2018
alone has seen billions of accounts hacked across a wide range of applications
and services, proving once more that even the biggest Internet players can’s
always keep users’ accounts under lock and key.

Hackers
are increasingly apt at flying under the radar, making life hard for everyone
in their crosshairs. While big companies have regulations like GDPR to fear,
end users are finding it increasingly necessary to arm themselves with good
password hygiene and best practices.

Some
vendors are more diligent than others, security-wise, but most give users
plenty of options to deploy additional security layers, like two-factor
authentication (2FA), recovery email, or printed security codes. As the biggest
aggregator of user-generated data on the web, Google offers a wide range of
security layers that users can opt in and out of, depending on their privacy
needs, security awareness, or convenience. This guide offers a comprehensive
look at these out-of-view options that every user should be aware of, and use
to their advantage.

1. Security Checkup

Your first step towards deadbolting your Google account across your entire fleet of devices is to visit the web giant’s Security module at: https://myaccount.google.com/security, then click on Get Started. This takes you to the Security Checkup sub-menu, which offers quick access to key options that help keep your account secure.

Depending
on your current settings, your Google Security Checkup pane will look something
like the screenshot above. Regardless of your current configuration, these actions
should apply to everyone.

2. Manage Your Devices

In this section, Google displays the devices you own that are currently linked to your Google account with admin permissions. The three-dotted button to the right of every listed device lets you remove any gadgets that you no longer use with your account.

If you choose “don’t recognize this device,” Google immediately recommends you change your password, as your credentials might have been compromised. This doesn’t necessarily mean someone hacked Google and stole your password. In fact, hackers typically buy stolen credentials leaked in other (high-profile) breaches, then use techniques like credential stuffing to try to compromise the victim’s entire online presence, whether it be Google, Facebook, Twitter, Instagram, LinkedIn, their bank account, or anything in between.

In
the main Security module, Google also lets you find a lost or stolen phone.

3. Recent Security Events

Bought
a new phone? Logged in with your Google account on a company-issued laptop?
Google will keep track of these “events” in this special section, allowing you
to stay on top of your activity across devices, and flag any unrecognized
events in case something goes awry. Choosing to generate backup codes (more on
that below) will also be registered as an event, as the image above shows.

4. Two-Step
Verification

Also
known as Two-Factor Authentication (2FA) or Multi-Factor Authentication, this
must-have setting should be enabled on every service that offers it, not just
your Google account. In fact, two-step verification has become a rule of thumb
in recent years. If hackers manage to dupe you with a well-crafted phishing
email, this setting becomes a life-saver: without your second-trusted device to
receive that one-time passcode, hackers can’t break in. If Two-Step
Verification is off, consider turning it on sooner rather than later.

Google
offers additional “factors” of authentication if you follow the link included
in the prompt. These include setting up a Google Prompt (a ‘yes-or-no’ prompt,
rather than a code to enter), voice or text message authentication, and even
unique backup codes that you can download or print out to use as authentication
tokens anywhere you go.

The 2-Factor Verification module also offers a quick way to instantly revoke trusted status from your devices that skip 2-Step Verification.

5. Authenticator app

Google
offers even more convenience via a handy Authenticator app that you can grab on
the App Store (iOS) or Google Play Store (Android). Just pick your platform, get
the app on your handset, set up your account in the app and scan the QR code that
Google provides. It’s not necessarily more convenient than entering your
password, since Authenticator involves entering a verification code. But it’s
still a useful option. The best thing about it is you can get verification
codes for every service that supports TOTP (time-based one-time password).
Also, it doesn’t require a network or cellular connection. In case 2FA fails
because your reception is bad, Authenticator comes to the rescue!

6.(Physical) Security
key

Google
advertises its Titan Security Keys as “phishing-resistant two-factor
authentication (2FA) devices that help protect high-value users such as IT
admins.” Using such a key may sound like overkill for the average Joe, but this
convenient USB dongle completely eliminates the need to punch in one-times
codes or passwords. It’s also useful for journalists investigating sensitive
matters, activists, business leaders, and political campaign teams.

7. Third-Party Access

In
the Security Checkup module, Third Party Access lists external (non-Google)
apps and services tied to your Google account. It is advisable to remove any
apps and services that you no longer use or want associated with your Google
account. To learn more about any of the items, click the “i” button to see what
data they collect and how.

In the main Security panel, down below, is a section called “Signing in to other sites,” which lists all the services, including websites, that authenticate you via Google. Keep only the sites and services you use actively. Any site or service you no longer want connected to your Google account should disappear from that list. If one of them gets breached, your password could be compromised.

And
in the Saved Passwords module, you can see (and delete) all the login
credentials you’ve used with third-party sites and services.

8. Set a recovery
phone and / or email

You
want at least one other way Google can reach you in case something suspicious
happens to your account, or you accidentally get locked out. That’s why you can
set a recovery phone, a recovery email, or both. You can do this in the main
Security pane. Select your option and follow the on-screen instructions to set them.

9. Refresh your password

Considering
the frequency with which data breaches are reported and customer credentials
are compromised, it’s a very good idea to give your password a good refresh once
in a while.

Google
is one of the few services that tells you how old your password is. In the main
Security pane, you’ll find a section called “Signing in to Google.” There, you
can change your password and 2-step verification settings. You’ll need to use
at least eight characters, and it’s a good idea to use both uppercase and
lowercase letters, numbers and even special characters (@#$&%).

The
“App Passwords” section lets you set passwords you can use to sign in to your
Google account from apps on devices that don’t support 2-Step Verification.
You’ll only need to enter it once so you don’t need to remember it.

10. Download a copy of
your (Google-collected) data for review

Many
of us have been using Google most of our lives. Considering how many services
it commands and how embedded Google is in everyday life, we can only imagine
how much data the tech giant holds on every one of us. While much of this data
is collected justifiably, so that we can enjoy reliable services like Maps,
it’s still a good idea to review the data and maybe tweak those privacy nobs a
bit.

You can export a copy of your data here. Just select or deselect the services you want or don’t want to be included in the archive and click “Next” at the bottom of the page. Google will begin work on your archive which, according to the search giant, can take hours or even days to complete. An email will then be sent to you with a link to download said archive.

That’s
about it! Feel free to browse around your account’s security and privacy
modules to configure the best settings that work for you. Stay safe out there!