Secure Login Options

TL;DR

This guide shows you how to set up secure logins for your own accounts without relying on third-party sign-in (such as Google or Facebook login) unless a service specifically requires it. We cover strong passwords, two-factor authentication (2FA), passwordless methods, breach checks and account recovery.

1. Strong Passwords

  1. Length: Aim for at least 12 characters; 16 or more is better. Length adds more strength than any symbol rule, and a passphrase of several random words is both long and memorable.
  2. Complexity: Use a mix of uppercase letters, lowercase letters, numbers, and symbols (e.g., !@#$%^&*), but don’t rely on predictable substitutions such as “P@ssw0rd”. What matters is that the password is random, not that it ticks every box.
  3. Uniqueness: Don’t reuse passwords across different websites or services. One breached site should not hand an attacker your email or bank login.
  4. Password Managers: Use a password manager (like Bitwarden, 1Password, or KeePass) to generate and store strong, unique passwords for you. They make life much easier and safer. Protect the manager itself with a long master passphrase and 2FA.
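
As an added example (not code from this guide or from any password manager), the generator below shows how a manager produces passwords: from the operating system’s CSPRNG via Python’s secrets module, never from the seedable random module, and it estimates strength in bits so you can see why length and a large word list matter more than symbol rules. The symbol set, the 12-character floor and the tiny word list are constructed for the example.

```python
import math
import secrets
import string

# Character classes the guide recommends mixing. The symbol set is an assumption
# for this example; sites differ in which symbols they accept.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS          # 70 characters

# Constructed, deliberately tiny word list for the demo. A real diceware list
# (for example the EFF long list) has 7776 words, about 12.9 bits per word.
DEMO_WORDS = ["anvil", "beacon", "cactus", "dahlia", "ember", "falcon", "glacier", "harbor"]


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG with every character class present.

    `secrets.choice` is backed by os.urandom; `random.choice` is a seeded PRNG
    whose output an attacker can reproduce, so it must never be used here.
    The rejection loop simply retries until all four classes appear.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def generate_passphrase(words=DEMO_WORDS, count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: `count` words drawn uniformly (with replacement)."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(generate_password(16), f"~{entropy_bits(16):.1f} bits")
    print(generate_passphrase(), f"~{entropy_bits(6, len(DEMO_WORDS)):.1f} bits (tiny list!)")
    print(f"6 words from a 7776-word list: ~{entropy_bits(6, 7776):.1f} bits")
```

The last line of the demo is the point: six words from an eight-word list give only 18 bits, six words from a real diceware list give about 77 bits, roughly the same as a 12-character random password from the full alphabet.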

2. Two-Factor Authentication (2FA)

2FA adds an extra layer of security by requiring a second verification method in addition to your password.

  1. Authenticator Apps: A good default for most accounts. Popular apps include Google Authenticator, Authy, and Microsoft Authenticator.
    • When you enable 2FA, the service shows a QR code (or the secret key it encodes). Scan it with your authenticator app, and save the backup codes the service offers somewhere safe.
    • The app then generates time-based one-time passwords (TOTPs), typically six digits that change every 30 seconds, which you enter when logging in. A TOTP code can still be phished: a fake login page can relay it to the real site within that 30-second window.
  2. SMS Codes: While better than nothing, SMS codes are the weakest option because of SIM swapping attacks and because they are as easy to phish as TOTP codes. Avoid if possible.
  3. Security Keys: Hardware security keys (like YubiKey or Google Titan Security Key) offer the highest level of protection. They connect over USB, NFC or Bluetooth and require you to touch the key to prove physical presence. Because the key signs a challenge bound to the website’s real domain, a phishing site cannot reuse the response.

3. Passwordless Authentication

Passwordless methods eliminate passwords altogether, replacing them with other verification techniques.

  1. Magic Links: A unique, single-use link is sent to your email address when you log in. Clicking the link within a short expiry window logs you in. Your account is then only as secure as your mailbox, so protect the email account itself with 2FA or a passkey.
  2. Passkeys (WebAuthn): This is a modern standard that uses cryptographic key pairs stored on your devices (phone, computer, or a security key) for authentication. The private key never leaves the device, and the passkey is bound to the site’s domain, so it cannot be phished or replayed on a look-alike site. Most major browsers and operating systems now support passkeys.
    • When setting up, you create a passkey tied to the website/service; the site stores only the public key.
    • Subsequent logins are approved with biometric verification (fingerprint, face ID) or your device PIN. A passkey may be bound to that one device, or synced across your devices by the platform (for example iCloud Keychain or Google Password Manager) or by a password manager that supports passkeys.
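
An added example of the server side of a magic link (not code from this guide or any product), showing the three properties that make the method safe: the token is 256 random bits from the OS CSPRNG, only its SHA-256 hash is stored so a leaked database does not contain working links, and each token expires and can be redeemed once. The base URL, path and ten-minute lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PendingLink:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkIssuer:
    """Issue and redeem single-use, short-lived login links.

    The dict below stands in for a database table keyed by the token's hash.
    Storing the hash rather than the token means an attacker who reads the
    table still cannot build a link that logs in, for the same reason password
    databases store hashes.
    """

    def __init__(self, base_url: str, ttl_seconds: int = 600):
        self.base_url = base_url                     # assumption: https://example.test
        self.ttl = ttl_seconds
        self._pending: Dict[str, PendingLink] = {}   # sha256(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a link for `email`; the returned URL is what the mail would contain."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)            # 32 bytes = 256 bits of entropy
        self._pending[self._digest(token)] = PendingLink(email, now + self.ttl)
        return f"{self.base_url}/login/verify?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email to sign in, or None if the token is unknown, expired or already used."""
        now = time.time() if now is None else now
        rec = self._pending.get(self._digest(token))
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True                              # single use: a forwarded or leaked link dies here
        return rec.email


if __name__ == "__main__":
    issuer = MagicLinkIssuer("https://example.test")
    link = issuer.issue("alice@example.test")
    print("email this:", link)
    tok = link.split("token=")[1]
    print("first click :", issuer.redeem(tok))      # alice@example.test
    print("second click:", issuer.redeem(tok))      # None
```

The lookup by hash is deliberately not a scan with string comparison: the token has 256 bits of entropy, so guessing is hopeless, and hashing before lookup keeps the raw token out of the store and out of logs.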

4. Checking for Breaches

Regularly check whether your email address or your passwords have appeared in known data breaches, and change any password that has.

  • Have I Been Pwned: https://haveibeenpwned.com is a website where you can enter your email address to see if it’s been compromised in any known breaches. The same site lets you check whether a password appears in breach data, and several password managers run that check automatically against the passwords they store.
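
An added example (not code from this guide or from Have I Been Pwned) of how the password check can be done without sending the password anywhere: the Pwned Passwords range API at https://api.pwnedpasswords.com/range/ accepts only the first five hex characters of the SHA-1 and returns every known suffix with that prefix, so the match is made locally (the k-anonymity model). The email breach lookup on the same site requires an API key, which is why the password endpoint is shown. The fetcher is injectable so the demo runs offline against a constructed sample response; the user-agent string and the counts in the sample are assumptions.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix: str) -> str:
    """Fetch the suffix list for a 5-hex-char SHA-1 prefix from the live HIBP range API."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})  # assumed UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def split_sha1(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case hex SHA-1; only the prefix leaves the machine."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times `password` appears in the Pwned Passwords corpus (0 = not found).

    The response is one `SUFFIX:COUNT` line per known hash sharing the prefix;
    the 35-character suffix of our own hash is matched against it locally.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample of what the range endpoint returns for prefix 5BAA6 (the prefix
# of SHA-1("password")). Real responses are hundreds of lines; the counts here are made up.
SAMPLE_RANGE_5BAA6 = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2D2A86D0B1CD3C3A8F5E1F3A3D0B8F5E0E9:7
"""


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range_live, serving only the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, sample_fetch)} times (sample data)")
```

Swap `sample_fetch` for the default `fetch_range_live` to query the real service; the prefix is all that appears in the request, so the check is safe to run on passwords you actually use.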

5. Account Recovery Options

  1. Recovery Email: Ensure your recovery email address and phone number are up to date, and that the recovery account itself is protected with 2FA. Attackers who cannot beat your login often go through the weaker recovery path instead.
  2. Security Questions: Avoid easily guessable or researchable security questions (e.g., mother’s maiden name, first school). If you must use them, provide random answers and store them in your password manager, treating them as extra passwords.

6. Example 2FA Setup (Google Account)

This is just an example; the steps will vary depending on the service.

  1. Go to your Google Account security settings: https://myaccount.google.com/security
  2. Select ‘2-Step Verification’.
  3. Follow the on-screen instructions to set up 2FA using an authenticator app, a security key or a passkey, and download the backup codes in case you lose your phone.