- Enable 2FA - Passkey - Managed by vault and rotate every 3/6/12 months (depending on the risk level) - Recovery Codes - Rotate every 3/6/12 months (depending on the risk level) - TOTP - Managed by Vault and rotate every 3/6/12 months (depending on the risk level) - Trusted Devices - Secure autogenerated vault managed password and rotate every 3/6/12 months (depending on the risk level) - Trusted recovery email - Revoke old/unused device and app accesses - Revoke unused app codes and rotate old ones