
The Personal Infosec & Security Checklist

submitted by
Style Pass
2021-07-13 21:30:03

Doing the basics goes a long way in keeping your personal accounts secure. This first edition, started July 2021, of the Personal Infosec & Security Checklist provides actionable security best practices anyone can use to harden their security posture. The list is far from exhaustive and incomplete by nature: the security you need depends on your own risks and threats.

For example, if you use Google, turn on "Advanced Protection", which requires hardware security keys for sign-in and enables a number of other security-sensitive settings.

Use MFA/2FA everywhere possible. Prefer a hardware security key over an authenticator app. Hardware keys are now supported by a wide variety of services, including Dropbox, GitLab, Epic Games, Coinbase, domain registrars and cloud providers. Where an app is the only option, use a reputable authenticator app such as Google Authenticator or Authy. Avoid SMS both for MFA/2FA and as an account recovery channel (see the SIM takeover precautions below). Enable MFA/2FA on every account, not just a chosen few: a compromised low-value account is often the path to a high-value one, and that kind of lateral account takeover is not always immediately obvious. Register a second device or method as a backup in case the primary is lost or destroyed, and keep the generated backup codes somewhere safe.
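As an added example (not part of the original checklist), the following Python shows what an authenticator app and the service behind it actually do. A TOTP code (RFC 6238, the scheme Google Authenticator and Authy implement) is an HMAC over a shared secret and the current 30-second time step, so anyone who holds that secret can mint valid codes; that is why the setup QR code or text key deserves the same care as a password. The verifier side shows two checks a practitioner wants: a small time window to tolerate clock drift, and a replay guard so a code that was observed is not accepted twice. The second half shows one reasonable way to handle backup codes: generated randomly, shown once, stored only as hashes, and consumed on first use. The secret and timestamps in the demo are the RFC 6238 test vector; the backup-code layout (ten 16-hex-character codes, SHA-256 storage) is an illustrative assumption, not any particular service's scheme. Standard library only.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


# --- TOTP (RFC 6238), the algorithm behind Google Authenticator / Authy codes ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time divided by the step size."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Setup keys shown in QR codes are Base32; strip spaces, upper-case and re-pad before decoding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Service-side check: accept codes within +/- `window` steps of now, but never accept
    a time step at or before one already used (blocks replay of an intercepted code)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, at: int) -> bool:
        code = code.strip()
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) has already been consumed
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_accepted_step = candidate
                return True
        return False


# --- Backup codes: random, shown once, stored only as hashes, single use (illustrative scheme) ---

def generate_backup_codes(n: int = 10, nbytes: int = 8):
    """Return (plaintext codes to display once, set of hashes to persist).
    A fast hash is acceptable here only because the codes are 64-bit random values,
    not human-chosen passwords; the plaintext is never stored."""
    codes = [secrets.token_hex(nbytes) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, code: str) -> bool:
    """Consume a backup code; redeeming the same code a second time fails."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890" in ASCII), Base32-encoded as an app would receive it
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59 (RFC 6238 vector):", totp(secret, 59))
    print("current code:", totp(secret, int(time.time())))
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
    codes, stored = generate_backup_codes()
    print("backup code redeemed:", redeem_backup_code(stored, codes[0]))
    print("same code again:", redeem_backup_code(stored, codes[0]))
```

Two things follow from the code that the checklist states as advice: the shared secret is the whole security of the app-based factor, so a leaked QR screenshot is a leaked second factor; and backup codes only stay single-use if the service deletes the hash on redemption, which is why a used code should never be reused or handed out twice.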

Many services require a phone number at sign-up and then use it as an account recovery channel. SIM takeover (SIM-swap) attacks remain prevalent, so many services now let you disable phone/SMS as a recovery channel; do so wherever it is offered. Keep your recovery codes, and any linked accounts used for recovery, as well protected as the account itself.
