support teams. Drawing from years spent identifying victims of account compromise and remediating those breaches, the security director recognized the pressing need to address the problem at its source.
The challenges associated with 2FA echoed a timeless security dilemma: while 2FA offers heightened security, its implementation often clashes with business objectives. Swanson recognized this conundrum and established a set of guiding principles to navigate these complexities. Among these principles, he emphasized that “security improvements must not come at the expense of user experience (UX) or make the product inaccessible.” If 2FA is not usable and durable, millions of users are not likely to enroll in the security measure.
To accomplish the mission, it was pivotal to establish interpersonal trust and collaboration across the open-source home. Many of the personnel from different departments at GitHub, such as engineering, product, security, support, customer success, sales, sales engineering, internal communications, public relations, marketing, and legal, were assembled to discuss and enforce the 2FA initiative.
“Psychological safety is especially important,” said Swanson. “We had to build and maintain a high-trust environment where folks feel safe and valued, so they can bring their best work and ideas forward without hesitation.” To make his point clearer, he showed the audience a picture of an airshow. “The pilots here have to develop an enormous sense of shared trust and accountability to fly 500 miles an hour without crashing into each other.”
For the same reason, the strategist recommended a slow transition to 2FA. For instance, it may include email reminders 45 days before the implementation and validations on 2FA setup after 28 days of adoption. “Speed kills,” stated Swanson. “We set an expectation early with our project team that if data showed that our enrollment campaign was causing the users to struggle, we slow down or pause. Slow and steady wins the race.”
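The staged timeline described above (reminders 45 days before enforcement, a validation check 28 days after enrollment, and a pause rule driven by enrollment data) can be modelled as a small campaign controller. The following is an added illustration, not GitHub's own tooling; the 45- and 28-day offsets come from the talk, while the cohort structure, the lockout and support-ticket thresholds, and the sample cohort figures are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Timeline from the talk: remind 45 days before enforcement,
# validate 2FA setup 28 days after a user enrolls.
REMINDER_LEAD_DAYS = 45
VALIDATION_LAG_DAYS = 28

# Assumed guardrail thresholds (not from the talk): a cohort whose lockout
# or support-ticket rate exceeds these fractions is "struggling".
MAX_LOCKOUT_RATE = 0.02
MAX_TICKET_RATE = 0.05


@dataclass
class Cohort:
    """One wave of users scheduled for 2FA enforcement (assumed structure)."""
    name: str
    enforce_on: date
    users: int
    enrolled: int = 0      # users who completed 2FA setup
    lockouts: int = 0      # enrolled users who later lost access (lost device, etc.)
    tickets: int = 0       # support tickets attributed to the rollout

    def reminder_date(self) -> date:
        """First day of the reminder window: T-45."""
        return self.enforce_on - timedelta(days=REMINDER_LEAD_DAYS)

    def lockout_rate(self) -> float:
        return self.lockouts / self.users if self.users else 0.0

    def ticket_rate(self) -> float:
        return self.tickets / self.users if self.users else 0.0


def validation_date(enrolled_on: date) -> date:
    """When to confirm a user's 2FA setup still works (recovery codes, second factor): T+28."""
    return enrolled_on + timedelta(days=VALIDATION_LAG_DAYS)


def cohort_is_struggling(c: Cohort) -> bool:
    """The 'speed kills' signal: too many lockouts or tickets means slow down or pause."""
    return c.lockout_rate() > MAX_LOCKOUT_RATE or c.ticket_rate() > MAX_TICKET_RATE


def next_action(c: Cohort, today: date) -> str:
    """What the campaign should do for one cohort on a given day."""
    if today < c.reminder_date():
        return "wait"
    if today < c.enforce_on:
        return "remind"     # reminder window: T-45 up to the day before enforcement
    return "enforce"        # from enforcement day on, require 2FA at sign-in


def plan_campaign(cohorts: list[Cohort], today: date) -> dict[str, str]:
    """
    Walk cohorts in enforcement order. The first active cohort that shows
    struggle is paused, and every later cohort is held back rather than advanced.
    """
    plan: dict[str, str] = {}
    paused = False
    for c in sorted(cohorts, key=lambda x: x.enforce_on):
        if paused:
            plan[c.name] = "paused"
            continue
        action = next_action(c, today)
        if action != "wait" and cohort_is_struggling(c):
            plan[c.name] = "pause"
            paused = True
        else:
            plan[c.name] = action
    return plan


if __name__ == "__main__":
    # Constructed sample data for three rollout waves.
    today = date(2024, 3, 1)
    waves = [
        Cohort("wave-1", date(2024, 2, 1), users=1000, enrolled=950, lockouts=8, tickets=20),
        Cohort("wave-2", date(2024, 3, 15), users=5000, enrolled=1200, lockouts=150, tickets=90),
        Cohort("wave-3", date(2024, 5, 1), users=20000),
    ]
    for name, action in plan_campaign(waves, today).items():
        print(f"{name}: {action}")
```

With the sample data, wave-1 is past enforcement and healthy, wave-2 is in its reminder window but its lockout rate (3%) exceeds the assumed 2% threshold, so it is paused and wave-3 is held back. The thresholds are the part a real team would tune from its own support and lockout data.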
Furthermore, customer-facing roles were highlighted. Considering business process, policy, and awareness, the teams for support, customer success, and sales were essential. “Engage your PR, marketing, and internal communications teams to be clear, consistent, and transparent by using multiple forms of communication,” stressed Swanson.
The director shared his strategic planning template for public use. The template guides security teams through exploring the problem space in order to set adequate objectives and operating principles.
The quotes in this article were condensed and edited for clarity.