
I’m not big on resolutions per se, but a new year is an obvious time to take stock and make changes. And one of the things I want to do this year is have a monthly focus when possible. So it makes sense to kick things off with a focus on ensuring that our online accounts, especially those associated with identity, payment information, and other private data, are as secure as possible.
I walked myself back to this about a month ago when I started writing a new Passkeys chapter for the forthcoming 25H2 edition of the Windows 11 Field Guide. My issues getting that out the door were great enough that I actually wrote about that in From the Editor’s Desk: A Mind is a Terrible Thing ⭐. But here’s something both remarkable and troubling: I did the same thing two years earlier when I was writing about passkeys and other security-related topics for that book’s 23H2 update and went down a rabbit hole with no bottom. So I guess I’m like Sisyphus when it comes to security, doomed to repeat the events of the past over and over.
Me going through this repeatedly is partly about how my brain works: I’m a set-it-and-forget-it kind of person, and once I’ve figured out how to correctly configure things that don’t need constant monitoring or adjusting, I move on. I wish I didn’t have to keep going through this every two years, of course, but the outcome is worth the effort. Most view security as overly complex and inconvenient, and in many cases it’s so daunting that people give up. And when it comes to security in this connected era, giving up is not the answer.
Security is a big topic, and I am inarguably not an expert. But then again, I have a lot of experience figuring this out, and I can at least communicate what I’ve learned and, as important, what I do. Yes, I make mistakes, too, but each is its own form of learning, and if my mistakes help others, too, great. I feel like I’m in a good space with this topic now. As good as I can be given my technical, but also general, focus.
As noted, this started because of passkeys. A few years ago, Microsoft added basic support for passkeys to Windows 11, and that triggered 2023/2024’s rabbit hole. This past year, it expanded that functionality with what I am calling support for external passkey managers, meaning the Microsoft Password Manager that’s integrated into Microsoft Edge and third-party passkey managers, all of which are password managers (or what should be called identity managers). To date, there are only two, 1Password and Bitwarden, but I expect others in time as well.
The ways in which one can use passkeys in Windows 11 now are legion, as we say, which explains why I ran into so many issues getting what should have been a simple and short book chapter complete over the past month. And that’s odd because a PC isn’t where most people will encounter passkeys most of the time. As a modern alternative to passwords, one that will soon be a modern replacement for passwords, passkeys are more commonly seen on mobile platforms because that’s where most of us spend the most time accessing the online accounts and services that passkeys protect.
That reality is what triggered my deeper time sucks researching and then documenting the underlying security features we see across the industry. In late 2023 and early 2024, I figured out how passkeys really work in Windows and wrote The Secret Lives of Passkeys (Premium), which is a fun history of how we got here. But more pragmatically, I also wrote about how to use passkeys with your Microsoft account (MSA) and, more broadly, how to secure your MSA for the book, and as a standalone article on the site.
Those were topics I had wanted to write about for some time: As I wrote about accounts and security in Windows 11, for the book or the site, I always wished for a “chapter 0,” or whatever, that I could reference. And now it’s there. But as I was delving into passkeys again this past month, it occurred to me that security is such a big topic that I needed another version of a “chapter 0,” or whatever. And that became the Account Security Basics chapter, which I will likely expand on before the 25H2 edition goes live. In the book, I literally link to terms in there so it can be used as a dictionary or reference.
As I wrote two years ago, security is a rabbit hole with no bottom. Every time I try to write about a specific topic, there is some foundational topic underneath it that requires its own explanation, with new terminology and concepts. How far do you want to go?
In trying to rein this in, I see the bottom, or the basics, starting with online accounts. But there are online accounts and there are online accounts, so to speak. By which I mean, yes, I may have an account at something like Yelp because maybe they require me to, but that’s not important in the sense that there’s no personal information in there waiting to be stolen. The accounts we have that are associated with our identities, with our financial and other personal information, are important. Our MSAs, our Apple, Google, and Amazon accounts. Our banking accounts. And so on. These need to be protected.
We also use some of these accounts, like those from Apple, Google, and Microsoft, to sign in to our phones, PCs, and other devices. And so there is an associated level of concern for authenticating ourselves correctly on those devices. We need to be using whichever built-in biometric protections they provide and so forth. This is what makes Windows Hello Enhanced Sign-In Security (ESS) so important on modern PCs, or Face ID or whatever on Apple devices.
In any event, it starts with these accounts, these points of attack for hackers, and then it bubbles up from there. And when I think about the security of these accounts and about the topics I would like to cover this month, I see the following at a high level:
And when you look at it at that level, it feels achievable. It doesn’t seem complex. But each of these topics is, in its own way, complex, and each bleeds into the others. Each has its own best practices and advice.
I wrote about securing your MSA two years ago, but I’m going to tackle it again to make sure it’s up to date. I wrote about the importance of using a third-party password manager last year, but whichever password (and passkey) manager you use needs to be used correctly, meaning you should remove all duplicate passwords and delete the passwords still stored in any password managers you used previously (among other things). Plus, there’s a conversation to be had about keeping authenticator app functionality separate from password and passkey management. And so on.
In short, it’s time for a check-up of sorts. This is the type of thing we should all review on some schedule. Perhaps annually. Perhaps even more frequently. Whatever the timeframe, I will start with the basics of securing our online accounts. And then we’ll see where this takes us. Please let me know if there are specific topics you think should be part of this.