MFA for All Access Points

Standard Procedure

This procedure outlines how to enforce Multi-Factor Authentication (MFA) for all team members and any external collaborators we work with on key platforms such as Twitter, GitHub, Discord, Telegram, and other critical applications.

Step 1: Notify Team Members and Collaborators

  1. Communication: Send an official email or message through internal communication channels (Slack, email, etc.) informing everyone of the new security policy to implement MFA.

    • Key points to include:

      • Rationale for MFA implementation (enhanced security, protecting sensitive data, preventing unauthorized access)

      • Deadline for completion (e.g., within the next 7 days)

      • Links to resources or guides for setting up MFA on required platforms

Step 2: Identify Required Platforms

  • The following platforms will require MFA for all accounts:

    1. Twitter

    2. GitHub

    3. Discord

    4. Telegram

    5. Any other productivity or social media tools (e.g., Google Workspace, Microsoft 365, Slack, etc.)

Step 3: Setting Up MFA for Each Platform

Twitter

  1. Log into Twitter.

  2. Go to Settings and privacy > Security and account access > Security.

  3. Click Two-factor authentication and enable one of the following methods:

    • Text message (SMS)

    • Authentication app (recommended)

    • Security key (optional for additional security)

  4. Follow the prompts to set up your preferred method.

GitHub

  1. Log into GitHub.

  2. Go to Settings > Security > Enable Two-factor Authentication.

  3. Choose either:

    • Authentication App (recommended for GitHub)

    • SMS Authentication

  4. Follow the steps to complete the setup.

Discord

  1. Log into Discord.

  2. Go to User Settings > My Account > Enable Two-Factor Authentication.

  3. Install an authentication app and scan the provided QR code.

  4. Save backup codes for account recovery.

Telegram

  1. Open Telegram on your device.

  2. Go to Settings > Privacy and Security > Two-Step Verification.

  3. Set up a password for two-step verification.

  4. Optionally, add an email for account recovery.

Other Platforms (Google Workspace, Slack, Microsoft 365, etc.)

  1. Google Workspace: Log into your Google account > Security > 2-Step Verification > Follow the steps.

  2. Slack: Log into Slack > Account Settings > Two-Factor Authentication > Enable 2FA using SMS or an authentication app.

  3. Microsoft 365: Log into your Microsoft account > Security settings > Additional security options > Enable MFA via app, SMS, or security key.

Step 4: Secure Storage of Web3 Wallet Seed Phrase in a Password Vault

  1. Importance of Securing the Seed Phrase:

    • The seed phrase for your Web3 wallet is the key to your assets and accounts on the blockchain. If compromised, it can lead to loss of funds and unauthorized access.

    • Ensure that every team member using a Web3 wallet securely stores their seed phrase in a password vault. Never store seed phrases in plaintext or on unsecured devices.

  2. Procedure for Securing the Seed Phrase:

    • Choose a Password Vault: Use a trusted and secure password manager, such as 1Password, LastPass, or Bitwarden, to store your seed phrases. Ensure the vault itself has MFA enabled.

    • Add the Seed Phrase:

      1. Open your password vault and create a new entry.

      2. Name the entry according to the wallet (e.g., “MetaMask Wallet Seed Phrase” or “Ledger Wallet Seed Phrase”).

      3. Enter the seed phrase in the secure note section of the vault.

      4. Optionally, add any related information such as wallet address or backup method (if necessary).

    • Encrypt and Back Up: Ensure your password vault is encrypted and has a reliable backup solution. This will safeguard the seed phrase in case of device loss or failure.

    • Never Share the Seed Phrase: Reiterate that seed phrases should never be shared with anyone, even within the team. If seed phrases are ever needed for recovery, the authorized team member should handle it directly.

  3. Admin Verification:

    • The IT or security admin should verify that all team members have securely stored their seed phrases by requesting confirmation that the entry exists (never the seed phrase itself).

    • Periodically audit this process to ensure continued compliance with security protocols.

Step 5: Verification and Documentation

  1. Self-verification: Once MFA is set up, each individual must confirm setup via email or an internal form.

  2. Admin verification: IT or security team members should verify MFA status for critical accounts by requesting screenshots (with sensitive data redacted) or using platform security dashboards to track activation.

  3. Record-keeping: Maintain an internal record of MFA completion by team members and collaborators. Use a secure spreadsheet or management tool to log MFA status for each person/platform.

Step 6: Follow Up with External Collaborators

  1. External Notification: Send a similar MFA enforcement message to all external collaborators or contractors we work with, asking them to:

    • Set up MFA on relevant platforms.

    • Confirm completion with a response or proof (screenshot, email confirmation).

  2. Non-compliance: If external collaborators do not comply, limit or restrict access to shared resources until they meet the security requirements.

Step 7: Periodic Reviews

  1. Quarterly Audits: Perform regular security audits every quarter to ensure MFA compliance is maintained across all platforms.

  2. Policy Updates: Update the team and external collaborators if additional platforms or security measures become necessary.

Step 8: Support and Troubleshooting

  1. Provide step-by-step guides, links to help centers, or offer IT support for anyone experiencing difficulties setting up MFA.

  2. Ensure that backup recovery options are in place (backup codes, recovery emails) in case of lost devices or authentication issues.

By following these steps, we can enhance our security and ensure that all team members and collaborators are adequately protected across essential platforms while safeguarding critical Web3 wallet seed phrases.
