Official template

Two-factor authentication setup

by @Admin
Security & Emergency Preparedness

How do I set up 2FA on all my important accounts for better security?

Project plan

12 tasks
1.

Why: You cannot secure what you haven't identified, and missing a single gateway account can compromise your entire identity.

How:

  • List all accounts linked to your primary email.
  • Categorize them into 'Critical' (Banking, Email, Gov), 'Important' (Social Media, Shopping), and 'Casual'.
  • Prioritize accounts that hold payment data or personal documents.

Done when: You have a written or digital list of at least 15-20 essential accounts to secure.

2.

Why: App-based Time-based One-Time Passwords (TOTP) are significantly more secure than SMS, which is vulnerable to SIM-swapping attacks.

How:

  • Download a reputable, encrypted authenticator app.
  • Recommended: 'Aegis Authenticator' (Android) or 'Ente Auth' (Cross-platform) for open-source transparency.
  • Enable biometrics or a PIN within the app settings immediately.

Done when: The app is installed, secured with a password/biometric, and ready to scan QR codes.
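To show what the authenticator app actually does with the secret it scans, here is an added example written for this page; it is not code from Aegis, Ente Auth or any service named in this plan. It parses the otpauth:// URI carried by an enrollment QR code, derives the six- or eight-digit code exactly as RFC 4226 (HOTP) and RFC 6238 (TOTP) specify, and includes the checks a server should make when it receives a code: a small clock-skew window, a constant-time comparison, and rejection of any time step that was already accepted, so a code captured once cannot be replayed. The secret is the public RFC 6238 reference test secret; the issuer and account name in the URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 4226 / RFC 6238 reference secret (ASCII
# "12345678901234567890") wrapped in the otpauth:// URI an authenticator app
# reads from the enrollment QR code. Issuer and account name are made up.
REFERENCE_SECRET = b"12345678901234567890"
SAMPLE_URI = (
    "otpauth://totp/ExampleMail:alice%40example.test"
    "?secret=" + base64.b32encode(REFERENCE_SECRET).decode().rstrip("=")
    + "&issuer=ExampleMail&algorithm=SHA1&digits=8&period=30"
)

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret; QR payloads often omit '=' padding and add spaces."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters an authenticator app needs from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    algo = params.get("algorithm", ["SHA1"])[0].upper()
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": decode_secret(params["secret"][0]),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "hash": HASHES[algo],
    }


def hotp(secret: bytes, counter: int, digits: int = 6, hash_fn=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hash_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, hash_fn=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what the app shows)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, hash_fn)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None,
                period: int = 30, digits: int = 6, window: int = 1,
                last_accepted: int = -1, hash_fn=hashlib.sha1) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` neighbouring
    steps (clock skew), compares in constant time, and refuses any step at or
    before `last_accepted` so a code that was already used cannot be replayed.
    Returns the accepted step counter, or None when the code is rejected."""
    if at is None:
        at = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = at // period
    for delta in range(-window, window + 1):
        step = counter + delta
        if step <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, hash_fn), candidate):
            return step
    return None


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print("enrolled:", enrol["issuer"], enrol["label"])
    print("current code:", totp(enrol["secret"], period=enrol["period"],
                                digits=enrol["digits"], hash_fn=enrol["hash"]))
```

Two points worth noticing in the code: the only secret material is the base32 string from the QR code, which is why the app itself must be locked (task 2, third bullet) and why that string must never be shared; and nothing in a TOTP code ties it to the genuine website, so a code typed into a look-alike login page is valid for the attacker for the rest of its 30-second window. That origin binding is what the hardware keys in the next task add.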

3.

Why: Hardware keys give the strongest protection against phishing: the key only answers the site it was registered with, and it requires a physical touch to log in.

How:

  • Purchase two generic FIDO2/WebAuthn compliant security keys (one for daily use, one as a backup).
  • Ensure they support the ports you use (USB-C, Lightning, or NFC for mobile).
  • Keep them in a safe place until the setup phase.

Done when: You have two physical security keys in your possession.

4.

Why: Your email is the 'master key'; if a hacker gains access, they can reset passwords for almost every other service you use.

How:

  • Go to Security settings (e.g., Google Security, Microsoft Security, or Proton Mail settings).
  • Select 'Two-Step Verification' and choose 'Security Key' or 'Authenticator App' as the primary method.
  • Remove SMS/Phone number as a recovery method if the service allows it.

Done when: Login requires a TOTP code or hardware key, and you have downloaded the provided recovery codes.

5.

Why: Your password manager stores all your credentials; it must be the most heavily guarded vault in your digital life.

How:

  • Access settings in your password manager (e.g., Bitwarden, KeePassXC, or similar).
  • Enable the strongest MFA available (Hardware Key is preferred here).
  • Ensure the 'Master Password' is long (16+ characters) and unique.

Done when: The password manager requires a second factor every time you log in from a new device.

6.

Why: Financial accounts are the primary target for cybercriminals seeking immediate monetary gain.

How:

  • Log into each banking portal identified in your inventory.
  • Look for 'Security', 'MFA', or 'Login Approval' settings.
  • Use the most secure method offered (App-based push or TOTP; avoid SMS if possible).

Done when: All financial apps require a secondary confirmation for logins and transfers.

7.

Why: Services like iCloud, Google Drive, or Dropbox often contain sensitive documents, IDs, and private photos.

How:

  • Navigate to account security settings for your cloud provider.
  • Enable TOTP or Hardware Key authentication.
  • Check 'Connected Devices' and sign out of any old or unrecognized hardware.

Done when: Access to cloud files is protected by a second factor.

8.

Why: Identity theft via government portals can lead to long-term legal and financial complications.

How:

  • Access your national tax or social security portal.
  • Enable the highest level of authentication provided (often a state-issued ID app or TOTP).
  • Verify that your contact information is up to date.

Done when: Your government identity portal is secured with multi-factor authentication.

9.

Why: Hijacked social media accounts are used to scam your friends and family or ruin your reputation.

How:

  • Open settings on platforms like Meta, X (Twitter), LinkedIn, and Instagram.
  • Navigate to 'Security' -> 'Two-Factor Authentication'.
  • Scan the QR code with your Authenticator App.

Done when: All major social media profiles require a TOTP code for new logins.

10.

Why: Accounts with stored credit cards (Amazon, PayPal, eBay) are high-value targets for fraudulent orders.

How:

  • Go to 'Login & Security' on your shopping sites.
  • Enable 2FA (TOTP preferred).
  • Review and delete any old, expired credit cards stored in the accounts.

Done when: Shopping accounts are secured and payment methods are audited.

11.

Why: If you lose your phone or security key, backup codes are the ONLY way to regain access without a lengthy identity verification process.

How:

  • For every account where you enabled 2FA, locate the 'Recovery Codes' or 'Backup Codes' section.
  • Print them out on physical paper (do not store them unencrypted on your PC).
  • Place the paper in a fireproof safe or a secure physical location.

Done when: You have a physical folder containing recovery codes for all critical accounts.

12.

Why: Security is a process, not a product. New vulnerabilities emerge, and old devices should be de-authorized regularly.

How:

  • Create a recurring calendar event every 3 months titled 'Digital Security Review'.
  • During the review: check for unauthorized logins, update software, and ensure backup codes are still accessible.
  • Verify that your Authenticator App is backed up (e.g., encrypted cloud sync or manual export).

Done when: A recurring reminder is set in your calendar with a checklist for the review.
