
Security is a complex topic, so this short chapter provides a dictionary-like overview of the often confusing terminology and related concepts you’ll encounter as we discuss online accounts and security throughout this book.
Account. An account is a digital identity that you use to access a system like a PC, an online service, or a website.
Online account. An online account is an account you create on a remote system, like an online service or website, while online (connected to the Internet).
Username. An account has an associated username. For an online account, this is typically an email address.
Password. An account can also have an associated password, a string of characters known only to the account holder that’s used to authenticate that person and verify that they are the account holder. For online accounts, a password and/or other forms of authentication (as discussed below) are mandatory.
Sign in. To authenticate yourself, you sign in to an account using the username and a password and/or other forms of authentication. When you successfully sign in to an account, you gain access to whatever data it may contain and rights it provides.
The problem with passwords. Passwords are insecure. They can be easily guessed, and malicious actors use social engineering in the form of phishing attacks to impersonate a legitimate person, business, or other entity to fool you into revealing your password or other personal information.
Identity theft. If a malicious actor obtains your username and password, they gain access to the information contained by, and the rights associated with, that account. They can then steal that information or use it to impersonate you in what’s called identity theft.
Accounts associated with your identity need more scrutiny. Hacking and identity theft are particularly problematic for online accounts like those provided by Amazon, Apple, Google, and Microsoft because they often contain credit card numbers, shipping addresses, and other deeply personal information.
Multi-factor authentication (MFA). To prevent this type of crime, security organizations invented an additional layer of account protection called multi-factor authentication (MFA). The most common form of MFA requires a password and a second form of authentication (identity verification), and so you will typically see it described as two-factor authentication (2FA) or two-step authentication.
Why MFA works. The second authentication method you use with an MFA-protected account is something you know (a PIN, a one-time password or other code, the answer to a secret question, and so on), something you have (a phone or a hardware security key), and/or something you are (a biometric sign-in provided by your PC, phone, or other device, like facial or fingerprint recognition). A stolen password alone is not enough, because the attacker also needs that second factor.
Common forms of MFA include:
Be vigilant. You should protect your online accounts with whatever MFA methods each supports. A passkey is best, but authenticator app-based notifications and codes are also good, followed by getting a one-time password via email, which is better than using a text message.
The more the merrier. You should also protect your online accounts with multiple ways to verify your identity. For example, you might configure an account to send one-time passwords to one or more email addresses, send a text message to your phone number, send a sign-in notification to an authenticator app, and save a passkey in a password manager.
Use a password manager. You should use a password manager to store passwords and passkeys. Ideally, this is a third-party password manager not associated with a web browser or OS. But the primary goal is portability: This password manager needs to be available on whatever phones, PCs, and tablets you use.
Passwordless. You can enable a passwordless sign-in experience for accounts, in which case you only need to enter your username (email address) and then complete whatever MFA method you prefer to identify yourself and gain access to that account. When doing so, you will typically be required to verify your identity using the PIN or biometric authentication method you configured on that device.
Remove the password from (some) online accounts. Some online accounts, including the Microsoft account (MSA), even allow you to remove your password from the account. This may seem scary, but it’s the most secure configuration, assuming that you have correctly enabled multiple MFA methods.