03 — Interactive Tool
Practical Identity Security Checklist
34 prioritized items organized by threat category. Start with your primary email — it recovers everything else.
Secure Your Primary Email First
Your email recovers everything else. SMS or authenticator app MFA is not sufficient here. Google and Microsoft both support FIDO2 passkeys natively.
Phone number recovery enables SIM swap bypass of all other authentication. Replace with a backup email or authenticator app recovery code.
Store in a password manager, not in your email inbox. Print one copy; store in a physically secure location.
Attackers who previously accessed your email may have set silent forwarding rules. Review in settings: Filters → Forwarding or Gmail/Outlook forwarding settings.
Protect Your Financial Identity
Free, effective, and reversible. Prevents new accounts from being opened in your name. Equifax · Experian · TransUnion
Prevents someone else from filing a tax return in your name. Free at irs.gov/ippin. Must renew annually.
Most major financial institutions now support TOTP; some support FIDO2 passkeys. If SMS is the only option, combine with a carrier account PIN.
Real-time push alerts on all financial accounts. Minimize detection time if an attacker gains access.
A separate email that is not used for social media or commercial registrations reduces its exposure surface.
Accounts, MFA, and Passwords
1Password, Bitwarden, or equivalent. Unique, generated passwords for every account. If you are reusing passwords, this is the most impactful change you can make.
Prioritize email, financial, social media, and cloud storage. Passkey > hardware key > TOTP authenticator app > push notification > SMS.
Call your mobile carrier or set this up online. A PIN requirement for account changes dramatically reduces SIM swap risk.
haveibeenpwned.com: check your email addresses. For any match, change that password now, along with the password on any account where you reused it.
Google: myaccount.google.com/security. Microsoft: myaccount.microsoft.com. Revoke any app you no longer use, especially those with email or calendar access.
Google, Apple, Microsoft, GitHub, and most major financial institutions support passkeys. Enroll where available.
Systematically remove phone number as a recovery or fallback factor across all accounts. Replace with an authenticator app or backup email.
Bookmark identitytheft.gov. FTC-managed step-by-step recovery guide for accounts, credit, and SSN fraud.
Digital Exposure and Data Brokers
Search your name on Spokeo, WhitePages, Intelius, BeenVerified. Use an opt-out service (DeleteMe, Privacy Bee) for systematic removal across dozens of brokers.
iOS: Settings → Privacy & Security → Location Services. Android: Settings → Privacy → Permission Manager. Most apps should be set to "Never" or "While Using."
Google Voice (free) or MySudo for forms, online orders, and services that do not require your primary number. Keeps your real number off commercial databases.
What is visible without being logged in? Name, employer, city, phone number, family members? Reduce what is searchable. Family member names and locations are attack intelligence.
Spokeo, WhitePages, Intelius, and BeenVerified all have opt-out forms. Manual process; re-aggregation requires periodic re-submission or an opt-out service.
Keeps your home address off commercial databases, data broker profiles, and online directories. Particularly relevant for executives, public figures, and remote workers.
Family and Behavioral Defenses
One word or short phrase, agreed in advance, known to all family members. Anyone can ask for it in an unexpected contact. AI voice clone scams rely on the absence of this habit.
What do you do if your email is compromised? Do you know your recovery backup email? Your backup codes? Do not discover these gaps under pressure.
Unexpected calls from banks, utilities, government, or IT support: hang up, call back on a number from their official website. Never provide credentials, PINs, or MFA codes to inbound callers.
Elder fraud is the fastest-growing identity crime category. Discuss gift card payment requests (always a scam), IRS impersonation, grandchild-in-crisis calls, and tech support scams. Practice the verification phrase habit.
Children's names, schools, ages, and locations posted publicly compound over time into a discoverable profile. Consider a family-wide review of social media visibility.
Limits breach exposure from high-volume commercial email. Your primary email appears in fewer data breach dumps when you keep it off commercial subscription lists.
Legitimate organizations never request gift card payment. Unexpected wire transfer requests from executives require phone verification on a known number, not a reply to the email.