Security Engineer at Rocket Chat
Enterprise messaging platform forced to spill secrets
The recommendation is always to make 2FA mandatory by default and to educate users about the importance of enabling additional security mechanisms. Even a low-privileged user who has not enabled 2FA is a risk: if an attacker hijacks any trusted account, it can be used for social engineering inside the company to exfiltrate private data.