
You can get a Microsoft Account for free, but that doesn't begin to describe its value, especially if you use that account for crucial email and cloud storage. Follow these seven steps to establish a solid baseline of security and protect that account from intruders.

What's your most valuable online account, the one most deserving of protection? If you use a Microsoft account to sign in to a Windows PC, that account and its associated email address should be the one you guard most jealously. That's especially true if you use that Microsoft account for OneDrive storage and Office 365 documents.

In this post, I list seven steps you can take to help you lock that account down so it's safe from online attacks. As always, there's a balancing act between convenience and security, so I've divided the steps into three groups, based on how tightly you want to lock down your Microsoft account.

(It's worth noting that this article is about consumer Microsoft accounts used with Home and Personal editions of Office 365, Microsoft 365, and OneDrive. Security settings for business and enterprise Microsoft 365 accounts are managed by domain administrators through Azure Active Directory, using a completely different set of tools.)

Baseline Security is sufficient for most ordinary PC users, especially those who don't use their Microsoft email address as a primary factor for signing in to other sites. If you're helping a friend or relative who's technically unsophisticated and intimidated by passwords, this is a good option. At a minimum, you should create a strong password for your Microsoft account, one that's not used by any other account. In addition, you should turn on two-step verification (Microsoft's term for multi-factor authentication) to protect yourself from phishing and other forms of password theft.
When that feature is enabled, you have to supply additional proof of your identity when you sign in for the first time on a new device or when you perform a high-risk activity, such as paying for an online purchase. The additional verification typically consists of a code sent as an SMS text message to a trusted device or in an email message to a registered alternate account.

Baseline precautions are adequate, but you can tighten security significantly with a couple of extra steps. First, install the Microsoft Authenticator app on your iPhone or Android device and set it up for use as a sign-in and verification option. Then remove the option for using SMS text messages to verify your identity. With that configuration, you can still use your mobile phone as an authentication factor, but a would-be attacker won't be able to intercept text messages or spoof your phone number.

For the most extreme security, add at least one physical hardware key along with the Microsoft Authenticator app and, optionally, remove email addresses as a backup verification factor. That configuration places significant roadblocks in the way of even the most determined attacker. It requires an extra investment in hardware and it definitely adds some friction to the sign-in process, but it's by far the most effective way to secure your Microsoft account.

You need a strong, unique password for your Microsoft account. The best way to ensure that you've nailed this requirement is to use your password manager's tools to generate a brand-new password. Generating a new password ensures that your account credentials are not shared with any other account; it also guarantees that an older password that you might have inadvertently reused isn't part of a password breach.

The next step is to save a recovery code. If you're ever unable to sign in to your account because you've forgotten the password, having access to this code will save you from being permanently locked out.
On the Microsoft Account Security Basics page, find the Advanced Security Options section and click Get Started. That takes you to the not-so-basic Microsoft Account Security page.

Don't leave the Microsoft Account Security page just yet. Instead, scroll up to the Two-Step Verification section and make sure this option is turned on. The setup process is a fairly straightforward wizard that confirms you are able to receive verification messages. If you're using a modern smartphone with an up-to-date version of iOS or Android, you can safely ignore the prompts to create an app password for the mail client on those phones.

Microsoft recommends that you have at least two forms of verification available in addition to your password. If you need to reset your password when two-step verification is enabled, you'll need to supply both of those forms of identification or you risk being permanently locked out.

A free email address, such as a Gmail account, is acceptable if your security needs are minimal, but a business email address is a much better choice. If necessary, you can have a verification code sent to that address. More complete details can be found on OUR FORUM.

It can happen in the blink of an eye. You put your Android phone down on a counter at the checkout stand or feel a slight bump as you get off the subway, only to later realize your phone is missing. Regardless of how you lose it, be it theft or a simple mistake, losing your phone is a stressful experience. Losing your phone cuts off your access to the rest of the world; it is likely the most personal device you own. Replacing it is a costly nuisance.

In the event your phone goes missing, don't panic! There are tools built into every Android phone that make it possible to lock and track down a lost phone with ease. But first, you'll need to take some steps now to set yourself up for success if and when your phone does go missing -- even if you only left it in the house.

You can take a few steps now to be ready if you lose your phone. Do yourself a favor and turn on passcode and fingerprint authentication. Do yourself another favor and don't use facial recognition on your Android device. On most Android devices, the technology used for facial recognition can be easily tricked with something as simple as a photo of your face. Google's Pixel 4 and Pixel 4 XL are the exceptions here, as they use a more reliable system similar to Apple's Face ID.

Next, create your passcode and set up fingerprint authentication in the Settings app under the Security section. I realize scanning a fingerprint or entering a PIN code every time you want to use your phone can be inconvenient, but the idea of someone having access to your photos, banking apps, email, and the rest of your personal info is downright scary. An extra step to unlock your phone is worth the effort when you consider the potential impact of exposing your personal info to a stranger.

Any time you sign in to an Android device with a Google account, Find My Device is automatically turned on.
Google's free Find My Device service is what you'll use to track, remotely lock, and remotely erase your phone should it ever go missing. Check to make sure Find My Device is enabled on your Android phone by opening the Settings app and going to Security & Location > Find My Device. Alternatively, if your device doesn't have a Security & Location option, go to Google > Security > Find My Device. Find My Device should be turned on. If not, slide the switch to the On position.

Finally, double-check that the ability to secure and remotely erase the device is turned on by going to android.com/find on your computer, selecting your phone, and clicking Set Up Secure & Erase. A push alert will be sent to your phone -- tap it to finish the setup process.

Samsung has long offered a Find My Mobile service to help Galaxy phone owners track down their lost phones. The service is separate from Google's Find My Device offering, and is something you can -- and definitely should -- set up. Not only does it give you a backup service you can use to track down a lost phone, but it also gives you tools that Find My Device doesn't have. With Samsung's service, you can do things like force remote backups or see if someone has swapped out your SIM card. You'll need to use your Samsung account to set up Find My Mobile.

However, more recently, Samsung announced a new service called SmartThings Find. The new feature works like Apple's Find My app by crowdsourcing the location of a lost device, even if it's offline, by telling nearby Galaxy devices to look for its Bluetooth signal and report its location if it's found. All of which, of course, is done anonymously. As for SmartThings Find, you'll need to have a Galaxy device running Android 8 or newer. The setup process should already be taken care of as long as you're running the latest version of the SmartThings app.
I had to go into the Galaxy Store app and update it myself, but once I did that the main page of the SmartThings app had a map showing the last location of my Galaxy Buds, along with other Samsung devices that are linked to my account below the map. If it's not set up automatically, you may have to tap on a SmartThings Find button and follow the prompts to register your device. Once it's turned on, you can view the location of your device(s) by opening the SmartThings app and selecting SmartThings Find. Read this how-to in its entirety on OUR FORUM.

As the 116th Congress comes to an end, the annual defense authorizing legislation (NDAA) is among its most important pending matters — and tucked within it is the most important internet issue that you’ve probably never heard of. While not as visible as COVID relief or continuing government funding, the massive Fiscal Year 2021 NDAA Conference Committee report addresses many important defense and non-defense issues, including the naming of military bases after Confederate officers, limits on the President’s ability to withdraw troops from Germany and Afghanistan, a threatened presidential veto over the absence of a repeal of Section 230 and much more — to say nothing of the roughly $740 billion in military programs the law would authorize for the current fiscal year.

Amid these, both the House and Senate bills and the Conference Report address an important internet issue that is not much discussed and not much understood outside of a small circle of industry, scholarly, military, intelligence, and law enforcement experts. The resolution of the issue (which won’t get the kind of attention that creating a new “National Cyber Director” will get) could have an enormous impact on the shape and future of the entire internet — far beyond the military and defense communities.

Labeled “information sharing,” to put it most simply, it’s whether the U.S. Government (or any government) should regulate and control information about cyber threats that is shared by internet (and other) companies with U.S. military, law enforcement, and intelligence agencies — or whether the sharing of cyber threat information by internet companies should continue to be voluntary and led by industry. The issue is often addressed in vague terms, but at its core, it divides American industry, the tech sector, and even the internet industry itself — and its resolution will establish basic rules for how the internet is regulated by the U.S. government and most other governments.
The Fiscal 2021 NDAA Conference Report partly addresses this issue and partly postpones it. That’s not surprising, given its complexity and enormous implications for the shape of the internet. Aside from the political fact that nearly everyone supports “cooperation on cybersecurity” between government agencies and internet companies, the debate over mandatory versus voluntary cooperation is further complicated by the fact that serious cyber threats to the U.S. originate not only from a foreign military attack but also from anyone from a bored high school student to a professional crime ring. Cyber threats from any of these could jeopardize large parts of our economy or social structure.

So, a major underlying issue in mandatory versus voluntary “information sharing” is that the problem that’s being addressed is not just defending against a foreign military attack on the United States. It is, arguably, defending against any type of cyber threat from anyone. The details are quite complex, but the core issue has been hotly debated for over a decade and even echoes policy debates over industry regulation that go back to the 1980s.

Like several other cybersecurity issues, the issue of “information sharing” was highlighted by the recent report of the Cyberspace Solarium Commission, which looked at the full scope of cyber threats to the U.S. and set forth a wide range of proposals to improve America’s cybersecurity. The Commission singled out companies that are part of the “defense industrial base” (which could include quite a large swath of the internet industry) and concluded that they and other internet companies need some form of new, mandatory information sharing for the national security of the United States.
Historically, there have been many — mostly in intelligence, law enforcement, and the military — who believe that major internet companies should be legally required to rapidly share information about cyber threats with law enforcement, military, and intelligence agencies. These advocates of mandatory and regulated information sharing are supported by some defense contractors and many businesses that depend on the integrity of the internet for their business. Generally, their view is that whatever drawbacks this form of regulating the internet may have are a small price to pay for the significant increase in security and stability that mandatory and regulated information sharing would offer. For more, visit OUR FORUM.