MG Cloud Security Card
v3.0 · 2026-06
Personal Security Card

Pick your mode

Two modes, one bookmark. Pick the one that fits your situation right now. Your choice is saved — future visits go straight to that mode (you can switch anytime via the top bar).

Prevention & hardening mode

Set things up before something happens.

The modern playbook: passkeys everywhere supported, password manager as backstop for legacy sites, endpoint hygiene as co-equal with auth, browser compartmentalization to limit blast radius. Based on NIST SP 800-63B Rev 4 (July 2025), NCSC UK, CISA, EFF, and platform-vendor guidance.

🎯 The headline message (it's different from older guides)

Goal: zero passwords on every account that supports passkeys. Password + 2FA was the playbook for 2015-2022. The current playbook is passkey-first.

Use passkeys on Google, Microsoft, Apple, GitHub, Discord, your bank — every site that supports them. Use unique manager-generated passwords + strongest 2FA only as a fallback for sites that don't support passkeys yet (and that gap is shrinking fast).

⚠ The threat model that obsoletes older advice

Strong password + 2FA is no longer enough. Infostealer malware exfiltrates session cookies and bypasses 2FA entirely by riding your already-authenticated session. Endpoint hygiene (don't run untrusted software, browser compartmentalization, DNS filtering) is now co-equal with auth hygiene.

P1 — 5-minute baseline

Do these today, everyone

5-15 min

Sequential. Each step has expandable inline help where there's genuine nuance -- no scrolling away to find context for what you're working on.

Step 1 -- Know your exposure
  • Check HaveIBeenPwned for every email you use
    Free tool. Tells you which past breaches included your email and what data was exposed.
    haveibeenpwned.com
    What do I do if my email shows up?

    Don't panic. Most adult emails are in 5-30 breaches by now -- Collection #1, Exploit.In, LinkedIn 2012, Adobe 2013, gaming-era stuff. What matters is the data exposed, not the breach count.

    HIBP shows a "Compromised data" line per breach. Triage by THAT:

    • Attacker logs into the breached service as you
      Does a password change fix it? Yes.
      Action: change password on that site, or close the account if you don't use it.
    • Credential stuffing -- leaked password tried on your OTHER accounts
      Does a password change fix it? Not alone.
      Action: unique passwords everywhere (step 2 below). Then Pwned Passwords check on current passwords (step 1b).
    • Your CURRENT password is in a recent aggregation dump (e.g. Synthient 2025)
      Does a password change fix it? No -- you don't know until you check.
      Action: run Pwned Passwords (step 1b). Any hit -- burn that password immediately.
    • Leaked PII (name, address, DOB, phone, partial CC) used for phishing or SIM-swap
      Does a password change fix it? No -- PII can't be un-leaked.
      Action: awareness (assume phishers may know these). Carrier account PIN (P6). Credit freeze with all 3 bureaus if SSN was in scope.
    • The email itself is the recovery anchor for everything else
      Does a password change fix it? No.
      Action: do the full P2 email hardening below -- passkey, recovery info, OAuth + filter + forwarding audit.

    Bottom line: the breaches themselves are historical. Whether you're exposed TODAY is answered by working through this whole P1 list.

  • Run Pwned Passwords on your actual current passwords
    Different check from #1. Enter a password you use TODAY -- tells you if that exact password has appeared in any breach corpus. Uses k-anonymity: only the first 5 chars of the SHA-1 hash are sent. Your actual password never leaves your machine.
    haveibeenpwned.com/Passwords
    What if one of my current passwords IS in the database?

    That password is burned forever. Even if you've never reused it, attackers' credential-stuffing wordlists include it now -- the moment any service it works on gets attacked, your account is one tried-password away from compromise.

    Action:

    • Change it on every site where you use it. Don't rely on memory -- run Google Password Checkup or your manager's audit feature; it'll enumerate every site.
    • Replace with a manager-generated 20+ character random string. Don't pick a "stronger version" of the same pattern -- attackers run dictionary attacks against common patterns.
    • Never reuse that password (or close variants) again.

    If your password manager MASTER password is in the list: change the master immediately. The individual unique passwords the manager generated for sites are still safe -- they were never derived from the master.

    Check at minimum: primary email, password manager master, primary bank, anything financial. Highest-blast-radius accounts first.

Step 2 -- Password manager (or audit yours)
  • Pick a password manager -- or verify the one you have is set up right
    Single biggest security upgrade for most people. Unique strong password per site, automatic breach detection, cross-device sync.
    Which manager? Do I need a dedicated one?

    Short answer: not necessarily. For most consumers, the built-in option (Google Password Manager / Apple Passwords) is fine.

    Google Password Manager (built into Chrome) if: you live in Chrome + Android (or Chrome + iPhone). Already there, syncs automatically, breach detection, stores passkeys. Verify:

    • Signed in to Chrome with sync ON
    • Password Checkup enabled at passwords.google.com/checkup
    • Your Google account itself has strong unique password + passkey + 2FA -- your manager is only as secure as the account holding it

    Apple Passwords / iCloud Keychain if: you live in Safari + iPhone. Same logic -- built-in, free, just works.

    Bitwarden (free) or 1Password (paid) if: Firefox/Safari heavy, family sharing needed, you want zero-knowledge encryption without the Google PM recovery cliff, or you need to store SSH/API keys + secure notes. Bitwarden is open-source and zero-knowledge by default.

    The biggest security win is using ANY manager vs reusing passwords. Native-vs-dedicated is a secondary optimization.

    One thing NOT to enable by default -- Google PM on-device encryption

    Google Password Manager has an optional "on-device encryption" toggle. For typical consumers, don't enable it. Once on, it can't be turned off.

    If you forget your Google password AND lose access to all signed-in devices, your saved passwords are unrecoverable -- Google has no recovery-contact mechanism like Apple's ADP.

    Enable only if you have a threat model that requires zero-knowledge AND you accept the lockout risk. Otherwise leave it off.

Step 3 -- Vendor security checkups
  • Run Google Security Checkup
    Covers devices, 2FA, third-party apps, sign-in activity. Includes Password Checkup -- automated version of step 1b for every password saved in Google.
    myaccount.google.com/security-checkup
  • Run Microsoft Security Overview (if you have a Microsoft account)
    Hub for password, sign-in activity, security info. Microsoft is passwordless-by-default for new consumer accounts since May 2025.
    account.microsoft.com/security
Step 4 -- The single highest-leverage action
  • Set up a passkey on your primary email today
    Phishing-resistant. Replaces password + 2FA in one step. Sign in with Face ID / Touch ID / Windows Hello. Even if your password leaks tomorrow, attacker can't use it without your physical device.
    Google passkeys ↗ · Microsoft Security ↗
    What's a passkey -- is it different from 2FA?

    A passkey replaces your password AND your 2FA with a single phishing-resistant credential bound to your device.

    When you sign in, your device unlocks the passkey with biometrics (Face ID / Touch ID / Windows Hello) or your device PIN. The cryptographic proof never crosses the network -- the site only sees a one-time signed challenge.

    Why it beats password + 2FA:

    • Can't be phished -- the passkey only works on the real domain. A fake login page can't even ask for it correctly.
    • Can't be leaked in a breach -- the site only stores your public key. The private key never leaves your device.
    • Can't be guessed or brute-forced -- 256-bit ECDSA key, not a string of characters.
    • Syncs to your other devices via Google/Apple/Microsoft's E2E-encrypted vault, or stays device-bound if you prefer.

    This is why the modern goal is passkey-everywhere. Passwords + 2FA become the legacy fallback for sites that don't support passkeys yet.

P2 — High-value accounts

Do FIRST — email, identity, password manager, money

30-90 min

Tier-1 accounts. Compromise here cascades to everything else. Email is the recovery anchor for every password reset. Apple ID controls all your Apple devices + iCloud. Your password manager holds the keys to the kingdom. Banking + brokerage + crypto can't be recovered the way a social account can. Work top-to-bottom. Each chip opens its own hardening checklist with direct links to security settings.

▶ Tier 2 -- Banking + Brokerage
All major US banks support 2FA (FFIEC mandate since 2005). But quality varies WILDLY. Most consumer banks (Chase, Wells Fargo, Citi, Capital One) are still SMS-only -- no authenticator app, no hardware key. Bank of America is the only big bank with FIDO2 hardware key support (YubiKey). Brokerages are better: Fidelity supports TOTP; Vanguard supports FIDO U2F; Schwab still uses proprietary Symantec VIP. Open each chip for what's actually available.
▶ Tier 3 -- Crypto Exchanges + Wallets
No FDIC. No fraud reversal. SIM-swap is the dominant theft vector for crypto holders. NO SMS 2FA on a crypto account -- ever. Hardware key strongly preferred; authenticator app is the floor. For meaningful holdings, self-custody on a hardware wallet (Ledger / Trezor) is the real defense.

Google / Gmail — prevention

▶ START HERE

Google Security Checkup

One-stop review of devices, 2-Step Verification, saved passwords (breach check), and third-party app access. Run this first — it covers most of the items below.

Run Security Checkup ↗
Passkey-first (the modern goal)
Critical — even if you set up a passkey
Important — recovery surface

Microsoft (Outlook.com / Xbox consumer) — prevention

▶ START HERE

Microsoft Security Overview

Hub for password, sign-in activity, advanced security options, and security info. Microsoft is now passwordless-by-default for new accounts (May 2025) — existing users should consider going passwordless too.

Open Security Overview ↗
Passkey-first
  • Set up a passkey on Microsoft
    Microsoft is passwordless-by-default for new consumer accounts since May 2025. You can go fully passwordless on existing accounts too (delete your password after passkey is set up).
    account.microsoft.com → Security → Advanced
Critical
Important — recovery + persistence audit

Apple ID -- prevention

▶ START HERE

account.apple.com → Sign-In and Security

Hub for 2FA, trusted phone numbers, Recovery Contacts, Recovery Key, and app-specific passwords. Apple ID is the master account for every Apple device + iCloud -- compromise here = compromise of your phone, computer, photos, files, Apple Cash.

Open Apple ID account ↗
Passkey-first
  • Passkeys are built into iCloud Keychain
    If you're signed in to iCloud on an Apple device, passkeys work natively for any site that supports them -- no separate setup beyond Face ID / Touch ID. Apple ID itself doesn't yet use a passkey for its own sign-in; the device trust + 2FA is the mechanism.
Critical -- set recovery options BEFORE you need them
Important -- optional Recovery Key
  • Consider a Recovery Key (read warning first)
    28-character key you generate and store. Fastest recovery path. BUT: if you set this up and lose it, Apple cannot recover your account -- by design. Set up ONLY if you'll reliably store it (password manager + physical safe).
    Why is the Recovery Key so risky?

    When you enable Recovery Key, Apple's standard recovery process (which uses your trusted phone numbers + multi-day verification) is DISABLED. The Recovery Key becomes the only recovery path that doesn't require a trusted device you're already signed into.

    If you lose all your trusted devices AND lose/forget your Recovery Key, your Apple ID is permanently locked. Apple has no override.

    Recommendation: store the Recovery Key in TWO places -- password manager entry + printed copy in a physical safe. Don't enable unless you have both.

  • Audit app-specific passwords -- revoke any you don't recognize
    App-specific passwords let third-party apps (older email clients, etc.) connect to iCloud. Each is a side-channel. If you don't use any, revoke all.
    account.apple.com → App-Specific Passwords

Bitwarden -- prevention

▶ START HERE

vault.bitwarden.com → Settings → Security → Two-step Login

Bitwarden is zero-knowledge -- they cannot decrypt your vault. There is no "forgot master password" recovery. Lose the master password = lose the vault. Free tier supports authenticator app + email 2FA; Premium ($10/year) adds YubiKey FIDO2 + Duo.

Open Two-step Login ↗
Critical
  • Enable Two-step Login -- authenticator app (free tier)
    Free tier: Authenticator app (TOTP) or email. Premium adds YubiKey FIDO2/U2F + Duo. Authenticator app is the practical baseline -- email 2FA is a fallback at best.
    vault.bitwarden.com → Two-step Login
  • Master password: 14+ chars, never used anywhere else
    There is NO recovery if you forget the master password. Bitwarden cannot decrypt your vault. Use a passphrase you can actually remember (4-5 random words is stronger than a short complex string and easier to recall).
  • Save your Two-step Recovery Code
    Settings → Security → Two-step Login → "View Recovery Code." Store offline -- printed in a safe AND/OR shared with a trusted family member. Without it, losing your 2FA device locks you out.
    vault.bitwarden.com → Two-step Login
Important

1Password -- prevention

▶ START HERE

my.1password.com → Profile → Security

1Password has a unique recovery design: your account requires BOTH a master password AND a 34-character Secret Key. Both are required to sign in on any new device. Lose either, lose the vault. This is why printing + safeguarding the Emergency Kit is non-negotiable.

Open 1Password account ↗
Critical
  • Enable Two-Factor Authentication (authenticator app OR security key)
    Profile → Sign In and Recovery → Two-Factor Authentication. Supports authenticator app (TOTP) OR YubiKey / FIDO2 security key. Security key strongly preferred if you have one.
    my.1password.com → Security
  • Print + safeguard the Emergency Kit (master password + Secret Key + QR)
    Generated automatically on signup. Contains your sign-in address, email, Secret Key, and a space to write your master password. Print, store in a safe. Both Secret Key AND master password are required to recover -- lose either, lose the vault.
    support.1password.com/emergency-kit
  • Master password: 14+ chars, never reused
    No "forgot master password" path. The Secret Key (also unrecoverable from 1Password) is added entropy layered on top, but isn't a substitute for a strong master.
Important

Chase -- prevention

▶ START HERE

secure.chase.com → Profile and settings → Security and privacy → 2-Step verification

No deep-linkable 2FA page. Sign in first, then navigate.

Chase security guide ↗

Chase 2FA reality

  • Supported: SMS / email / phone call one-time codes only
  • NOT supported: TOTP authenticator app, FIDO2 hardware key
  • Passkeys exist for sign-in (rolled out 2024-2025) -- they replace your password but aren't a true second factor
  • This is below current best-practice for 2FA. Carrier PIN (P6) is the meaningful defense against SIM-swap.
Critical
  • Enable 2-Step verification (add SMS + email for redundancy)
    Sign in → Profile and settings → Security and privacy → 2-Step verification.
  • Set up a Chase passkey for sign-in (replaces password)
  • Set carrier account PIN (P6) -- the actual defense for SMS-only banks
    Call carrier (611), require PIN for account changes. SIM-swap is the documented attack path for SMS bank 2FA.
  • Enable transaction + sign-in alerts (push or SMS)
    Alerts on every charge mean fraud surfaces within minutes.

Bank of America -- prevention

▶ START HERE

secure.bankofamerica.com → Profile and Settings → Security settings → Manage SafePass

BofA is the only big US bank with FIDO2 hardware key support for consumers. Take advantage.

BofA security features guide ↗

BofA 2FA reality (the strongest of the big banks)

  • Supported: SafePass (SMS OTP), SafePass Card, FIDO2 USB security key (YubiKey, etc.)
  • FIDO2 originally introduced for "Secured Transfer" (high-risk transfers) -- now usable for sign-in too. Can enroll 2 YubiKeys.
  • NOT supported: TOTP authenticator app
Critical
  • Enable SafePass (SMS) as baseline
    Sign in → Profile and Settings → Manage SafePass.
  • Add a YubiKey (FIDO2 / USB security key) -- this is the upgrade
    Enroll 2 YubiKeys (primary + backup). Phishing-resistant, SIM-swap-proof, doesn't depend on your phone.
  • Set carrier PIN (P6) as backup for SafePass SMS fallback
  • Enable transaction + sign-in alerts

Wells Fargo -- prevention

▶ START HERE

wellsfargo.com → Security Center → Two-Step Verification at Sign-on

WF calls it "Advanced Access." No deep-linkable 2FA URL -- sign in first.

WF Advanced Access guide ↗

Wells Fargo 2FA reality

  • Supported: Push notification (WF Mobile app), SMS, email, phone call, RSA SecurID hardware token (paid, proprietary)
  • NOT supported: TOTP authenticator app, FIDO2 / YubiKey (consumer accounts)
  • WF Mobile push is the best free option -- preferable to SMS for SIM-swap resistance
Critical
  • Install WF Mobile app + enable push notification 2FA (over SMS)
  • Set carrier PIN (P6) -- SIM-swap defense if SMS is fallback
  • Enable transaction + sign-on alerts

Citi -- prevention

▶ START HERE

online.citi.com → Profile → Security Center

Citi's consumer 2FA is essentially SMS-only with no toggle to disable it -- they send OTPs based on risk signals.

Citi MFA guide ↗

Citi 2FA reality

  • Supported: SMS, email, voice call ("Citi Identification Code")
  • NOT supported: TOTP, FIDO2, hardware keys
  • Risk-based -- you can't turn it on/off, Citi triggers based on their signals
  • Below modern best-practice. Carrier PIN + alerts are your defense.
Critical
  • Verify phone + email on file in Security Center
  • Set carrier PIN (P6) -- the actual SIM-swap defense
  • Enable transaction + sign-in alerts

Capital One -- prevention

▶ START HERE

Capital One mobile app → Profile → Security → Verification Method

Push from the mobile app is preferred. Passkey support for sign-in rolled out 2025.

Capital One mobile verification guide ↗

Capital One 2FA reality

  • Supported: Mobile App push notification (preferred), SMS, email, voice. Passkey for sign-in (2025+).
  • NOT supported: TOTP authenticator app, FIDO2 / YubiKey
  • Risk-based prompting (not always on at every login) -- some users criticize this as not "true 2FA"
Critical
  • Install Capital One app + enable push notification verification
  • Set up Capital One passkey for sign-in
  • Carrier PIN (P6) + transaction alerts

Fidelity -- prevention

▶ START HERE

fidelity.com → Profile → Security Center → Multi-Factor Authentication

Fidelity added TOTP authenticator support in 2024-2025. Enable from the mobile app first, then it works on web.

Fidelity 2FA guide ↗

Fidelity 2FA reality (recently improved)

  • Supported: TOTP authenticator app (added 2024-2025 -- Google Authenticator, Microsoft Authenticator, Duo, 1Password, iOS Passwords), SMS, voice. Legacy Symantec VIP still works for existing users.
  • NOT supported: FIDO2 / YubiKey (Fidelity Security Center confirms this)
  • Authenticator app enrollment must start in the mobile app -- you can't add it on web first
Critical
  • Enable TOTP authenticator app (from Fidelity mobile app first)
    Strongest 2FA Fidelity offers. Drops SMS-as-primary entirely.
  • Set strong unique password (manager-generated)
  • Enable transaction + trade confirmation alerts

Charles Schwab -- prevention

▶ START HERE

client.schwab.com → Profile → Security Center → Two-step verification

Schwab uses Symantec VIP exclusively for app-based 2FA -- no standard TOTP.

Schwab 2FA help ↗

Schwab 2FA reality (Symantec VIP holdout)

  • Supported: Symantec VIP (mobile app OR physical token), Schwab Mobile push, SMS
  • NOT supported: Standard TOTP (Google Authenticator etc.)
  • YubiKey workaround: load the Symantec VIP credential onto a YubiKey via Yubico Authenticator -- this is a workaround, NOT official Schwab FIDO2 support
Critical
  • Install Symantec VIP Access mobile app + enroll
    It's annoying but it's what Schwab requires for app-based 2FA.
  • Strong unique password + transaction alerts

Vanguard -- prevention

▶ START HERE

investor.vanguard.com → My Profile → Security → Security Key

Vanguard supports FIDO U2F hardware keys (YubiKey). Must enable SMS first, then add key, then can remove SMS.

Vanguard trust + security ↗

Vanguard 2FA reality (FIDO U2F, the old standard)

  • Supported: SMS/voice (required first), FIDO U2F hardware security key (YubiKey), Vanguard mobile app biometrics
  • Uses older FIDO U2F (not newer FIDO2/WebAuthn passkey flow), but still phishing-resistant
  • NOT supported: TOTP authenticator app
  • Setup quirk: enable SMS first to bootstrap, add YubiKey, THEN remove SMS for phishing resistance
Critical
  • Enable SMS 2FA to bootstrap
  • Add a YubiKey (FIDO U2F) -- this is the real upgrade
    Then optionally remove SMS for max phishing resistance.
  • Strong unique password + transaction alerts

Robinhood -- prevention

▶ START HERE

Robinhood app → profile icon → menu → Security and Privacy → Two-Factor Authentication

Setup is mobile-app only. TOTP authenticator is the practical baseline; passkey support is iOS-only.

Robinhood security best practices ↗

Robinhood 2FA reality

  • Supported: TOTP authenticator app, SMS, Passkeys (iOS 16+ only)
  • Hardware key (YubiKey) support referenced in some help articles but not a clearly first-party documented flow for consumer Robinhood
  • Passkey is iOS-only -- Android users use TOTP
Critical
  • Enable TOTP authenticator (Google Authenticator, Authy, 2FAS, etc.)
    App → Profile → menu → Security and Privacy → Two-Factor Authentication. NOT SMS.
  • iOS user? Add a passkey on top of TOTP
  • Strong unique password + carrier PIN (P6)

Other bank or brokerage -- prevention

▶ START HERE

Sign in to your bank's website (type the URL directly -- never via search)

All major US banks/brokerages support some form of 2FA (FFIEC mandate since 2005). Quality varies wildly -- many regional banks are even worse than the SMS-only big banks. Find what's available and use it.

How to find your bank's 2FA
  • Sign in to your bank's main site -- TYPE the URL directly, don't search
    Bank-impersonation phishing dominates search ads. Always type or bookmark.
  • Navigate: Profile / Account / Settings -- look for Security / Security Center
  • Find: Two-Factor / Two-Step / Multi-Factor / "Advanced Security"
    If you can't find it: search the bank's help center for "2FA" / "two-step" / "MFA". If your bank truly doesn't offer 2FA at all in 2026, switch banks.
  • Enable strongest method offered: hardware key > mobile-app push > TOTP > SMS
  • Set carrier PIN (P6) regardless of which 2FA method you use
  • Enable transaction + login alerts -- push or SMS, every charge

Coinbase -- prevention

▶ START HERE

coinbase.com/settings/security

Coinbase officially recommends moving off SMS due to SIM-swap risk. Use a hardware key or passkey.

Open Coinbase security ↗

Coinbase 2FA reality (strong by exchange standards)

  • Supported: TOTP authenticator app, FIDO2/U2F security key (YubiKey), Passkeys, SMS (least recommended)
  • Security key works on desktop AND mobile browsers (WebAuthn)
  • Address allowlist available (whitelist withdrawal addresses)
Critical
  • Enable security key (YubiKey) OR passkey -- NOT SMS
    Coinbase 2FA setup guide
  • If you must use TOTP, NOT SMS -- and back up the QR/secret
  • Whitelist withdrawal addresses (Address Allowlisting)
    Limits where funds can be sent. Attacker can't drain to their own wallet without first whitelisting it (and the new address has a 48-hour hold).
  • Carrier PIN (P6) -- SIM-swap is the dominant crypto-theft vector

Kraken -- prevention

▶ START HERE

kraken.com → profile icon → Settings → Security

Kraken intentionally does NOT support SMS 2FA. Per-function 2FA toggles (Sign-in, Master key, Funding, Trading) -- you can require stronger 2FA for withdrawals than sign-in.

Kraken 2FA guide ↗

Kraken 2FA reality (strongest of the big exchanges)

  • Supported: Passkey (FIDO2/WebAuthn -- including hardware keys), TOTP authenticator app
  • NOT supported (intentionally): SMS
  • Per-function 2FA: separate factors for Sign-in / Master Key / Funding / Trading
  • YubiKey OTP (legacy) deprecated in favor of FIDO2 -- use FIDO2 mode
Critical
  • Enable passkey (FIDO2 hardware key) for Sign-in
  • Set up Master Key (separate password for sensitive ops)
    Required for some account-level changes. Adds a separate compromise barrier.
  • Enable per-function 2FA for Funding + Trading
  • Whitelist withdrawal addresses

Binance.US -- prevention

▶ START HERE

binance.us → Account → Security → 2FA

Hardware key requires enabling TOTP or SMS first. At least one 2FA method is required.

Open Binance.US security ↗

Binance.US 2FA reality

  • Supported: TOTP authenticator app, SMS, FIDO2 security key (YubiKey, Titan)
  • Security key "only supported on select devices and browsers" -- enable TOTP first, add key as upgrade
Critical
  • Enable TOTP authenticator app (NOT SMS)
  • Add FIDO2 hardware key on top of TOTP if available on your browser
  • Whitelist withdrawal addresses + enable anti-phishing code
  • Carrier PIN (P6)

Hardware wallet (Ledger / Trezor) -- prevention

⚠ This isn't a 2FA setup -- it's a different category entirely

A hardware wallet replaces hot wallets (MetaMask, Phantom) AND exchange custody with cold storage. Private keys never touch an internet-connected device. For any meaningful crypto holdings, this is the actual defense -- 2FA on an exchange doesn't help if the exchange is hacked or if you lose the account.

Critical -- if you hold significant crypto
  • Buy direct from the manufacturer -- never Amazon, eBay, or third-party sellers
    Tampered devices have shipped with pre-recorded seed phrases that drain wallets hours after first use.
    shop.ledger.com · shop.trezor.io
  • Initialize the device yourself -- generate a NEW 24-word seed
    If the device arrives pre-initialized OR with a "recovery sheet" already filled in, it's tampered. Return it.
  • Seed phrase: NEVER digital. Steel backup, in a safe.
    No photo. No iCloud Notes. No password manager entry. Write on paper for testing, then transfer to a steel plate (Cryptosteel, Billfodl, etc.) for long-term storage. Steel survives fire/water; paper doesn't.
  • NEVER share your seed -- including with "Ledger/Trezor support"
    Legitimate support will NEVER ask for your seed. Every "verify your seed" prompt via email/Discord/website is a scam. Ledger had a 2020 data breach exposing customer emails -- expect targeted phishing forever.
  • Always verify the receive address ON-DEVICE (not just the app screen)
    Address-swapping malware modifies what your computer displays. The hardware wallet screen shows the actual address being signed.

P3 — Other platforms

Hardening for the rest of your accounts

15-45 min

Lower-tier accounts (the long tail). Apple ID + master identities moved up to P2. Social platforms are the active-scam vector; gaming/dev accounts are valuable to attackers; cloud / domain / gov / productivity / shopping are the remaining surface area. Work top-to-bottom.

▶ Tier 3 — Social (active scam vector)
Discord especially — attackers pivot to friend lists within minutes. Instagram/X high-follower accounts get drained for crypto-scam posts.
▶ Tier 4 — Developer & gaming
GitHub PATs survive password change (supply-chain risk). Gaming accounts: items resold within hours, but trade-hold windows give recovery time if you act fast.

Discord — prevention

Discord-specific context

  • Discord tokens (session credentials) are the prime target. Token-grabber malware bypasses both password and 2FA. The only defense is not running malware in the first place.
  • Discord doesn't yet have native FIDO2 passkey support for consumers (as of mid-2026 — verify before assuming).
  • "Discord Staff will never DM you." Anyone DMing you about your account is a scammer.
Critical
  • Enable 2FA via authenticator app (TOTP — not SMS)
    Settings → My Account → Two-Factor Authentication. Use Authy / Google Authenticator / 2FAS. Save backup codes in your password manager.
  • Set a strong unique password (manager-generated)
Important
  • Audit Authorized Apps + Connections quarterly
    Settings → Authorized Apps and Settings → Connections. Remove unknown OAuth integrations and platform links.
  • Never run executables sent via Discord
    Discord is the dominant info-stealer delivery channel. "Free Nitro" / "free mod" / "Steam gift" links lead to token-grabbers that drain everything.

Instagram (Meta) — prevention

▶ START HERE

Meta Accounts Center → Password & Security

Unified hub for Instagram + Facebook + Threads. Password, 2FA, login activity, OAuth grants all in one place.

Open Accounts Center ↗
Critical
Important

Twitter / X — prevention

X-specific context

  • Authenticator app + security keys require X Premium ($8+/mo). SMS 2FA is free.
  • Connected apps (OAuth) can keep tweeting after password rotation — audit regularly.
Critical
Important

GitHub — prevention

GitHub-specific context

  • Mandatory 2FA since March 2023 for everyone who contributes code.
  • Personal Access Tokens (PATs), SSH keys, OAuth grants all survive password change. Audit regularly.
  • GitHub's own docs recommend TOTP-primary + passkey-backup; modern hierarchy (NIST/FIDO) recommends passkey-primary. Use passkey-primary.
Passkey-first
Critical
Important

Steam — prevention

Steam-specific context

  • The Steam Mobile Authenticator is non-negotiable for any account with items / market value. It activates the trade-hold window that lets you reverse hijacked trades.
  • Steam Web API key is the silent persistence vector — audit regularly.
Critical
  • Install Steam Mobile Authenticator
    Activates 0-3 day trade hold window. Without it, items can be traded out instantly by an attacker.
    store.steampowered.com/mobile
  • Strong unique password
Important

Battle.net (Blizzard) — prevention

Battle.net-specific context

  • SMS Protect is the critical hardening. Without it, an attacker can instantly remove your Authenticator. With it, removal requires SMS approval.
Critical

P4 — Browser compartmentalization

Limit blast radius with separate profiles

10 min

Different browser profiles isolate cookies, extensions, and saved logins. A compromised "casual" profile shouldn't expose your banking session. This is the highest-leverage low-effort defense against the modern threat (session cookie theft).

⚠ Honest framing: practitioner consensus, not in government standards yet

NIST, CISA, and NCSC don't formally recommend browser compartmentalization in their consumer guidance. The security practitioner community strongly recommends it. Standards bodies move slowly; the practical security benefit against modern threats is clear.

Browser profiles are NOT a sandbox — malware running on your OS sees all profiles. Profile separation reduces blast radius from compromised SITES, not from compromised devices.

The 3-profile pattern (community consensus)

  1. Profile A — "Trust" (or use a separate browser entirely for these): banking, brokerage, primary email, password manager web access. Minimal extensions. No casual browsing.
  2. Profile B — "Daily": shopping, social, normal browsing. Ad blocker installed.
  3. Profile C — "Casual" (optional): gaming, Discord, sketchy/experimental sites. Treated as throwaway.

Distinct colors and avatars for each profile so you visually know which one you're in. Chrome: Settings → You and Google → Manage profiles.

🔒 For high-value users: dedicated banking device

The strongest form of compartmentalization is hardware separation. A cheap dedicated laptop / iPad / Chromebook used ONLY for banking + investment / crypto — no other browsing, no email, no chat, no random apps. Practitioner consensus for executives, crypto holders, or anyone with significant financial accounts.

P5 — Endpoint hygiene

Co-equal with auth in the modern threat model

15-20 min

No 2FA — including passkeys — protects you if malware on your device exfiltrates an active session cookie. Endpoint hygiene is now co-equal with auth hygiene.

🛑 The single highest-impact behavioral rule

Don't run software you didn't deliberately go looking for. Infostealers reach users overwhelmingly via:

  • Cracked/pirated software ("free Photoshop")
  • Fake browser updates / fake CAPTCHAs ("ClickFix" pattern — paste this into your terminal)
  • YouTube tutorial videos linking to "tools"
  • Game cheats and "free mods" / Minecraft / Roblox tools
  • Malvertised search results for popular software
  • Discord links from "friends" (often compromised accounts)
  • "Free Nitro" / "free crypto" / giveaway links

Krebs' rule for "support" calls: Hang up, look up the official number yourself, call back. Scammers spoof Google / Apple / Microsoft "support" and trigger real recovery prompts on your account.

P6 — Advanced / high-paranoia

For elevated threat profiles

1-3 hours

Optional. For users with elevated targeting risk: executives, journalists, activists, public figures, crypto holders, sysadmins, anyone whose account compromise has outsized consequences.

P7 — Ongoing maintenance

Cadence for staying current

Security posture decays without maintenance. These cadences keep you current without becoming a full-time job.

Monthly (5 min)

  • Review active sessions on Google, Microsoft, primary banking
  • HaveIBeenPwned check for your emails
  • Sign out anything unrecognized on critical accounts
  • Browser extension audit (chrome://extensions etc.)

Quarterly (20 min)

  • Run Google Security Checkup
  • Audit OAuth grants on every major platform
  • Audit Discord Authorized Apps + Connections
  • Audit GitHub PATs, SSH keys, OAuth (if applicable)
  • Verify backup codes are still saved + readable
  • Audit Gmail filters + forwarding rules

Annually (1 hr)

  • Verify Recovery Contacts are still current (Apple, password manager Emergency Access)
  • Rotate hardware key registrations if you have multiple keys
  • Review whether new platforms you use have added passkey support
  • Refresh backup codes (regenerate, print, store)
  • Re-verify recovery email + recovery phone work

Event-triggered

  • After international travel — review sign-in activity for unfamiliar IPs
  • After losing a device — revoke its sessions everywhere
  • After any "new login from X" alert — verify it's you
  • After a friend in your circles gets hacked — increased vigilance period
  • After breach notification (HIBP or platform alert) — rotate affected credentials

P8 — Outdated advice to avoid

If a guide tells you to do these, it's pre-2023 thinking

The standards have changed (NIST SP 800-63B Rev 4, July 2025). Most pre-2023 consumer security guides are partially obsolete.

Outdated advice | Current authoritative position | Source
Change your password every 60/90 days | Rotate only on suspected compromise. Forced rotation drives users to predictable variants. | NIST 800-63B-4
Use uppercase + lowercase + number + symbol | Composition rules PROHIBITED. Length beats complexity. 15+ chars where possible. | NIST 800-63B-4
SMS 2FA is fine for important accounts | SMS is "restricted" — should be paired with risk evaluation. Outdated for high-value. SIM-swap is mainstream. | NIST 800-63B-4, NCSC
Strong password + 2FA = you're safe | No longer sufficient. Session-cookie theft via infostealer bypasses both. Endpoint hygiene now required. | Multiple 2024-2025 infostealer reports; Krebs
Just use Google Authenticator (with default sync) | Default cloud sync turns one compromise into total compromise. Disable sync or use a non-syncing alternative. | Krebs on Security 2024
Security questions add protection | Effectively static passwords. Answers often public via social media. Most modern services have dropped them. | NIST 800-63B since ~2017
Don't write down passwords | A written password in a safe is dramatically better than reuse. Password managers replace the need. | NCSC has explicitly contradicted this for years
Memorize one strong password and reuse it | Unique per account is non-negotiable. Use a manager. | CISA Secure Our World
You only need MFA on important accounts | Reused-password attacks weaponize less-important accounts. MFA everywhere it's offered. | CISA
Your antivirus catches malware | Optimistic. Modern infostealers evade AV for hours-to-days. Behavioral discipline ("don't run unknown EXEs") is the actual defense. | Infostealer reports 2024-2025
Enable Google PM on-device encryption | For typical consumers, don't. No recovery contact mechanism — if you forget your Google password AND lose all signed-in devices, passwords are unrecoverable. | Synthesis from EFF, NCSC silence + Google's own warning

Emergency response mode

Stop. Breathe. Use a clean device.

Work the platforms in priority order. Email FIRST (recovery anchor). Each platform has two branches: "I can log in" (lock-down checklist) or "I'm locked out" (recovery flow).

🛑 Read this first

If the device you're on right now might have malware (downloaded something sketchy, ran a suspicious file, accounts started acting weird) — do NOT use it for recovery. Grab your phone, a friend's laptop, anything else. Changing passwords on a still-infected machine just feeds your new passwords to the attacker.

⏱ Why minutes matter

An attacker who got your session cookie via malware is already logged in as you. Reading your email, changing your recovery info, adding silent forwarding rules. Every minute you wait, the damage spreads.

How to use this card (consensus order across security sources)

  1. Email FIRST — locked-out recovery OR lockdown (it's the recovery anchor)
  2. Other platforms in priority tier order (identity → social → gaming/dev)
  3. Universal cleanup — endpoint, browser, SIM, reverse-lookup
  4. Blast-radius — rotate other passwords in order
  5. Warn social graph — pre-canned templates
  6. Report — FTC, IC3, bank, credit bureaus

Priority 1 — Email

Do FIRST — recovery anchor for everything else

3-10 min

Google / Gmail

Google-specific quirks

  • Changing your password does NOT auto-revoke sessions. Do both.
  • App passwords (16-char) survive password changes. Revoke any you didn't create.
  • Gmail filters can silently delete or forward security alerts.
Start here: run Google Security Checkup. One-stop review that covers ~70% of the lockdown checklist.
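Two items on this card, the quarterly "Audit Gmail filters + forwarding rules" task in P7 and the Google quirk above that filters can silently delete or forward security alerts, come down to the same check. The following is an added example, not code from the card: it inspects filter and auto-forwarding records in the JSON shape Gmail's settings API returns (users.settings.filters.list, users.settings.getAutoForwarding) over constructed sample data, and flags filters that forward, trash, or hide alert-like mail.

```python
"""Audit Gmail filters and auto-forwarding for mailbox persistence. Added example,
not part of the card; input shapes follow Gmail's settings API, sample data is constructed."""
# Gmail encodes "delete" as addLabelIds ["TRASH"], and "skip inbox" / "mark read"
# as removeLabelIds ["INBOX"] / ["UNREAD"].
TRASH, HIDE_LABELS = "TRASH", {"INBOX", "UNREAD"}
# Terms an attacker matches to suppress the mail that would expose the takeover.
ALERT_TERMS = ("security", "alert", "verification", "password",
               "sign-in", "new device", "recovery", "2-step")

def filter_findings(flt):
    """Reasons one filter looks like a persistence hook ([] if it looks benign)."""
    crit, act = flt.get("criteria", {}), flt.get("action", {})
    reasons = []
    if act.get("forward"):
        reasons.append(f"forwards to {act['forward']}")
    if TRASH in act.get("addLabelIds", []):
        reasons.append("deletes matching mail")
    hidden = HIDE_LABELS & set(act.get("removeLabelIds", []))
    if hidden:
        reasons.append("hides matching mail (removes %s)" % ", ".join(sorted(hidden)))
    # Hiding mail is suspicious only if the filter targets alert-like mail;
    # any forward action is reported whatever it matches.
    text = " ".join(str(crit.get(k, "")) for k in ("from", "subject", "query")).lower()
    return reasons if act.get("forward") or any(t in text for t in ALERT_TERMS) else []

def audit(filters, auto_forwarding):
    """Map filter id -> reasons; adds 'autoForwarding' when mailbox-wide forward is on."""
    findings = {}
    for flt in filters:
        reasons = filter_findings(flt)
        if reasons:
            findings[flt["id"]] = reasons
    if auto_forwarding.get("enabled"):
        findings["autoForwarding"] = ["all mail forwarded to %s" % auto_forwarding.get("emailAddress")]
    return findings

# Constructed sample: one benign newsletter filter and two attacker-style filters.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": 'security alert OR "new sign-in"'},
     "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"subject": "verification code"},
     "action": {"forward": "collector@attacker.example", "removeLabelIds": ["INBOX", "UNREAD"]}},
]
SAMPLE_AUTOFWD = {"enabled": True, "emailAddress": "collector@attacker.example"}
if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_FILTERS, SAMPLE_AUTOFWD).items():
        print(key + ": " + "; ".join(reasons))
```

On the sample data the benign newsletter filter is left alone while f2, f3 and the mailbox-wide auto-forward are reported; feed real API output in the same shape to audit a live mailbox.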

Microsoft (Outlook.com / OneDrive / Xbox)

Microsoft-specific quirks

  • "Sign me out everywhere" takes UP TO 24 HOURS and excludes Xbox.
  • App passwords + inbox rules survive password change.

Other platforms — priority tiers

Work top-to-bottom after email is locked

10-20 min

  • Tier 2 — Identity: Apple ID controls iPhone/iPad/Mac + iCloud.
  • Tier 3 — Social (active scam vector): attackers pivot to friend lists within minutes. Discord especially.
  • Tier 4 — Developer & gaming: GitHub PATs survive password change. Gaming items resold fast.

Apple ID / iCloud

Apple-specific quirks

  • Multi-day recovery wait, cannot be shortened. Recovery Key (if you have one) skips the wait.
  • Password change prompts "Sign Out Other Devices" — affirmatively click it.
Important
  • Revoke all app-specific passwords
  • Regenerate Recovery Key (if you use one)

Discord

Discord-specific quirks

  • 🚨 48-HOUR EMAIL REVERSAL WINDOW: if attacker changed your email, Discord emailed your ORIGINAL inbox with a recovery button. Only legit URL: discord.com/wasntme/.
  • After 48h: 2-3 week support ticket. Don't submit duplicates.
Critical
  • Log out all devices (Settings → Devices)
  • Change password (Settings → My Account)
Important
  • Regenerate 2FA + backup codes
  • Audit Authorized Apps + Connections

Instagram

Twitter / X

GitHub

GitHub-specific

  • 🚨 PATs / SSH keys / OAuth apps all survive password change. Revoke all separately.
Steam

Steam-specific

  • 🚨 Steam Web API key is the main persistence vector. Revoke if you didn't create it.
  • Trade hold windows: 3-day (no Mobile Auth) / 15-day (new device).
Battle.net (Blizzard)

Battle.net-specific

  • 🚨 Enable SMS Protect immediately — blocks authenticator removal.
  • WoW characters can be ROLLED BACK. Submit ticket.
Path of Exile

PoE-specific (worst recovery UX)

  • No native 2FA for standalone accounts. Steam-linked accounts inherit Steam Guard.
  • No sessions UI. No anti-hijack trade hold.

Universal cleanup

Endpoint, browser, SIM, reverse-lookup

7-10 min

Blast-radius cleanup

Rotate other passwords in priority order

11-13 min

Warn your social graph

Pre-canned warning templates

14-15 min

After lockdown + cleanup. Use a DIFFERENT channel than the compromised one.

Discord — post in servers / mass DM

PSA: my Discord was compromised earlier today. If you received any DMs from me with crypto offers, "free Nitro," giveaway links, or any external links in the last [TIME PERIOD] — DO NOT CLICK. Those were the attacker, not me. I've secured the account. Sorry for the spam.

Social — Story or post

Heads up — my [Instagram / X] was compromised. If you saw any crypto/investment posts or weird DMs from my account in the last [TIME PERIOD], those weren't from me. I've recovered the account.

Email contacts (high-value)

Subject: My email was compromised — please disregard any unusual messages

Hi,

My email was compromised on [DATE/TIME]. If you received requests for money, urgent requests for sensitive info, or unusual attachments from my address in the last [TIME PERIOD], please disregard. If you took action based on a recent message from me, contact me via [phone/other channel] to verify.
Report

Emergency contacts

When stable:
  • FTC Identity Theft (US). SAVE the PDF before closing.
  • FBI IC3
  • UK Action Fraud. Or 0300 123 2040. Scotland: 101.
  • Equifax Credit Freeze
  • Experian Credit Freeze
  • TransUnion Credit Freeze
  • Your Bank Fraud Line: number on back of card
  • SSA online (US)

What the attacker is doing right now

The post-compromise playbook

  • DMing your contacts with crypto / "free Nitro" / scam links
  • Reading your email for banking, crypto, password-reset paths
  • Setting up email forwarding rules to keep seeing your mail
  • Changing your recovery email + phone to lock you out
  • Removing your 2FA / adding theirs
  • Listing Steam / Discord items on third-party markets
  • Draining browser-extension crypto wallets
  • Selling credentials on Telegram / dark web markets

MFA did not help if it was an infostealer — they rode your live session.

After the dust settles

Next 24-48 hours

Now that the dust has settled — set up prevention

Switch to prevention mode to harden everything you just rebuilt. Set up passkeys, harden endpoint, compartmentalize browsers. So this doesn't happen again.