Passkeys and MFA
Modern account attacks increasingly bypass weak passwords, SMS codes, and push approvals by tricking people into handing over tokens or approving prompts. Prefer passkeys and hardware-backed authenticators wherever they are available, keep recovery paths clean, and treat every login prompt as a sensitive action.
| Done? | Advice | Level | Details |
|---|---|---|---|
| | Enable passkeys on your primary email, password manager, banking, cloud, developer, and social accounts where supported. Passkeys use public-key authentication bound to the real service, which makes ordinary credential phishing much harder than with passwords or SMS codes. | Essential | Impact: High, Effort: Medium |
| | A passkey reduces password use, but many services still keep password login or recovery available. Keep a strong unique password in your password manager until the service lets you fully remove password login. | Essential | Impact: High, Effort: Low |
| | Enroll at least two passkeys or security keys for critical accounts: one daily-use method and one backup stored safely. Test both after enrollment so a lost phone, laptop, or key does not become an account lockout. | Essential | Impact: High, Effort: Medium |
| | For accounts that protect money, infrastructure, identity, or sensitive files, consider FIDO2/WebAuthn security keys. They are especially useful for email, password manager, cloud admin, domain registrar, and developer accounts. | Recommended | Impact: High, Effort: Medium |
| | SMS and email codes are better than no second factor, but they are more exposed to SIM swaps, mailbox compromise, interception, and social engineering. Prefer passkeys, security keys, or app-based authenticator codes. | Recommended | Impact: Medium, Effort: Low |
| | Some phishing attacks ask you to enter a device code on a real Microsoft, Google, or similar login page. Only enter device codes for a login you personally started on a device in front of you. | Essential | Impact: High, Effort: Low |
| | Check active sessions and signed-in devices for your most important accounts. Remove devices you do not recognize, revoke old app passwords, and sign out sessions from lost, sold, or shared devices. | Recommended | Impact: Medium, Effort: Low |
| | Keep a private note of which accounts use passkeys, security keys, authenticator apps, recovery emails, and backup codes. Do not store secrets in the note; store the map so you know what to rotate after a lost phone or suspected compromise. | Optional | Impact: Medium, Effort: Medium |