I bet we all like to believe that your Google account is super secure, especially since we use such detailed and complicated passwords. But in 2019, complicated passwords just aren’t enough.
There are a slew of other measures you should think about putting in place before you can sleep soundly at night. We scrape the surface below.
For the love of… activate 2FA
Two-factor authentication (2FA) is the first thing you should activate when creating a new account on the internet. When it’s enabled, you’ll be asked for your password in addition to a special code sent to you or created by a key generator. Only with this duo can you log in to your accounts.
The system does have its flaws though. For one, using a telephone number to receive 2FA codes has proven pretty dangerous. A SIM swap — where crims can switch your number to a different SIM therefore receiving 2FA codes on your behalf — can leave you, and your super strong password, vulnerable.
However, 2FA by using an authenticator key generating app is the best way to go.
Get a ‘private’ SIM card and phone number and only use it for 2FA
Your phone number has become almost as important as your ID. It’s used for practically everything, from tax returns to your Google 2FA contact. So it would make sense from a privacy and security standpoint to get a SIM card and a phone number that’s only known to you and the site your using 2FA for.
For ease of use, it’s probably best to add a phone number as a backup retrieval method if you ever lock yourself out of your account. So, it’s good practice to ensure that you, and only you, know that phone number.
This will also ensure that if your active, everyday number is stolen, no one can gain access to your Google account. They’ll need to know your “private” number to receive 2FA code backups.
Additionally, you needn’t keep this SIM card in your daily driver or any other phone. Rather, stash it somewhere safe in your house for when you really need it.
Buy a physical security keys
Codes and cloud sync are convenient, but what about an actual hardware solution that only you can physically access?
If you happen to get hold of an actual security key — a physical thumbstick that can be used to authenticate your logins — you’re even better prepared. This is especially useful if you frequent internet cafes.
But, you’ll need to remember to bring your security key along. Not having it with you means you won’t be able to login to your accounts. Of course, if your security key is lost or stolen, you may run into a few problems. Pros and cons, really.
Encrypt important, less-used Google Drive files
Any file that you don’t explicitly need to access daily, and that you hold dear, should be locked away in an excrypted vault or zip file. This is true for Google Drive, Dropbox, or any other cloud storage service.
This includes things like scans of your ID, tax files, medical documents, and any other personally identifying information.
It’s easier done from your PC, by using an app like 7-Zip to encrypt your files, zip them, and then upload them. But on your phone, it could prove a bit difficult.
Unfortunately, there’s no version of 7-Zip for Android, but the likes of ZArchiver is an excellent choice for mobile encryption and decryption.
Enable Google Prompts
Some have suggested that Google Prompts aren’t too secure, but I find them a useful buffer between your password and access to your account.
While Google Prompts allow simple access to new devices by sending a login prompt to your Android phone — thus allowing you to confirm or deny the new login session — it also acts as an alert.
If you deny a prompt, that device will effectively not be allowed to login.
Of course, you can also decide to use a 2FA code and forego the prompts entirely, but it works for me.
Don’t forget account recovery
We’ve mentioned losing your security key or smartphone above, and this is where good account recovery practices come in.
When signing up for 2FA, Google will provide you with a number of unlock codes should you not have access to your code generator or security key.
Print these — yes, on paper — and store them in your home.
And if you simply have to have them on your person at all times, encrypt them in a zip folder and upload them to Google Drive.
Use a burner browser on desktop and mobile
Seriously, this is so important.
We see so many users logging in to their social media accounts on a browser like Chrome, while browsing other content during that same session.
It’s how Facebook and Google knows how to push custom ads onto you via apps and web pages.
And yes, we’d recommend having more than one browser installed on your phone too: one for serious browsing, and the other as a privacy or burner browser.
On desktop, if you have to use Chrome, create a different user, and use it as your burner browsing profile.
Don’t log into Chrome, or don’t forget to log out
And speaking of Chrome, it’s always a great idea to resist logging in to Google via Chrome. This is especially true if you’re not looking to use your Chrome installation as a dedicated Google Services-only browser or if you share your computer with the rest of the family, colleagues, or lab mates.
While Chrome will, annoyingly, log you in to the browser itself when logging in to Google services, remember to log out when you leave your PC.
For end users, online security needs to traipse the fine line between privacy and convenience. If you don’t want anything of yours to be accessible to anyone on the internet, keep it off the internet. But sometimes, that’s just inconvenient, especially if you’re only intent on living your life and not leaking classified government documents.
The key to good online security is layers. The more steps you have between your account and potential intruders, the harder it is to access. This goes for your sneaky little brother or professional hackerman number twelve.