You really should secure your email - now
This Substack, Wild Digital Yonder, is intended to run the gamut in topics from high-level writings on technology to low-level technical walkthroughs and maybe even some technical discussions that most people might not care about. For this, its inaugural post, I’m choosing a fairly high-level topic: security for your email.
Email has become a critical part of life, and for some, it has been for decades now. As more and more of life is accessed through some kind of web portal, it becomes all the more important that the security of those portals is maintained - and sadly, it isn’t always. Frequently, for reasons of supportability and scale, all of these individually implemented web portals fall back to one thing to identify you - your email. Some websites have even thrown away any kind of user database with passwords and now just send a link to your email when you attempt to log in.
Consider the wealth of information that you have stored in services accessible by the internet.
Storing a credit card on a website has become normal, and personal information is easily searched and indexed through public records. There’s also healthcare information, banking information, and everything up through investments, cryptocurrency, and other information that, once stolen, is very hard to make secret again. As adoption of online services continues to scale up, online identity theft becomes the greatest threat to individuals and their peace of mind.
I started this off by saying “protect your email” because so many consumer services today use it as the only way to reset your credentials. Whether you need to reset a simple password or completely change around your profile and billing information, email is viewed as a trusted system because it’s easy to implement, and most people now have at least one address.
Take the time, now, to go look at your email – yes, both the one that you use for important things, and even your “garbage account” (yes… some of us have multiples for just that). There are three things I wish everyone would go check out: multi-factor authentication (MFA), active sessions, and privacy settings.
Multi-Factor Authentication (MFA)
MFA is table stakes for everything these days, but not all services are at the same level of security as others. Go with the best method available; just make sure it’s some kind of multi-factor method. I’m open to discussion, but I think that the further you can go down this list, the better off you are for securing your accounts.
Security questions (not really MFA :) )
SMS text messages sent to your phone
App-based push notifications. (“Is this you? Click here to say yes!”)
One-Time Password (OTP) or another “authenticator app” where you get rotating codes with time- or sequence-based numbers.
Device-synced Passkeys - Think of Apple passkeys or Google’s passkeys
Hardware authenticator passkeys - Yup, like a YubiKey.
It’s worth noting that not all of these are super-convenient for every user out there, and that I wouldn’t always order this list this way based on the situation you’re looking to secure. Just, for now, please work with the one that’s the best security for you (ideally at passkeys or higher).
Also, for full disclosure, at the time of this writing, I do indeed work for Yubico (maker of the YubiKey) – but I do truly believe that they have their place in everyone’s identity ecosystem.
There’s a world more to write here, but for now, please, just go check on your MFA – and while you’re there, check out your sessions.
Check your sessions
Every good email tool out there should be able to show you your active sessions. In Gmail, it’s down at the lower right-hand corner, showing you how many “locations” you have mail open in. From time to time, it’s easy to forget that you’ve signed into a browser, or that you’ve changed over phone ecosystems and didn’t sign out of mail on that device. These aren’t huge security holes, but they’re worthwhile to audit once in a blue moon, removing all the sign-ins you don’t recognize or need anymore.
Check your privacy settings
Near the settings indicating where you’re signed in, there is usually a privacy section. In Google-land, this is in the My Account administration area; in other providers it can be buried in settings or account administration. Privacy controls are constantly evolving. I’d recommend that you check them as often as you check your credit score online for inconsistencies – once a year, or when you see anything that’s odd.
This all feels like perhaps a lot to check on, but as I said earlier, email is today’s most trusted fallback for online identity. It’s important to keep up with changes as new features evolve. Not all features will be welcome!
Check back here as I continue to write up opinions and views on the technology world, especially as it relates to business.
Thank you for reading!
Update and edit (2025-09-01):
August 15th was an incredibly opportune time to publish this, assuming that you read it and took action! This Newsweek article, published on Sept. 1, outlines how a hacker group that’s been labeled “ShinyHunters” breached Salesforce databases and is using the data to phish customer data from Google. While this may not affect the everyday Gmail user, many contractors still operate out of personal accounts. Please go check your MFA and set it up by any means possible today. (Preferably passkeys!!!)