Security news that informs and inspires

Guide to Securing Your Online Accounts


Remember, while we are looking at account recovery, we also need to look at general security used to protect the account. If attackers can just bypass basic controls and access your account, does it matter whether they can abuse the account recovery? Not really. Here is a list of recommended security settings for the 12 popular services we looked at.

The settings information provided below is accurate as of February 2018.

Gmail

On https://myaccount.google.com, the options are listed under the “Sign-in & security” section. You can also get to this section by clicking on the profile icon on the upper right corner of your Google screen and clicking on the My Account button.

  1. Register a phone number and a secondary email address
  2. Enable “two-step verification” on the account, such as a Security Key stored in a FIDO U2F device (preferred), or Google Prompt
  3. Set up an authenticator app
  4. Download “backup codes” for offline authentication and recovery

Yahoo

On https://login.yahoo.com/account/security turn on the following recommended settings:

  1. Register a phone number and a secondary email address
  2. Enable “two-step verification” using SMS messages. We’d prefer something more secure than SMS for 2FA, but SMS is far better than no 2FA at all.

Live.com

On https://account.live.com/proofs/Manage turn on the following recommended settings:

  1. Register a phone number and a secondary email address
  2. Enable “two-step verification” via SMS messages

Facebook

Turn on the following recommended settings under the security section on https://www.facebook.com/settings?tab=security:

  1. Register a phone number and secondary email address
  2. Enable “two-step authentication” and add a Security Key in a FIDO U2F device (preferred), or set up two-factor authentication using SMS messages.
  3. Set up authenticator app using the Code Generator
  4. Download “recovery codes” for offline authentication and recovery
  5. Send codes to three to five friends in case of needed account recovery

Twitter

On https://twitter.com/settings/account, look for the security settings under the menu choice “Account.” Turn on the following recommended settings:

  1. Register a phone number and secondary email address
  2. Enable “login verification,” which is what Twitter calls its two-factor offering. It enables 2FA via SMS messages.
  3. Set up an authenticator app
  4. Download a “backup code” for offline authentication and recovery

LinkedIn

Security settings are located in two places. Overall account security settings such as adding a phone number for password resets are on https://www.linkedin.com/psettings/account and options for enabling two-factor authentication are on the bottom of https://www.linkedin.com/psettings/privacy. Turn on the following recommended settings:

  1. Register a phone number and a secondary email address
  2. Enable “two-step verification” for 2FA SMS
  3. Ensure account information matches your government-issued ID
  4. Set up an authenticator app
  5. Download “backup codes” for offline authentication and recovery

GitHub

GitHub’s various options are explained on https://help.github.com/categories/authenticating-to-github/, which is a great place to start. Turn on the following recommended settings:

  1. Register a phone number and a secondary email address
  2. Register secondary phone for account recovery
  3. Enable “two-factor authentication” and either store the Security Key in a FIDO U2F device (preferred) or use 2FA SMS
  4. Download “backup codes” for offline authentication and recovery
  5. Set up authenticator app

Reddit

Look for the “password/email” option in the top menu on https://www.reddit.com/prefs/update/. Turn on the following recommended options:

Apple ID

On https://appleid.apple.com/account/manage turn on the following recommended settings:

  1. Register a phone number and a secondary email address
  2. Enable “two-factor authentication” for 2FA SMS
  3. Download “recovery key” for account recovery

Amazon

On https://www.amazon.com/gp/css/homepage.html/ref=nav_youraccount_ya, click on “Login & Security” to turn on the following recommended settings:

  1. Register a phone number
  2. Under the Advanced Security Settings, enable “two-step verification” for 2FA SMS
  3. Set up an authenticator app. Amazon’s 2FA is based on a Time-based One-Time Password issued via an authenticator app.
  4. Once 2FA is enabled, download “backup codes” for offline authentication and recovery

Coinbase

On https://www.coinbase.com/settings/security_settings turn on the following recommended settings:

  1. Register a phone number as well as a secondary phone number
  2. Enable “two-step verification” for 2FA SMS
  3. Change 2FA to authenticator app, recording private seed in a secure location
  4. Ensure account information matches your government-issued ID

Kraken

The password settings are on https://www.kraken.com/u/security. The link is not accessible directly (the “error message” said this was a security precaution), so log in to Kraken first and then navigate to the security page. Click on “Two-Factor Authentication” to get to the remainder of the settings. Turn on the following recommended settings:

  1. Register a phone number as well as a secondary phone number
  2. Enable “two-factor authentication” using a FIDO U2F device, following the on-screen instructions for each function except for the Master Key
  3. Set up authenticator app
  4. Set up a Master Key, and store it offline in a safe place for recovery
  5. Set up a separate password for the two-factor authentication for the Master Key, and store it in a safe place
  6. Enable two-factor authentication on the other actions: Account Login, Trading, and Funding