You’ve chosen a strong password and you’ve set up two-factor authentication, which requires an additional device to authenticate on log in, so your accounts are safe, right? Not so fast—all of your online accounts and apps will have recovery processes in place to help you, should you get locked out of your accounts, and it’s essential that these too are all shored up against the threat of being exposed.
In other words, your accounts are only as secure as the weakest account recovery option. If an unwelcome visitor can get in through the back door, they don’t need to bother with the locks and security cameras fixed to the door around the front. These are the most common alternative login options, and how to keep them safe.
The old favorite: Sending a reset code to your email address because you forgot your password. No one else has access to your email account, right? Or do they? Is your recovery email address an account you haven’t used for years, with a very simple password and outdated security? If so, you might be in trouble.
Make sure your recovery email address can’t be accessed from any computers and devices you’re not actively using (most email accounts will let you do a global sign out of every device at once). It’s also worth double-checking that no one has set up forwarding or filtering rules in your inbox without your knowledge—often designed to pass on account reset links before you get a chance to see them.
Used by Google and others, backup codes let you get back into your account if your other login methods should fail—you can simply enter them as a password, which means so can anyone else who comes across them. Do not write them down on a piece of paper on your desk. Do not print them out. Do not store them as temporary drafts in another email account that could be easily accessed (see above).
Fair enough, it’s not easy to remember a dozen or so backup codes, but if you must make a note of them, at least make sure that note is secure: Locked away in a safe, for example, or inside a different app that you know is going to be well protected (such as a password manager or digital vault). They have to be kept somewhere you can access with relative ease but that everyone else stays locked out of.
One of the best protections against unauthorized access, and used by Facebook among others, is specifying some trusted friends who can let you back into your account. Short of kidnapping three or four of your friends and family and holding them against their will, it’s hard for someone else to get around it.
However, it does mean your friends need to be on their guard against attempts to impersonate you, and they need to keep their own accounts well protected. In the case of Facebook, several verification checks are in place to counter this (you need to actually call your trusted contacts to get their help, for example), but it’s still worth picking contacts with a lot of tech savviness to spare and making sure they know what they’re doing.
Apps and sites will often ask for a phone number that can be used for account recovery codes sent over SMS or an automated phone call, so it’s imperative that your number stays current and well-protected. Look out for unusual activity on your mobile account, like unexpected support requests or reset messages, and if you do get a code sent to your phone, make sure no one else knows it.
On top of that, if you do change your phone number or get a new SIM, make sure the old one is destroyed and that your details are updated inside your apps—please don’t leave your old account recovery number in a phone you’ve sold on eBay. It may seem like common sense but it does happen.
Another popular fall-back when it comes to getting back into an account are security questions, but like anything else these need some thought and consideration. Don’t pick questions and answers that other people can easily guess—like the name of your pet, a name which also happens to be plastered all over your Twitter and Instagram.
Details like your previous addresses, the middle names of your relatives, and even your first school aren’t always too difficult to find out by someone who has malicious motives. If you have to pick from a pre-approved list of security questions, look for ones that relate to information that’s not in the public domain and that’s impossible to guess.
The good news is that the big sites and apps are getting better at detecting suspicious activity and making sure you can get back into your account without too much trouble. For example, Google can recognize when you’re on the browsers and devices you usually use and when you aren’t. It also remembers your passwords, so if your current one has been changed you can help to prove your identity by entering an older one.
Not every account is going to be as well-protected as your Google one though—and as we’ve already explained, accounts with weak security that get compromised can be used as a route into your bigger, more important accounts. Take a few moments to review your account recovery options, and one day you might be glad you did.