Locking Down Your Email: The First Step to Securing Your Online Accounts


We all rely on digital accounts to manage our daily lives, from email and social media to online banking and shopping. However, with convenience comes a risk: these accounts can be vulnerable to cyber attacks and unauthorized access. This is why securing your online accounts is essential to protecting your personal and professional information from hackers, identity thieves, and other bad actors.

In this blog post, we'll focus on the first steps you can take to secure your most important online account. Your main email account is often the primary means of communication for personal and professional purposes, and it's also often used for password resets on other accounts.

We'll cover a basic security measure everyone should take: enabling two-factor authentication. By following these steps, you can significantly reduce your risk of falling victim to a cyber attack and ensure that your personal information remains safe and secure.

Let's get started!

2 Factor Authentication

Two-factor authentication is a simple and effective way to add an extra layer of security to your online accounts. With 2FA, you'll need to provide a code or accept a prompt in addition to your password to access your account. This code or prompt is usually sent to your phone or email, or generated by an authentication app. Another option for 2FA is to use a hardware security key, which is a physical device that you plug into your computer or mobile device to authenticate your login.

Enabling 2FA is a simple process that usually involves going to your account settings and turning it on. Most major online services and social media platforms, including Google, Twitter, and LinkedIn, offer 2FA options, and many of them also support hardware security keys.

When setting up 2FA, you'll typically have a few options for receiving the authentication code, such as via SMS or a dedicated authentication app like Microsoft Authenticator, Google Authenticator or Authy. It's generally recommended to use an authentication app or hardware security key over SMS, as SMS can be vulnerable to interception by attackers. But something is better than nothing.

Using 2FA can significantly reduce the risk of unauthorized access to your accounts, even if your password is compromised. It's an easy and effective security measure that everyone should use to protect their online accounts.

2FA options

Let's go through the different options to implement 2FA and then see how to do it in your email platform.

Device Prompts

You can select from a list of devices that are associated with your account to be prompted when you try to log in from a new device or perform a security-sensitive action. You will get a notification on those devices asking you whether the access should be allowed.

This assumes that you are in control of those devices and that nobody else is. If someone else can use the devices you pick and guesses your password, they could allow themselves to log in from a new device and take over.

Make sure not to share your devices, and use strong passcodes and biometrics to lock them.

This works with Apple devices for iCloud; devices with Google accounts for Google; and with the Microsoft Authenticator app for Microsoft accounts.

Security Keys

Security keys are small and can often be carried on your keyring or on a necklace. They connect to your devices, usually by USB or NFC, and you have to physically touch them to grant access to your account. This is a great security option, but it requires you to purchase a security key, so it might not be useful as an immediate step for this blog post. It's definitely something I recommend investigating and applying down the road.

This assumes you are in control of your security key and nobody else is. If someone has your security key and guesses your password, then they can grant access to themselves and take over.

YubiKeys are my favourites.

Authenticator Apps

These apps work by generating a code that changes every few minutes, much like the tokens many banks hand out; these just happen to be software based instead of a stand-alone device. You then enter this code into the login screen when requested after your password. Examples of these are Microsoft Authenticator, Authy, Google Authenticator and Duo.

This assumes you are in control of the device where the app is installed and nobody else is. If someone else has access to the device and guesses your password, they can take over.

Make sure not to share your devices, and use strong passcodes and biometrics to lock them. You can also generally lock the authenticator apps themselves with biometrics and a PIN.

SMS or Call

This method is similar to the authenticator app but instead of using an app to generate the code, you receive the code in an SMS or a phone call.

This assumes you are in control of your phone number, which is not the same as being in control of your phone. Although it's not common, there have been cases of phone number takeover in which an attacker pretends to be the victim and gets the phone company to assign the phone number to a SIM card they possess, thus receiving all of the victim's 2FA codes. This attack is very effective because it doesn't just deliver the codes to the attacker; it also makes the victim lose control of the phone number they are expected to call from to ask for help.

That doesn't happen very frequently, but a determined attacker could execute it. This is why I don't recommend this method unless it's the only method supported by the service you are trying to protect. SMS 2FA is better than no 2FA, but there's no excuse for it nowadays; see the other methods.

Backup Codes

This is the method of last resort. These codes are always generated when you set up any of the previous methods, and you are prompted to store them in a secure place. Please don't skip that.

The backup codes are a list of several very short codes that you can use to access your account. You can use each of those codes only once.

This method is useful in emergencies, when you can't use any of the previous methods. For example, if you don't have access to:

  • Your prompt devices (Far away, lost, stolen or without battery)
  • Security Key (Far away, lost or stolen)
  • Authenticator app (uninstalled and wiped out; device far away, lost, stolen or no battery)
  • Phone number (phone or SIM card far away, lost or stolen; phone number stolen by phishing the phone company; no cellular connectivity)

In those scenarios you can indicate that you can't use any other method and you'll be prompted to enter one of the codes. After successfully using one of the codes make sure to strike that one out, since you can use it only once. If you used a lot of the codes and are running short, you can go and generate a new set to be ready for next time.
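As an added example (not code from the original post or from any particular provider), this is how a service can issue and redeem backup codes with the two properties described above: each code works exactly once, and the service never stores the codes themselves, only salted hashes, so a database leak does not hand them to an attacker. The alphabet, code length, code count and the "running short" threshold are assumptions chosen for the example; real providers pick their own.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: lowercase letters and digits minus 0/o/1/l/i, so a code
# copied onto paper is not misread when typed back in.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 8
CODE_COUNT = 10
LOW_WATER_MARK = 3      # assumed: warn the user to regenerate below this


def _hash(code: str, salt: bytes) -> bytes:
    """Salted SHA-256. The codes are random and high-entropy, so a fast hash
    is adequate here; the salt stops precomputed tables across accounts."""
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def normalize(entered: str) -> str:
    """Accept what a stressed user types: any case, with or without the
    dash or spaces shown on the printed sheet."""
    return entered.lower().replace("-", "").replace(" ", "")


def generate(count: int = CODE_COUNT, length: int = CODE_LENGTH):
    """Returns (codes_to_show_once, records_to_store). The plaintext list is
    displayed to the user exactly once; only `records` is persisted."""
    codes, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash(raw, salt), "used": False})
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")  # print-friendly
    return codes, records


def redeem(records, entered: str) -> bool:
    """Try to spend a backup code. Returns True and marks it used on success;
    an already-used or unknown code is rejected. Every record is checked with
    a constant-time comparison so the loop does not reveal which one matched."""
    candidate = normalize(entered)
    matched = None
    for rec in records:
        if hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"]):
            matched = rec
    if matched is None or matched["used"]:
        return False
    matched["used"] = True
    return True


def remaining(records) -> int:
    """How many unused codes are left; below LOW_WATER_MARK the user should
    generate a fresh set, which invalidates the old ones."""
    return sum(1 for rec in records if not rec["used"])


def running_short(records) -> bool:
    return remaining(records) < LOW_WATER_MARK


if __name__ == "__main__":
    shown, stored = generate()
    print("Write these down and keep them somewhere safe:")
    for c in shown:
        print("  ", c)
    print("first use accepted:", redeem(stored, shown[0]))
    print("second use of same code rejected:", not redeem(stored, shown[0]))
    print("codes left:", remaining(stored))
```

The "strike it out" step the post recommends on paper is exactly what the `used` flag does on the server side, and generating a new set means throwing away the old `records` list, which is why the old sheet stops working once you regenerate.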

Let's do it now

Here are the instructions for enabling 2FA on Google, Apple and Microsoft accounts. I couldn't find a step-by-step guide from Hey.com, but they support it.

Last considerations

You need to consider your risks and different scenarios. 2FA makes your account more difficult to hack, but it could also make it difficult for you to access your account if you lose access to the second factor. Don't let this deter you from improving your security. Just back up those backup codes and think about the different scenarios you could face and what you would do.

A typical example: you are on a trip, and your backpack gets stolen with your phone, all your digital devices and your hardware security key. Let's say you manage to get hold of a phone or computer; you try to get into your accounts, but you realize you don't have access to SMS, your hardware key, the other devices that could grant you access, or your authenticator app. 😨 Do you have backup codes with you?

Please don't get sad thinking about this; just prepare yourself for such a scenario. For example, Google and Apple offer options to designate a trusted person who can grant access to your account in such scenarios. But we'll get back to how to address this in a future post. For now, pick a method, implement it, write your backup codes down on paper and store them in one or more secure locations.


If you have questions, find me on Twitter. And subscribe to be notified of new posts.