
The best methods to secure all your crypto related accounts (Hardware Security Keys)


by COINS NEWS 51 Views


The problem with account security is that most people will scoff at the effort and measures required as being too difficult and time consuming. I can understand not prioritizing the security of your Neopets account, but when it comes to finance and crypto it's strongly advised to take it seriously. Practicing strong account security can prevent you from losing your funds and save you from identity theft and financial fraud.

From the top:

Get a password manager. And most importantly, make it an offline password manager. This means that it exists on an airgapped device that does not ever connect to the internet. An old laptop running TailsOS is good for this. A good open source password manager for computers is KeepassXC, but others exist. If you find this inconvenient and a step too far, you can keep your password database on your smartphone, but make sure that it's locked down with the appropriate security measures. Smartphones are better at sandboxing, app isolation and protecting clipboard sharing than most users' computer setups. KeepassDX is an open source Android version that is forked from the Keepass tree and comes with good security features.

Let's start with the basics of account security. This goes for securing your current email accounts and any account that you've made with a service on the internet. It's incredibly important that you secure your email accounts as much as possible, as they effectively act as the master key to all your services.

The NIST guidelines for basic password security:

  • Length—8-64 characters are recommended.
  • Character types—Nonstandard characters, such as emoticons, are allowed when possible.
  • Construction—Long passphrases are encouraged. They must not match entries in the prohibited password dictionary.
  • Reset—Required only if the password is compromised or forgotten.
  • Multifactor—Encouraged in all but the least sensitive applications.

The general rule of thumb is that greater uniqueness combined with greater length gives you greater entropy. This should give you a pretty good baseline for account security. Google promotes a feature called Advanced Protection Program that secures your Google account and requires that it can only be logged into using hardware security keys. This mode is encouraged for journalists, high profile people or for anyone who deals with critical services. It is highly recommended to consider this option.
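To make the NIST rules above and the length-times-uniqueness rule of thumb concrete, here is an added example (written for this page, not code from the original post) of a password check that implements those five points and estimates the entropy an attacker faces. The prohibited dictionary is a constructed five-entry stand-in for a real breached-password list, the 33-character punctuation pool is an assumption, and the Diceware list size of 7776 words is the standard one.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Prohibited-password dictionary. Constructed sample for this example; a real
// deployment would load a large list of breached and commonly used passwords.
var prohibited = map[string]bool{
	"password": true, "password1": true, "123456": true, "qwerty": true, "letmein": true,
}

// CheckPassword applies the NIST rules listed above: 8 to 64 characters, any
// character type (counted as Unicode code points, so an emoji is one character,
// not four bytes), no match against the prohibited dictionary, and no
// composition rules such as "must contain a digit and a symbol".
func CheckPassword(pw string) error {
	n := utf8.RuneCountInString(pw)
	if n < 8 {
		return fmt.Errorf("too short: %d characters, minimum is 8", n)
	}
	if n > 64 {
		return fmt.Errorf("too long: %d characters, maximum is 64", n)
	}
	if prohibited[strings.ToLower(pw)] {
		return fmt.Errorf("password appears in the prohibited dictionary")
	}
	return nil
}

// BruteForceBits estimates the work of guessing every combination of the
// character classes present: length * log2(pool size). It is an upper bound;
// a passphrase of dictionary words is guessed word by word (see PassphraseBits).
func BruteForceBits(pw string) float64 {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	pool := 0
	if lower {
		pool += 26
	}
	if upper {
		pool += 26
	}
	if digit {
		pool += 10
	}
	if other {
		pool += 33 // printable ASCII punctuation and space; assumed pool size
	}
	if pool == 0 {
		return 0
	}
	return float64(utf8.RuneCountInString(pw)) * math.Log2(float64(pool))
}

// PassphraseBits is the entropy of `words` words each drawn uniformly at random
// from a list of `listSize` words (7776 for a standard Diceware list).
func PassphraseBits(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

func main() {
	for _, pw := range []string{"qwerty", "Tr0ub4d&3", "correcthorsebatterystaple"} {
		fmt.Printf("%-28q check=%v brute-force bits=%.1f\n", pw, CheckPassword(pw), BruteForceBits(pw))
	}
	fmt.Printf("4 random Diceware words: %.1f bits\n", PassphraseBits(4, 7776))
}
```

The two estimates show why length wins: nine mixed-class characters come out near 59 bits against a brute-force search, while 25 lowercase letters are near 118 bits, and even when the attacker knows those letters are four Diceware words the passphrase still holds about 52 bits, which is why NIST favours long passphrases over short complex passwords.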

But having just an email and a password is not enough in this current digital era. What if the service itself gets compromised beyond your control (as they often are) and your password ends up in a text file dumped onto the internet in multiple places or sold on a dark web marketplace (as they often do)?

Two-Factor Authentication (2FA), or Multi-Factor authentication (MFA)

Here's where we combine our account password with another method of authentication. Effectively a second security door with completely different kinds of locks. Two-Factor auth is when you use one other authentication solution in addition to your password. Multi-Factor takes it a step further and combines multiple factors of different methods.

A good multi-factor solution relies on:

  1. Something you know (e.g., a password that exists in your head, on paper or in a secure password manager).
  2. Something you have (e.g., a smartphone with TOTP or a dedicated hardware security key, like a Yubikey).
  3. Something that is unique to you (e.g., biometrics, such as a unique fingerprint or retinal data).

Here's a rundown of the various methods of 2FA/MFA:

  • SMS 2FA: Do not use this if you can help it (it is vulnerable to SIM hijacking and phishing, and SMS is not an encrypted standard).
  • Email 2FA: Avoid using this as well (it's just as vulnerable to phishing, and emails are not private and not encrypted).
  • Time-based one-time password 2FA (TOTP) via a dedicated smartphone app: The bare minimum, and good, especially for those who can't afford dedicated devices (the downsides are that it's not convenient and is still prone to MITM attacks and phishing).
  • Passkeys: A new initiative backed by Google/Apple that uses biometrics and the secure element in a smartphone as an MFA method. It is also compliant with the FIDO2 standard. Still in the rollout phase, but most people in the future will prefer to use this as it cuts down on phishing. However, there are concerns about privacy and the efficacy of relying on biometrics.

Only use the best MFA methods available to you. For example, it does not make sense to use TOTP or a hardware security key on an account while also leaving SMS 2FA turned on. You are completely negating the security benefits of the better methods this way.

Hardware security keys and their open standards

Here's what we'll be focusing on, as it's the best current method for protecting your Crypto related accounts.

A hardware security key is a dedicated 2FA/MFA device. It can authenticate you with services by using open standards under FIDO2 such as U2F and WebAuthn.

While this is not a strict endorsement, Yubikeys are preferred because they generally meet FIPS/NIST standards and are the most flexible when it comes to protection methods. We're going to be focusing on the ones that offer the best protection. An ideal setup for hardware security keys is following the rule of three for backups:

  1. One main key that you use every day.
  2. A second backup key stored safely in a hidden onsite location.
  3. A third key stored safely in an offsite location.

Enter FIDO2, U2F and WebAuthn

FIDO2 is a set of authentication standards with various technologies and methods. A dedicated hardware key such as a Yubikey, used with services that support the technologies that go with it, such as U2F and WebAuthn, is by far the best solution for securing accounts. It uses public-key cryptography: the private key (stored in the Yubikey and never leaving it) signs a challenge from the service, which the service validates against the matching public key (stored with the service). This method is dedicated, durable, resistant to phishing and is great for privacy. Recent developments in FIDO2 mean that the technology is at the forefront of account security technology.

Hardware security keys utilize various technologies under the FIDO2 standard. Source: https://www.rsaconference.com/library/presentation/usa/2020/how-fido2-and-webauthn-stop-account-takeovers

While a Yubikey can be used passwordless under new FIDO2 standards, it's recommended to use it properly as an MFA device. This requires you to set a PIN (something that you know) in addition to a touch (something that you have) when prompted at the host device. You can also combine this with a TOTP method for backup, although this will weaken your security model.
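The phishing resistance described above comes from what the key signs, not just from the fact that it signs. The following added example (written for this page, not code from the original post or from Yubico) models the FIDO2/WebAuthn login ceremony on both sides: a hardware key that keeps one private key per relying-party ID and a service that issues single-use challenges and checks origin, rpID hash, user presence and the signature. Assumptions: the domains exchange.example and exchange-login.example are placeholders; Ed25519 is used for brevity where most keys default to ES256 (P-256 ECDSA); the authenticator data is reduced to rpID hash plus a flags byte (real authData also carries a signature counter and other fields); and the PIN/touch prompts are represented only by the UV and UP flags.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator stands in for the hardware key: one private key per relying-party ID (the
// site's domain). A key registered for exchange.example is never used for another domain.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a key pair for rpID; only the public half leaves the device.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a[rpID] = priv
	return pub
}

// ClientData mirrors WebAuthn's collectedClientData; the browser, not the page, fills in the
// origin it actually loaded, and the authenticator signs over it.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response. AuthData is sha256(rpID) || flags byte; Signature covers
// AuthData || sha256(ClientData), as in WebAuthn.
type Assertion struct{ AuthData, ClientData, Signature []byte }

func signedMessage(authData, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// Assert signs challenge, origin and rpID hash together after the user touches the key
// (UP flag, bit 0) and enters the PIN (UV flag, bit 2).
func (a Authenticator) Assert(rpID, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, _ := json.Marshal(ClientData{
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05)
	sig := ed25519.Sign(priv, signedMessage(authData, cd))
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

// RelyingParty is the service: it holds only the public key and the outstanding challenges.
type RelyingParty struct {
	RPID, Origin string
	Pub          ed25519.PublicKey
	pending      map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(rpID, origin string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: origin, pending: map[string]bool{}}
}

// NewChallenge issues 32 random bytes that must come back inside a signed assertion.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[base64.RawURLEncoding.EncodeToString(c)] = true
	return c
}

// Verify runs the checks a WebAuthn server performs before accepting a login.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if !rp.pending[cd.Challenge] {
		return fmt.Errorf("unknown or already used challenge (replay)")
	}
	delete(rp.pending, cd.Challenge) // single use
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) != 33 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpID hash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("user presence (touch) not asserted")
	}
	if !ed25519.Verify(rp.Pub, signedMessage(as.AuthData, as.ClientData), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

A login runs as `rp.Pub = auth.Register(rp.RPID)` once, then `as, _ := auth.Assert(rp.RPID, rp.Origin, rp.NewChallenge())` and `rp.Verify(as)`. Contrast this with the TOTP case: a look-alike domain that relays a genuine challenge gets no signature at all, because the browser passes its own domain as the rpID and the key holds no credential for it; even if a tampered client produced one, the origin the browser wrote into ClientData would not match the service's, and the challenge is consumed on first use, so a captured assertion cannot be replayed.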

The downside to hardware security keys is that they are expensive, and setting them up for the first time is inconvenient (you will need to add all two/three of them when setting them up for the first time with a service). While they support these open standards, not all devices are made equal. Another downside is that not every site has rolled out support for FIDO2/WebAuthn, and some sites have inconsistent rules compared to others (will only let you add two keys, will not let you get rid of SMS 2FA, etc.).

Current crypto services that have full support for hardware security keys and FIDO2 are Coinbase, Kraken and Binance. Kraken has a good knowledge base and example of how they integrate hardware security keys along with FIDO2, which you can find at their support page.

You can find a matrix of sites that support FIDO2 standards at dongleauth, which lets you filter by crypto services.

TL;DR:

Bare minimum, you should be securing every account using TOTP 2FA and disabling SMS 2FA. Google Authenticator and Aegis are good for this on Android, while Raivo is recommended for iOS. For best security, consider getting a Yubikey, enrolling your emails in Google's Advanced Protection Program and only using FIDO2 methods where available to log into services.

I hope this was helpful. Stay safe out there!

submitted by /u/lxdr