security-alliance · shallem · Apr 8, 2026 · Apr 8, 2026
diff --git a/docs/pages/config/contributors.json b/docs/pages/config/contributors.json
@@ -665,5 +665,19 @@
       { "name": "New-Joiner", "lastActive": "2026-03-17" },
       { "name": "Active-Last-7d", "lastActive": "2026-03-23" }
     ]
+},
+"shallem": {
+    "slug": "shallem",
+    "name": "Seth Hallem",
+    "avatar": "",
+    "github": "https://github.com/shallem",
+    "twitter": "https://x.com/seth_certora",
+    "website": "https://www.certora.com/",
+    "company": "Certora",
+    "role": "steward",
+    "job_title": null,
+    "description": "Steward of Opsec framework",
+    "badges": [
+    ]
   }
 }
diff --git a/docs/pages/opsec/mfa/overview.mdx b/docs/pages/opsec/mfa/overview.mdx
@@ -3,6 +3,9 @@ title: "Multi-Factor Authentication | Security Alliance"
 tags:
   - Security Specialist
   - Operations & Strategy
+contributors:
+  - role: wrote
+    users: [shallem]
 ---
 
 import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
@@ -15,7 +18,32 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
 <TagList tags={frontmatter.tags} />
 <AttributionList contributors={frontmatter.contributors} />
 
-Placeholder for Multi-Factor Authentication content
+As noted in the Overview, MFA is necessary but not sufficient as an OpSec strategy. That said, if you have not yet
+implemented MFA you are making a grave mistake. Changing course had better be the first thing on your agenda
+as soon as you stop reading this page.
+
+Not all MFA is created equally. I recommend the following:
+
+1. **Stay away from text and email as MFA methods.** There are innumerable reasons why neither of these methods
+   is a good idea. Suffice it to say, best practices have long since outlawed these MFA methods.
+
+2. **TOTP (e.g., Google Authenticator) is good but not great.** Why? It is easy enough to trick users into
+   entering TOTP codes into a phishing site. The methods cited below are more difficult to exploit. Also, any manual typing is susceptible to keyloggers.
+
+3. **Push-based MFA is better.** Why? Because initiating a push notification on iOS/Android requires that the
+   device itself be enrolled with the identity provider. Phishing sites cannot initiate a push notification to
+   the Gmail app, for example, without a major compromise of Google's infrastructure.
+
+4. **Passkeys are the best.** Biometrics are hard to fake, and in a world where attackers are looking for low
+   hanging fruit, passkeys protected by biometric factors are typically too hard for them to reach.
+
+5. **Key admins (e.g., your G Suite admin) should be using Yubikeys.** They are inexpensive and easy. There is
+   no excuse here for not protecting the keys to the castle with the industry gold standard for MFA.
+
+Once you have MFA in place, you are ready to move on to the next step in your Opsec framework. However, before you declare your MFA
+journey a success, make sure you haven't forgotten any of your communication tools along the way. In this
+industry we often use a combination of X, Signal, and Telegram, and each of them can and should be protected
+with an additional authentication factor. Also note that the more you allow one-off sign-ins to each tool that you use, the more you have to be concerned with the MFA features of every individual tool. Implementing single sign-on as much as possible is the best way to enforce MFA across every tool that you use.
 
 </TagProvider>
 <ContributeFooter />
diff --git a/utils/fetched-tags.json b/utils/fetched-tags.json
@@ -486,6 +486,18 @@
     "/guides/account-management/vercel": [
       "DevOps Accounts"
     ],
+    "/guides/endpoint-security/hardware-security-keys": [
+      "Security Specialist"
+    ],
+    "/guides/endpoint-security/password-manager-endpoint-hardening": [
+      "Security Specialist",
+      "Operations & Strategy",
+      "Engineer/Developer"
+    ],
+    "/guides/endpoint-security/ssh-client-and-key-management-hardening": [
+      "Engineer/Developer",
+      "Security Specialist"
+    ],
     "/guides/endpoint-security/zoom-hardening": [
       "Security Specialist",
       "Operations & Strategy"
@@ -895,7 +907,8 @@
     ],
     "/opsec/endpoint/overview": [
       "Security Specialist",
-      "Operations & Strategy"
+      "Operations & Strategy",
+      "HR"
     ],
     "/opsec/google/overview": [
       "Community & Marketing",
@@ -1269,45 +1282,45 @@
     ]
   },
   "sectionMappings": {
-    "Community Management": "community-management",
+    "AI Security": "ai-security",
     "Awareness": "awareness",
-    "Operational Security": "opsec",
-    "OpSec Core Concepts": "opsec",
-    "While Traveling": "opsec",
-    "Wallet Security": "wallet-security",
-    "Signing & Verification": "wallet-security",
-    "Multisig for Protocols": "multisig-for-protocols",
-    "Multisig Administration": "multisig-for-protocols",
-    "Operational Runbooks": "multisig-for-protocols",
-    "For Signers": "multisig-for-protocols",
+    "Community Management": "community-management",
+    "DevSecOps": "devsecops",
+    "Isolation & Sandboxing": "devsecops",
+    "DPRK IT Workers": "dprk-it-workers",
+    "Encryption": "encryption",
+    "ENS": "ens",
     "External Security Reviews": "external-security-reviews",
     "Smart Contract Audits": "external-security-reviews",
-    "Vulnerability Disclosure": "vulnerability-disclosure",
-    "Infrastructure": "infrastructure",
-    "Domain & DNS Security": "infrastructure",
-    "Monitoring": "monitoring",
     "Front-End/Web Application": "front-end-web-app",
+    "Governance": "governance",
+    "Identity and Access Management IAM": "iam",
     "Incident Management": "incident-management",
     "Playbooks": "incident-management",
     "Incident Response Template": "incident-management",
     "Templates": "incident-management",
     "Runbooks": "incident-management",
-    "Threat Modeling": "threat-modeling",
-    "DPRK IT Workers": "dprk-it-workers",
-    "Governance": "governance",
-    "DevSecOps": "devsecops",
-    "Isolation & Sandboxing": "devsecops",
+    "Infrastructure": "infrastructure",
+    "Domain & DNS Security": "infrastructure",
+    "Monitoring": "monitoring",
+    "Multisig for Protocols": "multisig-for-protocols",
+    "Multisig Administration": "multisig-for-protocols",
+    "Operational Runbooks": "multisig-for-protocols",
+    "For Signers": "multisig-for-protocols",
+    "Operational Security": "opsec",
+    "OpSec Core Concepts": "opsec",
+    "While Traveling": "opsec",
     "Privacy": "privacy",
-    "Supply Chain": "supply-chain",
-    "Security Automation": "security-automation",
-    "Identity and Access Management IAM": "iam",
+    "Safe Harbor": "safe-harbor",
     "Secure Software Development": "secure-software-development",
+    "Security Automation": "security-automation",
     "Security Testing": "security-testing",
-    "AI Security": "ai-security",
-    "ENS": "ens",
-    "Safe Harbor": "safe-harbor",
-    "Encryption": "encryption",
+    "Supply Chain": "supply-chain",
+    "Threat Modeling": "threat-modeling",
     "Treasury Operations": "treasury-operations",
+    "Vulnerability Disclosure": "vulnerability-disclosure",
+    "Wallet Security": "wallet-security",
+    "Signing & Verification": "wallet-security",
     "Guides": "guides",
     "Account Management": "guides",
     "Endpoint Security": "guides",