Keeping your accounts secure

login.gov helps over 15 million people keep their information safe across dozens of government applications online. Over the past few years, we’ve learned a lot about keeping information safe. Here are a few ways you can make sure your online interactions stay secure.

Set up two-factor authentication (2FA)

Two-factor authentication helps an application know it’s you when you sign in, not just someone who picked up your password during a breach. Also referred to as a second step or second factor, two-factor authentication ensures you have something (like your phone or a security key or your fingerprint) physically on you when you sign in. Fraudsters impersonating you are considerably less likely to also have your phone or access to your fingers!

login.gov allows you to use a variety of 2FA methods, including PIV/CAC cards for federal employees and contractors, so you can be sure that only you are able to sign into your account.

Don’t reuse passwords

Reusing passwords means all of your accounts are only as protected as the weakest among them; i.e. as strong as the weakest link. By using unique passwords for each website, you can protect yourself from a chain of breaches if one of your passwords is hacked. Use a password manager to keep track of all your different passwords so you only need to remember one master password. A password manager keeps your passwords in an encrypted (and password-protected) vault. It generates strong passwords for you and may fill them in for sites and apps when you want to sign in. That means you don’t have to remember all the different passwords for different sites since the password manager takes care of that.

login.gov helps protect you against the risk of reusing passwords by implementing a second factor, ensuring that you have something physically with you to sign in. For example, if a fraudster grabs a password from another site, that alone will not allow them to sign in to your account.

Avoid weak passwords or guessable passwords

While password123 might be easy to remember, it will be the first thing that hackers try when attempting to break into a system. In fact, there are even tools that guess predictable passwords. Use a long and memorable password instead, which will be much harder to hack. Again, using a password manager makes it easy to generate strong, random passwords for each of your accounts.

In addition to using a second factor, at login.gov we don’t allow you to use common passwords, and have an ever-growing list of banned passwords used by malicious actors.

Use unphishable 2FA methods

Phishing is when someone pretends to be a real service to collect information from you using fake websites, phone calls, or fraudulent emails. Phishing has become more sophisticated and tricky to spot and is now a major driver of fraud on the internet. login.gov and many other sites support newer 2FA methods that prevent phishing entirely.

While all second factors improve security, using text or SMS messages, a common two-factor authentication method, does not prevent phishing. Hackers have various methods to collect your six-digit code in the text and use it to access your account.

To defend against this, login.gov supports several second factors that are unphishable. We recommend using a FIDO-compliant physical security key that must be connected to your phone or computer to sign in. Additionally, phones and laptops have fingerprint readers that work the same way and can be used as the second factor on login.gov if your browser supports it, through something called WebAuthn. Federal government employees and contractors can also use their CAC or PIV cards. All of these methods are unphishable as they require a physical factor - a device or a fingerprint - to authenticate.

Learn more about how to keep your information safe over at login.gov.