Security part 1 - Email sign-in
For a good guide to online security, read the Cyber Aware “top tips”.
I needed to break down some of the steps. Here are my own (somewhat longer) notes. If you need more help with the Cyber Aware tips, you might find these useful.
Your email sign-in
Cyber Aware starts with your email account.
Your email is important. It can be used to reset passwords on many other apps and websites. Your messages also contain personal info.
Avoid locking yourself out
Security is a balancing act. You want to stop criminals from signing in to your email account. At the same time, you don’t want to lock yourself out.
To start with, let’s look at making it easier to sign in – and harder to get locked out.
Your email provider may automatically suggest one or more options, as described below. These suggestions are usually shown when you sign in on a new device, or on the website for your email provider.
Using your mobile number as a security contact
Apple and Google accounts want to use your mobile number, as a security contact. This is very helpful for signing in.
These accounts will confirm what your mobile number is used for, before you enter it. You can read the screen, and control how they use your number.
For example, an Android phone may have asked to use your number for Google adverts. However, as Google explain, this is a separate option in your account.
You can add a security contact in your Google account, without changing advertising settings. Equally, when you turn off personalised ads, it does not remove your Google security contact(s). It is safe to add your mobile number as a Google “recovery phone”, and for “two-step verification”.
Using a passkey to sign in
Some online accounts want you to sign in using your fingerprint, face, or lock screen PIN.
This method unlocks a passkey, which is saved on your device. You can save a passkey on more than one device.
Passkeys are a newer, more secure way to sign in. You can only use a passkey on the genuine website (or app) that it was saved for. This protects you from fake sign-in pages, which try to steal your account.
Adding a passkey does not remove other sign-in options. For an important account, it is best to add as many options as possible to verify your identity.
Apple and Android devices make it easy to save passkeys. They also back up passkeys to your Apple or Google account – encrypted using your lock screen PIN. Passkeys can be synchronized between Apple devices, or between Android and other devices using Google Chrome.
At this point in the process, we don’t need to save passkeys on other devices. Other devices might need an extra step to set up, or might not support passkeys at all.
Writing down your password (and other details)
Keep track of each sign-in detail. For example:
- the email address, which you sign in with.
- your current password – or the safe place where you recorded it – or a clue to help you remember.
- the mobile number linked to the account (if any).
- the device(s) you have saved a passkey on.
Grab a pen and paper! You can write down what you use, at the same time as we work through and confirm each sign-in detail. Or you can print my email recovery sheet, and fill in your details.
Keep your recovery sheet in a safe place. I keep mine next to my passport.
Practice your email sign-in
Now sign in on the website:
- Open your web browser.
- Open the website for your email provider.
- Tap “Sign in” or “Log in”, and follow the instructions.
If you are already signed in, do not sign yourself out. Instead, practice your sign-in by opening a private browsing session. Search how to use private browsing on your device and web browser. For example:
If you do not have your original security info, go through the sign-in process and look for options to reset your password and/or recover your account.
Confirm each sign-in detail you use on your recovery sheet (above).
Does this process invite you to add a mobile number? Or save a passkey on your Apple or Android device?
If you need to, you can practice the sign-in process more than once. When you want to try it again, sign out of your private browsing tabs, and close all of your private windows or private tabs first.
When you use a new private browsing session, your email provider will not remember your device. You may be asked for extra security information.
Find the security settings for your email account
When you are signed in to the website, you can manage the settings for your email account. In the account settings, there should be a section for security. The security section is where you can change your password, and/or other sign-in options.
Have you added a mobile number (and/or a passkey)? Is it possible to add one to your email account?
If you’re not sure, we can find your options using the help pages, or a search engine.
Protect your email account
Now you have access to your security settings. Let’s look at protections for your specific account.
Option 1: Two-step verification
Two-step verification is a key feature of the accounts below. If your email account is not listed here, please skip down to option 2 instead.
- iCloud Mail / Apple account
- Gmail / Google account
- Outlook.com / Microsoft account
These accounts rely heavily on a mobile phone. They might also be able to use another signed-in device.
We should have a recovery plan, for when your phone is lost or broken.
1. iCloud Mail / Apple account
Apple accounts are protected using two-factor authentication (2FA). This is required on all new accounts, and to use various Apple features.
When you sign in on a new device, you need to verify using one of your registered Apple devices, or a registered phone number, as well as your password.
You can add multiple Apple devices and phone numbers. For example, you can add an iPad, a MacBook, and a landline phone number.
Note that an iPad or iPhone can only be linked to one Apple account.
If you lose access to all your “trusted” devices and phone numbers, you will need to recover your account. This takes longer – it could be a week or two.
Once you understand how account recovery will work, make sure you have two-factor authentication turned on. It will be much harder for criminals to steal your account.
Apple have several help pages for security, and recovery. These are linked as references in my notes here: Avoid getting locked out of your Apple account or iCloud
2. Gmail / Google account
Google likes to automatically change your account to “2-Step Verification” (2SV). When you sign in on a new device, 2SV requires your registered phone, as well as your password. Or you might use a passkey saved on your phone.
When you lose your phone, how will you sign in on a new device? What can you use as a backup?
Even if 2-Step Verification is turned off, Google requires a “second step” whenever they decide a sign-in attempt is “suspicious”. The best approach is to work out a recovery plan, and then make sure 2-Step Verification is turned on.
- Google Help: Turn on 2-Step Verification
- Google Help: Avoid getting locked out of your Google Account
- My notes: Avoid getting locked out of your Google account or Gmail
3. Outlook.com / Microsoft account
In order to turn on two-step verification for a Microsoft account, you need an alternative contact method.
Contact info is also required to use various basic security features.
As of 2026, Microsoft tell you to add a “verified email”, which is separate from your Outlook.com account. They are phasing out the use of phone numbers.
Microsoft already removed the official method to update your phone number. For the moment, you may be able to use your current mobile number, as one of your backup methods.
- Reference: Microsoft to stop sending SMS codes for personal accounts
- My notes: Do Microsoft accounts require a recovery email address or a mobile number?
What can you use as your recovery email address?
You could create a new Gmail account, for free. Or, you can add a Gmail address to an existing Google account. Many people already have a Google account, e.g. because they use an Android phone.
If you use an iPhone, you could create an iCloud Mail address.
Once you have an alternative email address you can add, or to verify your current contact info, see:
Now the simplest way to proceed is to go back to the beginning, and secure your other email account.
In the steps after that, we can create recovery and security plans for a password manager, passkeys, etc. This will make it simpler to manage all your accounts, passwords, and options for two-step verification.
If you have made your recovery plans now, there are two options to secure your Microsoft account:
- Cyber Aware says to turn on two-step verification, following the Microsoft guide:
  How to use two-step verification with your Microsoft account - Microsoft Support
- Microsoft says you could “increase the security of your account by removing your password and signing in with a passwordless method instead.”
  If your sign-in settings currently show a password, you will need to install the Microsoft Authenticator app on your phone, before you can go passwordless:
  How to go passwordless with your Microsoft account - Microsoft Support
Either option would be a great improvement, because both reduce the risk of stolen passwords.
If you use both options, you will need to take extra care. It will make it harder to sign in, and easier to get locked out.
If your recovery plan relies heavily on a mobile number, you should ask your mobile carrier what you will need to recover the phone number, before you lose your phone.
Option 2: Use a strong and separate password
If you have turned on two-step verification for your email, skip this section. We can set up a secure password manager first, and then set a new email password.
If your email is not protected by two-step verification, we should think about your password now.
Most people have used the same password for more than one thing. This is a problem. Surprisingly often, one of the less secure websites or apps gets hacked, and leaks everyone’s password.
At this point, you have successfully signed in. You should have a sheet with your sign-in details written on it.
If you used the same password for other accounts, change it now. It should be different from any other password. It should not be easy to guess, e.g. from personal information.
Cyber Aware recommends: use three random words.
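The “three random words” advice can be shown as a small generator, with a check of how hard the result is to guess and a check that it avoids your own personal details. This is an added example, not part of the Cyber Aware guide or of these notes; the word list is a constructed sample (a real list should have thousands of words) and the function names are my own.

```python
import math
import secrets

# Constructed sample word list. A real list must be far larger: three words
# drawn from eight give only 9 bits of strength, as entropy_bits() shows.
SAMPLE_WORDS = ["apple", "river", "cloud", "stone", "tiger", "piano", "north", "candle"]


def three_random_words(words, count=3, sep="-"):
    """Pick `count` words with the OS random source (secrets), never random.choice."""
    if len(words) < count:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count=3):
    """Strength of `count` words drawn independently from `list_size` candidates.

    Each word adds log2(list_size) bits, so the total is count * log2(list_size).
    """
    return count * math.log2(list_size)


def is_strong_enough(list_size, count=3, minimum_bits=40):
    """True when the list is big enough that the password is not easy to guess."""
    return entropy_bits(list_size, count) >= minimum_bits


def avoids_personal_info(password, personal_terms):
    """False if any personal detail (pet name, birth year...) appears in the password."""
    lowered = password.lower()
    return not any(term.lower() in lowered for term in personal_terms)


if __name__ == "__main__":
    pw = three_random_words(SAMPLE_WORDS)
    print(pw, "strength:", entropy_bits(len(SAMPLE_WORDS)), "bits")
```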
Remember to record the new password! Keep your email recovery sheet up to date.
Ultimately, you should use a secure password manager (and/or passkeys!). Even then, an email recovery sheet is still very useful, as an independent backup. Many other accounts will let you sign in (or help recover) using your email.
This option completes the Cyber Aware tip: Use a strong and separate password for your email.