Security part 1 - Email sign-in
For a good guide to online security, read the Cyber Aware “top tips”.
I needed to break down some of the steps. Here are my own (much longer) notes. If you need more help with the Cyber Aware tips, you might find these useful.
Sign in to your email
Cyber Aware starts with your email account.
Your email account can be used to reset other passwords, for many apps and websites. Your messages also contain personal info.
Avoid locking yourself out
Security is a balancing act. You want to stop criminals from signing in to your email account. At the same time, you don’t want to lock yourself out.
To start with, let’s look at making it easier to sign in - and harder to get locked out.
Your email sign-in may automatically recommend one or more options, as listed below. This would usually happen when you sign in on a new device, or on the website for your email provider.
Using your mobile number as a security contact
Google, Microsoft, and Apple accounts want to use your mobile number, as a security contact. This is very helpful for signing in.
These accounts will confirm what your mobile number is used for, before you enter it. You can read the screen, and control your information.
For example, you might remember your Android phone asking to use your number for Google adverts. However, Google explain this is a separate option in your account.[*]
[*] When you say no to personalised ads, it does not remove your Google security contact(s). Equally, Google does not silently change advertising settings when you add a security contact. It is safe to add your mobile number as a Google “recovery phone”, and for “two-step verification”.
Using a passkey to sign in
Some online accounts may want you to sign in using your fingerprint, face, or lock screen PIN.
This method unlocks a passkey, which is saved on your device. You can save a passkey on more than one device.
Passkeys are a newer, more secure way to sign in. You can only use a passkey on the genuine website (or app) that it was saved for. This protects you from fake sign-in pages, which try to steal your account.
A passkey adds a new option to sign in with. If your account has a password, you can still use the password to sign in, when your passkey is not available.
Certain devices, particularly Apple or Android, might require you to create an online account in order to save passkeys. Your passkey will be stored securely. If you lose all of your devices, passkeys may be harder to recover than, for example, your email account.
Make a recovery sheet for your email
Keep track of each sign-in detail. For example:
- the email address, which you sign in with
- your current password - or the safe place where you recorded it - or a clue to help you remember
- the mobile number linked to the account (if any)
- the device(s) you have saved a passkey on
Grab a pen and paper! You can write down what you use, at the same time as we work through and confirm each sign-in detail. Or you can print my email recovery sheet, and fill in your details.
Keep your recovery sheet in a safe place. I keep mine next to my passport.
Practice your email sign-in
Sign in on the website:
- Open your web browser.
- Open the website for your email provider.
- Click the “Sign in” button, and follow the instructions.
If you are already signed in, do not sign yourself out. Instead, practice your sign-in by opening a private browsing session. Search how to use private browsing on your device / web browser. Examples:
- Microsoft Edge (Windows)
- Safari (iPhone)
- Google Chrome
- Firefox (desktop)
Does your email provider invite you to add a mobile number, or a passkey?
Confirm each sign-in detail on your recovery sheet (above).
If you need to, you can practice the sign-in process more than once. When you want to try again, sign out of your private browsing tabs, and close all of your private windows or private tabs first.
When you use a new private browsing session, your email provider will not remember your device. You may be asked for extra security information.
Find the security settings for your email account
When you are signed in to the website, you can manage the settings for your email account. In the account settings, there will be a section for security. The security section is where you can change your password, and/or other sign-in options.
Have you added a mobile number (and/or a passkey)? Is it possible to add one to your email account?
If you’re not sure, we can find your options using the help pages, or a search engine.
Protect your email account
Now you have found your security settings. Let’s look at protections for your specific account.
- Some email providers prioritize two-step verification (2SV), and expect you to add one or more backup sign-in methods.
- Other providers expect that you are more careful with your password. They do not allow adding as many recovery methods.
Option 1: Two-step verification accounts
This is a key feature of the accounts below. If your email account is not listed here, please skip down to option 2 instead.
- iCloud Mail / Apple account
- Gmail / Google account
- Outlook.com / Microsoft account
These accounts rely heavily on your mobile number. They may also make use of your already signed-in devices.
In some cases, you can recover a lost mobile number. Ask your mobile carrier about this in advance. If you lose your “second step” verification method, you could be blocked from signing back in to your account, even when you have your password.
Let’s make a recovery plan, for when you lose your phone.
1. iCloud Mail / Apple account
Apple accounts are protected using two-factor authentication (2FA). This is required on all new accounts, and to use various Apple features.
When you sign in on a new device, you need to verify using one of your registered Apple devices, or a trusted phone number, as well as your password.
If you can’t sign in, you will need to recover your account. This takes longer - it could be a week or two.
You can reduce how long it takes to recover, if you prepare now. In your account settings, you can add a landline phone number, or a recovery contact who uses an Apple device. In some cases, you can also recover faster if you have added a credit card, or a “primary email address”.
Once you have a recovery plan for your Apple account, make sure you have two-factor authentication turned on. It will be much harder for criminals to steal your account.
Apple have several help pages for security, and recovery. They are linked as references here:
Avoid getting locked out of your Apple account or iCloud
2. Gmail / Google account
Google automatically changes accounts to “2-Step Verification” (2SV). When you sign in on a new device, 2SV requires your registered phone, as well as your password. Or you might use a passkey saved on your phone.
When you lose your phone, how will you sign in on a new device? What can you use as a backup?
Even if 2-Step Verification is disabled, Google requires a “second step” whenever they decide a sign-in attempt is “suspicious”. The best approach is to add multiple backup options, and then make sure 2-Step Verification is turned on.
- Google Help: Avoid getting locked out of your Google Account
- Google Help: Turn on 2-Step Verification
- My notes: Avoid getting locked out of your Google account or Gmail
The “avoid getting locked out” help page has a specific section about 2-Step Verification. It is underneath “Step 2: Set up more ways to sign in”.
3. Outlook.com / Microsoft account
Most Microsoft users have both a computer, and a mobile number. Confirm 1) your computer can sign in using a passkey, and 2) your current mobile number is added in your security settings. Hopefully, you are unlikely to lose both of these at the same time.
- Microsoft Support: Signing in with a passkey
- Microsoft Support: Change the phone number
If you are a phone-only user, ask your mobile carrier what you will need to recover your mobile number, when you lose your phone.
You now have two options to increase security:
- Use an account with no password at all. This prevents some very common attacks.
- Turn on two-step verification. This means that when you sign in on a new device, you need a second step after your password.
Two-step verification protects against a password attack or a phone number attack. With two-step verification, you need both your password and your mobile. This option is recommended by Cyber Aware.
Mobile numbers have become a target for criminals, similar to passwords. They may trick your carrier into transferring your number, or steal the physical SIM card from your phone, if it has one. Microsoft have some protection against this, but it will not work in every case. It is safer to turn on two-step verification.
- Microsoft Support: How to use two-step verification
- Microsoft Support: How to remove (or re-add) your password
- My notes: Avoid getting locked out of your Microsoft account or Outlook.com
Q: Can I avoid linking my mobile number to my Microsoft account?
A: This is not a reliable way to protect your account. The website repeatedly warns you, and then eventually forces you to “make sure you can receive a security code”. The mobile number helps make sure you can receive security alerts.
Q: Can I just use a strong password instead?
A: Microsoft does not trust your password on its own. Most people give the same password to other accounts. The more accounts it is given to, the more likely it is to get stolen. When you sign in to your Microsoft account, they try to match your device and location. However, this does not always work. Sometimes, Microsoft will ask you for additional verification. The best approach is to add multiple backup options, and then strengthen your security as above.
Q: I tried to sign in to Outlook.com, using my favourite web browser. I used my PIN / face / fingerprint, but Microsoft still asked for additional verification. I am already signed in to Windows with my Microsoft account! Why does it not let me sign in?
A: If you have a problem with Outlook.com etc, try using Microsoft Edge browser to sign in first. Also, do not use a private browsing window (Edge InPrivate). If this works, you should now be able to use the passkey in other web browsers. It is annoying, but it worked for me.
Option 2: Use a strong and separate password
If you have turned on two-step verification for your email, skip this section. We can set up a secure password manager, before you set a new email password.
If your email is not protected by two-step verification, we should think about your password now.
Most people have used the same password for more than one thing. This is a problem. Surprisingly often, one of the less secure websites or apps gets hacked, and leaks everyone’s password.
At this point, you have successfully signed in. You should have a sheet with your sign-in details.
If you used the same password for other accounts, change it now. It should be different from any other password. It should not be easy to guess, e.g. from personal information.
Cyber Aware recommends: use three random words.
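If you want to see what “three random words” gives you, here is a small added example (my own illustration, not code from Cyber Aware or from any email provider). It picks the words with the operating system’s secure random number generator, and works out how much guessing strength the result has. The word list below is a short, made-up sample; a real list such as a diceware list has thousands of words, and the strength depends on the list size, so the entropy function is shown with the 7776-word size that diceware lists use.

```python
import math
import secrets

# Constructed sample word list for the demonstration. A real passphrase list
# should be much larger (diceware-style lists contain 7776 words).
WORDS = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "anchor", "bridge", "castle", "desert", "ember", "falcon", "glacier",
]


def three_random_words(wordlist=WORDS, count=3, separator="-"):
    """Return `count` words chosen uniformly at random from `wordlist`.

    secrets.choice uses the OS cryptographic random source, unlike random.choice,
    so the result is not predictable from the time or from earlier picks.
    """
    if len(wordlist) < 2:
        raise ValueError("word list is too small to produce a useful passphrase")
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(list_size, count=3):
    """Bits of entropy when each word is an independent, uniform pick.

    Each word contributes log2(list_size) bits; three words from a 7776-word
    list give about 38.8 bits, which is why the list size matters more than
    the individual words.
    """
    if list_size < 2 or count < 1:
        raise ValueError("need at least two words and one pick")
    return count * math.log2(list_size)


def is_from_wordlist(passphrase, wordlist=WORDS, separator="-"):
    """Check that every word in a passphrase came from the given list."""
    parts = passphrase.split(separator)
    return len(parts) >= 1 and all(part in wordlist for part in parts)


if __name__ == "__main__":
    phrase = three_random_words()
    print("Passphrase:", phrase)
    print("Strength with this sample list: %.1f bits" % passphrase_entropy_bits(len(WORDS)))
    print("Strength with a 7776-word list: %.1f bits" % passphrase_entropy_bits(7776))
```

Run it once to see a passphrase, and note the two strength figures: the short sample list gives far fewer bits than a full list, which is the point of choosing the words from a large list rather than from your own vocabulary.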
Remember to record the new password! Keep your email recovery sheet up to date.
Ultimately, you should use a secure password manager (and/or passkeys!). Even then, an email recovery sheet is still very useful, as an independent backup. Many other accounts will let you sign in (or help recover) using your email.
This option completes the Cyber Aware tip: Use a strong and separate password for your email.