
Two quick wins to upgrade your digital security

By Shira Ovide The Washington Post

Published March 11, 2024


I'd rather scrub tile grout than tend to my digital security.

But two relatively low-fuss changes to your email account will significantly improve your security. If you've already done these, double check. I bet you can make a beneficial tweak. I did.

1. Add an identity verification method to block criminals from taking over your email if they steal or guess your password. If you can, pick a verification method that's something other than a code texted to your phone.

2. Add a backup email address, phone number or a friend's contact information in case something goes wrong, like you forget your password or are hacked.

I'll walk you through those steps for three popular personal email services. The process can be clunky - I'm looking at you, Gmail. Still, this should take 10 minutes or less.

Because email is the gateway for many digital services, email security upgrades make your financial accounts, digital health records and other online accounts safer, too.

If you make the suggested improvements, "you're as locked down as any consumer can reasonably be," said Tarah Wheeler, chief executive of the information security company Red Queen Dynamics.

The takeaway message: Perfection is not necessary to be secure online. An upgrade or two can make a big difference.

If you use something other than the three email services here, the steps should be relatively similar for others.

And the One Tiny Win section below has more advanced email security improvements, if that's right for you.

For Gmail, do this

Access your Google account.

Find the Security section at the top (on your phone) or at the left-hand side (on a computer screen). Under "How you sign in to Google," check for "2-Step Verification."

If 2-Step Verification is off, click or tap on that option. In the next screen, choose Get started.

You may be asked to enter a phone number for account security purposes. I recommend you don't do that. Instead, click or tap the blue text that says "Show more options." Most people should choose the Google prompt. Select Next.

In the next screen, many people will see the model of smartphone you use to read your Gmail. Follow the on-screen instructions if you don't see your device listed there.

Next, Google will ask for a backup verification option - typically your phone number to call or text. This isn't ideal. Do it for now. Keep reading below for why this is a problem.

You'll see a confirmation screen. Choose "Turn on."

Once this is set up, when you want to access your Gmail, Google may send a pop-up message to your phone to confirm it's really you. You can check a box for "Don't ask again" to skip the verification on a phone or computer you use regularly.

The goal is to make it very difficult for an impostor who has your email password to access your Gmail because he's unlikely to have your phone, too. (Or if a thief steals your phone, he's unlikely to also have your email password.)

If you're thinking, what if my phone is lost or stolen and it's my verification method - see the section below.

Or if 2-Step Verification is already on, tap on the option and look at your "Available second steps" for verification.

If one of those options is a voice or text message, I suggest you pick a different option such as an authenticator app. (Read more in the One Tiny Win section below.)

For everyone, again under "How you sign in to Google," fill in the fields for a Recovery phone number and a Recovery email address.

Your own mobile number is good, but it's better if you can pick a work email or phone number of a trusted friend or family member.

If you get locked out of your email account because you forget your password or it's taken over by a hacker, Google uses this Recovery information to help you get back in.

For Apple mail, do this

Start from your Apple ID account. Sign into your Apple account.

Look in the "Account Security" section. Most people will see "Two-factor authentication" in that section.

Click or tap that Account Security section and make sure the "trusted" phone number and "trusted device" listed there are still correct and not a phone that you lost or gave away.

When you access your email on a phone, computer or web browser that you don't typically use, Apple may send a pop-up verification code to your iPhone or Mac to make sure it's really you. (Apple has instructions here, too.)

If you're thinking, what if my phone is lost or stolen and it's my verification method - see the section below.

If you don't see two-factor authentication in the Account Security section, click there and follow the on-screen instructions.

Now look at the "Account Recovery" section. If it says Not Set Up, click or tap that option. Choose either a recovery contact or a recovery key.

The recovery contact is a person you trust who will vouch for you digitally if you lose your Apple account password or it's hacked. The recovery key is a 28-digit code that Apple will generate and that you need to save somewhere safe. It's a backup plan to regain access.

Apple has detailed recovery instructions available online.

For Outlook or Hotmail, do this

Access your Microsoft account. Choose "Security" at the top of the screen and then "Advanced security options."

Look for Two-step verification at the top of the screen. If it says OFF, choose "Manage."

Follow the on-screen instructions. You'll be asked for a way to verify your identity. Most people should choose the app option.

Microsoft will walk you through downloading the company's app that pops up a code in some cases to confirm you are you.

If you're thinking, what if my phone is lost or stolen and it's my verification method - see the section below.

Under the same Advanced security options, check the "Ways to prove who you are," including a different email address. Those are your backup plans if you lose your password or are hacked.

Microsoft has more account recovery information online.

But what if my phone is lost or stolen and it's my verification method?

Using a pop-up message to your phone (or an app on your phone) for identity verification is much safer than almost anything else.

Even if it makes you nervous, do it.

It's definitely safer than leaving yourself exposed by letting a criminal get into your email with just a password that he can steal or guess.

Once he has access to your email, he can reset the passwords to take over your other online accounts such as banking, shopping and social media.

If you do lose access to your phone, follow these instructions to disable or delete everything on your device from afar. You'll need to get your existing phone number set up on a new phone.

Yes, that means if your phone or phone number is verification of your identity with Google, Apple or Microsoft, you may need help getting back into your email. That's why it's important to set up recovery options ahead of time.

Why texts aren't ideal for identity verification

Crooks love stealing people's mobile phone numbers.

If a criminal takes over control of your phone number, he might be able to tell Google that you forgot your email password, change it and confirm his new password via a Google text message to a phone number that he controls.

That could let him take over your other online accounts, too.

Criminals can do large volumes of phone number thefts. It's harder to steal a bunch of people's physical phones.

Google deserves special scolding. The company should do more to steer you away from picking phone calls or text messages as the verification to get into your email.

Still, even if you use your mobile phone number or text messages for identity verification, you are better protected than nearly everyone else.

Remember that our goal is security improvement and not perfection, which is impossible.

One (more) tiny win: Advanced options

My colleague Heather Kelly wrote a guide to security keys and added account encryption features from Apple.

You can use these for Fort Knox-level protections for email and other accounts. Google and Microsoft also have advanced protections for accounts including Gmail or Outlook personal email.

Those extras are not necessary for most people. They may even be counterproductive if you're not comfortable using them or don't have an account recovery backup plan.

One easier and secure alternative is verifying your identity with a free, reputable authentication app such as Twilio's Authy, the Microsoft Authenticator app or Google Authenticator.

In Gmail, after you initially set up your account verification methods, you can replace phone or text-based verification codes with an authenticator app that generates constantly changing numerical codes. That's a worthwhile upgrade.

Companies including Google, Apple and Microsoft are also making it easier to ditch your password entirely and use only your phone protected by a passcode, fingerprint or face scan to prove that you're you.

Maybe this sounds unsafe but the current system of online passwords is fundamentally broken and insecure. Killing passwords entirely and using your phone as a "passkey" is an improvement.
