Here’s a New Year’s Resolution that everyone should embrace: It’s time to take control of your online identity, which is made up of multiple accounts of varying importance.
Note: In the future, I will look much more closely at the Microsoft Account (MSA) that is at the center of so many of our digital lives, and perhaps at other top-level online accounts such as those provided by Apple and Google.
There was a ton of great feedback on my post Resolving to Revisit the Fundamentals in 2017. But the topic that really stood out, to me at least, was a repeated call for online identity management.
That’s because we all have multiple online accounts, each with its own password and other security features. And because these accounts hold our precious personal data—photos, banking records and credit card information, other personal documents, and more—properly managing and protecting these accounts, which collectively make up your online identity, is quite important.
In fact, this topic is so important that I did something I rarely do: I spoke with an expert in this field. In this case, my friend Sean Deuby, who is an identity technology analyst and a 13-year Microsoft Directory Services MVP. The goal of this conversation was simple: How does an expert in identity management protect his own online identity?
Here’s what we discussed.
Follow modern password recommendations. As he wrote in a Semperis blog post earlier this year, Microsoft in 2016 revised its password guidance in a direction that many will find surprising. “Long-held password practices fall down in the face of modern credentials-oriented attacks,” he writes. “Further, some of these policies actually increase the ease with which passwords can be compromised and should thus be changed or abandoned altogether.” Check out that post for its seven-action checklist for maximum password-based identity protection.
Enable two-factor authentication (2FA) on all of your accounts. As I wrote previously in Tip: Protect Your Online Accounts with Two-Factor Authentication, 2FA improves the security of your online account by adding a second “factor” to the authentication process used to prove that you are you. For online accounts, the first factor is always your password. The second factor is usually a code or prompt generated by a smartphone app like Microsoft Authenticator (Android, iPhone, Windows), which both Sean and I recommend, or a code sent via text message to your smartphone (a method that is falling out of favor).
Use a password manager. A good password manager will help you stop using bad (easily guessed or cracked) passwords, and it will stop you from using the same password across multiple sites. Here, Sean recommends LastPass—as do I—though there are other good choices as well. Just make sure it does all of the following: It creates and stores complex passwords, it examines your saved passwords and prevents you from using duplicates on different sites over time, it stores credit card information (for use at e-commerce sites), and it supports 2FA for its own account. Yes, there are user experience challenges with password managers, especially on mobile, but they are minor compared to data loss or identity theft. (And no, reports that “LastPass might have been hacked” should not deter you from using this or another service to protect yourself, Sean says. You’re using strong passwords and 2FA with LastPass, right?)
Reexamine your accounts on a regular basis. Sean and I spoke about the need to occasionally check in on your online accounts and make sure that all of the security settings are up to date. I suggest putting an entry in your calendar to remind you to do this: I try to do so once a quarter, and as part of this check-up, I also do things like remove old devices from my Microsoft account and perform other housekeeping tasks. Since you’re reading this now, take a few minutes to sign in to some key online accounts of your own and make sure they are adequately protected.
To be clear, each of these topics warrants a future article of its own. And as noted, I will be deep-diving into Microsoft Account management specifically as well.