Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication items to verify themselves. This process protects both the user’s credentials and the user’s account.

Download Auth For Android, iPhone, Mac, and Windows Computers

Things to Know

• Secure Yourself by Using Two-Step Verification on These 16 Web Services
• What Happens If I Use Two-Factor Authentication and Lose My Phone? by Lifehacker.com
• How to Avoid Getting Locked Out When Using Two-Factor Authentication by How-To-Geek
• Secure Yourself by Using Two-Step Verification on These 16 Web Services
• Here’s Everywhere You Should Enable Two-Factor Authentication
• List of websites and whether or not they support 2FA.
• Secure Your Accounts and Passwords With a Hardware Token
• LifeHacker – How Do I Get Into My Email If I’ve Lost My Recovery Codes?

Protect Your Accounts

Most digital accounts have settings that can help regain control of your account if it’s compromised. However, before your account is compromised, the recovery settings must be set up. 

These are the things you can do:

• Create a PIN for logins and password changes. A PIN is critical to set up with your cellular carrier, as it’s a great defense against SIM hijacking.
• Use a two-factor security method, for example, Google Authenticator or Authy, instead of SMS-based 2FA logins. For extra security, use a hardware token to protect your accounts.
• Create and record Backup codes (some accounts use the term Grid or Recovery code, etc.) They all are one-time use recovery access for your account. These codes should be printed and stored in a safe place (fireproof safe, safe deposit box, or at least off-site).
• Use security recovery questions that are not related to your personal life. I answer the security questions with random text generated by my password manager and store them in each site’s password manager notes area.
• Don’t use your smartphone phone number from your accounts, if possible. (If a phone number is needed, use a Google Voice number for your sensitive accounts.)
• Use long, randomized, and unique passwords for each account.
• Use a secure password manager.
• Don’t use services like (Google, Facebook, Twitter, etc.) to sign in to other services; if the attacker compromises one of the services, they can access a lot more of your digital life.

You should also note account-related information that identifies you as the rightful account holder.

• When you created the account
• Previous screen names on the account
• Physical addresses associated with the account
• Credit card numbers or bank statements that show you made purchases.
• Content created by gaming accounts, such as character names, for an online video game.

Making a list of all your critical accounts will make reacting to SIM swaps or ID theft easier, as you’ll be able to quickly go through each service and change passwords, email addresses, etc. The list should be stored securely and have as a printout rather than saving it on an online service.

Cautionary Tales