editione1.0.0
Updated October 9, 2023I have a few email accounts; this is the burden of an IT nerd. So when going through these steps, I have to perform them for a few different accounts. I have one main personal account, one (very old) backup account that is nearly old enough to drive, and three work accounts. Here is how I work on protecting those:
For my personal account, I use four (!) layers of authentication. I stay logged in on the main devices I use every day, so I rarely have to assemble the four keys like in some dramatic rocket launch sequence. One layer is a physical hardware security key, the second is a backup physical hardware security key, and the third is a mobile device push notification, and the final is an obnoxiously long password.
My backup personal account, which I use for account recovery for my primary account, is protected by a similar four layers. I use this for any career-related accounts or subscriptions, but nowadays it is mostly there as a backup account so my main personal email doesn’t rely on a work email for account recovery.
My work accounts all use 2FA, using either push notifications or one-time password apps on my phone.
Once a year, when doing spring cleaning or avoiding writing that report I have been putting off, I will review the third-party apps and services each of those accounts use. It is helpful that the email providers for each of those accounts will also prompt me to check every now and again.
I store my passwords and backup codes in the respective personal or work password managers.
confusion Sometimes talking about my own personal security, I feel it might put off others into thinking security is too hard or too onerous. Remember that the context of how I secure my own email is slightly different to yours. As long as you follow the five steps above to protect your email accounts, you are certainly doing enough.