Practical money news for everyday Americans

The Money Front

Social Security · Medicare · Taxes · Banking · Cost of Living

Two-Factor Logins: Which Accounts to Lock Down First

A person holding a smartphone
A person using a smartphone. Photo: Océanos y dados / Wikimedia Commons (CC0).

Your password is probably already out there. Between years of data breaches and phishing campaigns, it is safest to assume that at least one password you use has been exposed, copied and offered for sale. What stands between a leaked password and a drained account is often one thing: a second login step that a thief cannot complete.

That second step is multifactor authentication, usually shortened to MFA or called two-factor login. The Cybersecurity and Infrastructure Security Agency, the federal government’s civilian cyber defense agency, urges everyone to turn on MFA for every account that offers it, because even a compromised password is not enough for an intruder who cannot supply the code, app approval or fingerprint the account demands. The practical question for a busy person is not whether to do it but where to start. Here is a sensible order of operations.

Start with email: it is the master key

If a criminal controls your email, they can reset the password on nearly everything else you own, because “forgot password” links land in your inbox. CISA’s guidance specifically recommends checking whether your email accounts, banks and healthcare providers offer MFA and enabling it as a default. The agency’s More than a Password campaign makes the same point: accounts are linked, and one weak entry point can cascade into all the others. Lock the inbox first and every later step gets stronger.

Then the money: banks, cards, retirement and tax accounts

Next come the accounts where a takeover costs actual dollars: bank and credit union logins, credit card portals, brokerage and retirement accounts, payment apps, and your IRS online account. CISA lists banking information and online purchases among the things MFA protects, and financial institutions almost universally offer at least a text-message code. While you are in the settings, make sure the phone number and recovery email on file are current, since those channels are how the second factor reaches you.

Then everything that can impersonate you

Social media and shopping accounts rank third, not because they hold money but because they hold your identity. A hijacked social account becomes a tool for scamming your friends and family; a hijacked shopping account has your card on file and your address. CISA’s consumer guidance tells the story of exactly that chain reaction: one compromised email led to fake posts, changed passwords and unauthorized purchases across linked accounts. Enable MFA on any account that stores a payment method or that people would trust messages from.

Pick the strongest second factor you will actually use

MFA comes in several forms, and CISA describes the common options: a numeric code sent by text or email, an authenticator app that generates a fresh code every 30 seconds, and biometrics such as a fingerprint or face scan. Any of them is far better than a password alone. Among them, authenticator apps and physical security keys resist more attacks than text messages, since a texted code can be phished or intercepted, which is why CISA points users who want the strongest protection toward phishing-resistant MFA. The rule of thumb: use the app or a key where offered, and use text codes where that is all the account supports.

Turning it on is rarely more than a few minutes per account. The setting typically lives under Account Settings or Settings and Privacy, under a name like two-factor authentication or two-step verification. Do a handful of accounts per evening and the whole list is done within a week.

Know the one trick that beats MFA

MFA fails mostly when the owner is talked into defeating it. A scammer who already has your password will trigger a login and then call or text you, posing as your bank, asking you to read back the code that just arrived. Never share a login code with anyone, no matter who they claim to be; the code is the key, and the only party who ever needs it is the login screen in front of you. The same discipline applies to unexpected push notifications asking you to approve a sign-in you did not attempt: deny them, then change that password. CISA’s companion guidance on recognizing and reporting phishing covers the warning signs.

A 30-minute weekend project

Here is the whole plan in one list. First, turn on MFA for your primary email account today, using an authenticator app if offered. Second, do your bank, card, retirement and tax accounts. Third, do social media and any store that keeps a card on file. Fourth, prefer app-based codes or security keys over text where you have the choice. Fifth, treat any request to share a code as a scam, full stop.

None of this requires technical skill, new hardware or money. It is configuration, not wizardry, and it converts the most common attack on ordinary people, the reused or stolen password, into a dead end. Few half-hour projects in personal finance protect as many dollars as this one.


Comments

Leave a Reply

Your email address will not be published. Required fields are marked *