Lock Down the Accounts You Keep: A Technical Guide to Two-Step Verification, Password Managers, and Permission Audits
You'll keep more accounts than you expect — so make each one genuinely difficult to break into. Here's the full technical setup, explained step by step.

Across this series so far, you've audited your exposure (Part 1), removed yourself from data broker sites (Part 2), configured private browsing (Part 3), and split your identity across separate emails, numbers, and usernames (Part 4).
By now, you've probably realized you're keeping more accounts than you originally expected — and that's completely normal; full deletion was never really the goal. What matters now is making each of those remaining accounts genuinely difficult for anyone else to access.
This part walks through the three technical habits that, together, stop the overwhelming majority of real-world account break-ins — plus a fourth, less-discussed step: securing your account recovery methods, which is often the weakest link of all.
Step 1: Set up two-step verification correctly
Two-step verification (sometimes called two-factor authentication, or 2FA) means logging in requires both your password and a second proof that it's really you — most often a short-lived code that is sent to, or generated on, a device you hold.
Here's the detail most guides leave out: not all forms of two-step verification offer the same level of protection, and the difference matters.
Text message codes are better than nothing, but they depend on your mobile network. If someone gathers enough of your personal information — much of which, before this series, may have been sitting in data broker listings — they can sometimes convince a mobile carrier to transfer your number to a device they control. This is a real, documented attack method, and once it succeeds, every text-based code goes straight to them instead of you.
Authenticator apps (such as Google Authenticator, Aegis, or similar) generate codes directly on your device, using a secret key exchanged once during setup. They never touch the mobile network at all, which removes that entire attack path.
Hardware security keys — small physical devices you plug in or tap to confirm a login — offer the strongest protection currently available to individuals, because they require physical possession of the specific device. They're most worth considering for your single most important account (typically your main email, since it's usually the recovery point for everything else).
To set this up technically:
Go through the accounts on your priority list from Part 1 — starting with email, banking, and anything tied to payments.
In each account's security settings, locate the two-step verification option (often listed under "Security," "Login & Recovery," or "Two-Factor Authentication").
Where the option exists, switch from text-message codes to an authenticator app: this typically involves scanning a QR code with the app, then entering a generated code once to confirm the link.
Save the backup codes provided during setup. Every major service generates a set of one-time recovery codes when you enable two-step verification — store these somewhere safe and separate from your phone (your password manager's secure notes feature is ideal), since losing access to your authenticator app without them can lock you out of your own account.
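As an added illustration (not code from the original guide), here is the arithmetic an authenticator app and the service share: the secret exchanged once via the QR code, the 30-second counter, the HMAC truncation, the service's check with clock-drift tolerance, and a backup-code generator. The issuer and account names are constructed, and the backup-code format is my own assumption rather than any particular service's.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): the counter is the clock divided into 30-second steps,
    so the code is computed locally and never crosses the phone network."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """What the service does with the code you type: accept the current step or
    `window` neighbouring steps (clock drift), comparing in constant time."""
    now = int(time.time()) if at_time is None else at_time
    candidates = (totp(secret, now + d * step, step) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def new_secret() -> str:
    """The base32 secret a service generates at enrolment (160 random bits)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def enrolment_uri(issuer: str, account: str, secret_b32: str) -> str:
    """What the setup QR code encodes: the otpauth:// URI the authenticator app scans."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def new_backup_codes(count: int = 10) -> list:
    """One-time recovery codes to store away from the phone (format is my own choice)."""
    return [f"{secrets.randbelow(10 ** 5):05d}-{secrets.randbelow(10 ** 5):05d}"
            for _ in range(count)]
```

The test values below come from the RFC 4226/6238 reference secret, so you can confirm the implementation against the published vectors.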
Step 2: Set up a password manager and eliminate reused passwords
Reusing the same password across multiple accounts is one of the single biggest reasons accounts get broken into — not because attackers are guessing passwords one by one, but because once any one site is breached, attackers automatically try that same password against thousands of other services. This is called "credential stuffing," and it's almost entirely automated; it succeeds purely because so many people reuse passwords.
A password manager solves this directly by generating a unique, random, complex password for every single account, and remembering all of them for you — so the only password you ever need to actually remember is the one that unlocks the manager itself.
To set this up:
Install a reputable password manager, such as Bitwarden, and create a strong master password — a memorable sentence or phrase with some personal substitutions tends to be both stronger and easier to recall than a short string of random characters.
Enable two-step verification on the password manager itself — this is the one account where it matters more than anywhere else, since it holds the keys to everything.
Go through your account list from Part 1, and for each one: log in, navigate to the password or security settings, and replace the existing password with one generated by your manager (most managers include a built-in generator and can save the new password automatically as you create it).
Set the manager's browser extension to auto-fill logins, which both saves time and acts as a subtle security check — a manager that's properly configured won't auto-fill your credentials on a lookalike phishing site, because the web address won't match what it has stored.
Within a few weeks of steady use, this becomes faster than typing passwords ever was — and it permanently closes off the most common pathway into a compromised account.
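Added example, not part of the original guide: a manager-style password generator, the host-matching rule behind the auto-fill behaviour described above (fill only when the page's address matches the stored one), and a reused-password finder run over a constructed vault. The site names and passwords are constructed.

```python
import secrets
import string
from collections import defaultdict
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault {site: password}; two sites share "hunter2".
SAMPLE_VAULT = {
    "bank.example": "hunter2",
    "shop.example": "hunter2",
    "mail.example": "q7!Vx#9pLm2@RtZ1$cWe",
}


def generate_password(length: int = 20) -> str:
    """Unique random password from the OS CSPRNG, as a manager's generator does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def should_autofill(stored_url: str, current_url: str) -> bool:
    """Fill only when the page's host exactly equals the host saved with the credential
    and the page is HTTPS. Lookalike hosts, extra suffixes and user@host tricks all fail."""
    stored, current = urlsplit(stored_url), urlsplit(current_url)
    if current.scheme != "https" or not stored.hostname or not current.hostname:
        return False
    return stored.hostname.lower() == current.hostname.lower()


def find_reused(vault: dict) -> dict:
    """Return {password: [sites]} for every password used on more than one site,
    i.e. the entries to rotate first when eliminating reuse."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}
```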
Step 3: Audit and lock down your account recovery options
This is the step almost no privacy guide covers in any depth — and it's frequently the actual weak point, even on accounts that otherwise look well-secured. Account recovery exists to help you regain access if you're ever locked out, but it's also, by definition, a deliberate backdoor — and attackers know this just as well as you do.
To check and tighten this on your important accounts:
Review the recovery email and recovery phone number listed on each account. Make sure the recovery email isn't an old, abandoned address you no longer control — that's a surprisingly common and serious gap, especially on accounts that are years old.
Reconsider security questions, where they're still used. Answers like "mother's maiden name" or "city you were born in" are often genuinely discoverable through the exact kind of public records and data broker listings you addressed in Part 2. Where the service allows it, treat these as an additional password field instead — enter a random, unrelated answer, and store it in your password manager's notes for that account.
Check the list of devices and active sessions currently logged into each important account (usually found under "Security" or "Devices"). Sign out of anything you don't recognize or no longer use — old phones, shared computers, browser sessions from years ago.
Step 4: Review what your apps and connected services can actually access
Every few months, go through the permissions granted to the apps installed on your phone, and the third-party apps and services connected to your social media and email accounts.
To do this properly:
On your phone, open the privacy or permissions section of your settings, and go through each permission category — location, contacts, microphone, camera, storage — checking which apps have access and whether each one genuinely needs it to function.
On your social media and email accounts, look for a section typically labeled "connected apps," "third-party access," or "apps and websites" within the security settings, and review what's listed. It's common to find services you signed into years ago, using permissions you never thought about at the time, that still have standing access to your account.
Revoke anything you don't recognize, no longer use, or can't justify. In nearly all cases, this has no effect on the apps or services you actually still use — you can always re-grant access later if something genuinely needs it.
Why these four steps matter more than anything more advanced
None of this requires specialized technical skill or expensive tools — and that's exactly the point. This is the digital equivalent of locking your front door and not leaving a spare key under the mat: simple, unglamorous, and the actual reason the overwhelming majority of casual attempts to access an account fail before they even properly begin. Sophisticated, targeted attacks against ordinary individuals are genuinely rare. Weak, reused passwords, unsecured recovery options, and forgotten app permissions are extremely common — and these four steps remove nearly all of that risk in one pass.
Coming up in Part 6
You now have a private browsing setup, a compartmentalized identity, and accounts that are genuinely difficult to break into. The final part of this series brings everything together — helping you choose the right privacy tools for your specific situation, instead of collecting tools based on marketing claims that don't actually match the problems you have.