Lockstep

Passkeys and MFA

Modern account attacks increasingly bypass weak passwords, SMS codes, and push approvals by tricking people into handing over tokens or approving prompts. Prefer passkeys and hardware-backed authenticators wherever they are available, keep recovery paths clean, and treat every login prompt as a sensitive action.

Essential (Impact: High, Effort: Medium)

Enable passkeys on your primary email, password manager, banking, cloud, developer, and social accounts where supported. Passkeys use public-key authentication bound to the real service, which makes ordinary credential phishing much harder than with passwords or SMS codes.

Essential (Impact: High, Effort: Low)

A passkey reduces password use, but many services still keep password login or recovery available. Keep a strong unique password in your password manager until the service lets you fully remove password login.

Essential (Impact: High, Effort: Medium)

Enroll at least two passkeys or security keys for critical accounts: one daily-use method and one backup stored safely. Test both after enrollment so a lost phone, laptop, or key does not become an account lockout.

Recommended (Impact: High, Effort: Medium)

For accounts that protect money, infrastructure, identity, or sensitive files, consider FIDO2/WebAuthn security keys. They are especially useful for email, password manager, cloud admin, domain registrar, and developer accounts.

Recommended (Impact: Medium, Effort: Low)

SMS and email codes are better than no second factor, but they are more exposed to SIM swaps, mailbox compromise, interception, and social engineering. Prefer passkeys, security keys, or app-based authenticator codes.

Essential (Impact: High, Effort: Low)

Some phishing attacks ask you to enter a device code on a real Microsoft, Google, or similar login page. Only enter device codes for a login you personally started on a device in front of you.

Recommended (Impact: Medium, Effort: Low)

Check active sessions and signed-in devices for your most important accounts. Remove devices you do not recognize, revoke old app passwords, and sign out sessions from lost, sold, or shared devices.

Optional (Impact: Medium, Effort: Medium)

Keep a private note of which accounts use passkeys, security keys, authenticator apps, recovery emails, and backup codes. Do not store secrets in the note; store the map so you know what to rotate after a lost phone or suspected compromise.