As part of continuously improving the security of Cumulocity, we plan to roll out two-factor authentication on administrative user accounts as a default (instead of an option, as it is currently). We believe that this reduces the chances of unauthorized access to data.
There is one thing that existing users need to be aware of: With two-factor authentication as default for administrative users, you cannot use these users for devices. Obviously, devices cannot enter the second factor. So please make sure that your devices do not use administrative users.
We strongly recommend to use very limited permissions for devices whenever devices leave your development. By default, the standard device registration process in Cumulocity will take care of this and we encourage you to make use of it.