I got an email today from one of my vendors letting me know that they'll be requiring 2FA beginning January 12. I logged into my account, and in doing so learned that I had already set up 2FA.
A couple of things:
1) I logged in to set it up, thinking they must not have offered it before. It turned out that it was there as an option, and of course I had enabled it when I created the account some time ago.
2) I’m also thinking, “What!!!??? This is a major global provider of OT/ICS equipment, and they’re just NOW getting around to making 2FA mandatory?”
My guess is they realized they needed it to be mandatory, not optional, for CMMC compliance.
It’s too bad that it takes regulation to make companies do the right thing.
1