How to 2FA Everything Pt 1

Developers must sell in order to build

Darrell Jones III
Two-Factor Everything
Oct 18, 2016


In helping a bunch of different companies integrate 2FA, I’ve learned that my job as a salesperson is less about selling and more about Engineer Coaching. On virtually every technical team, there’s at least one engineer who really wants to improve security, but no one listens to them. They’re silenced. My job is to help them develop a voice.

Develop more than software; develop a voice.

The whole ordeal honestly feels like a weird outtake from Hitch, except instead of seducing romantic partners, our aim is to convince reluctant colleagues. It’s weird, but it works. And it helps the devs feel like they have a bit more control over what they’re building.

There are a bunch of different steps I usually walk them through, but for small technical teams (<5 stakeholders), it typically starts with defining consequences for inaction. Sales folk would call this FUD (fear, uncertainty, and doubt), but we’re coaching, not selling.

Define Consequences for Inaction.

I help the engineer find out what scary things could happen if a data breach occurred. How much would it cost to clean up a breach? How much consumer data would be compromised, etc? We record the questions and answers.

After we document the hypothetical, we move on to diagnosing the current setup. We poke holes in the current customer authentication flow, noting as many vulnerabilities as possible.

Once we have a strong grasp of the costs of a breach and vulnerabilities in our current offering, we’re ready to make the approach. Some engineers like to drip questions/messages through Slack, others like to bring them up in Standups. The particular style is less pertinent than the preparation.

Next Steps

When we’ve gotten the team aware of the problem and bought into doing something about it, we’re almost home free. At this point, the developer doesn’t really need my help anymore. The dev can either:

a. Propose a few different options with pros/cons, specs

b. Just ship it.

More times than not, the dev just ships the product, the team signs off, and everyone is happier about improving security.

I find this whole coaching process to be far more rewarding for both parties than simply selling software. I’ve got a few more tips to share, but for now, I’d love to hear what you think and any specific areas you’d like to see me address in my next post.

Darrell leads business development at Clef. If two-factor authentication has been in your backlog for months, but still hasn’t gotten prioritized, check out Clef’s new product Instant2FA.com — it’s two-factor authentication that takes minutes to integrate instead of weeks.
