New Ways to Keep Your Online Accounts Safe
As cybercrime evolves, the strategies you use to protect yourself need to evolve, too.
Last year, in one of the largest data breaches in history, more than 16 billion log-in credentials were exposed from Apple, Facebook, Google and other platforms. Add that to the long list of recent cyber threats putting your personal online accounts at risk.
All told, the internet privacy and security company NordVPN reports that more than half of Americans say they’ve been the victim of a data breach. And two-thirds suspect their personal information could be for sale on the dark web. Advances in technology make these cyberattacks increasingly easy to execute, says Robert Raymond, first vice president at HUB Private Client, a high-net-worth insurance provider.
"It used to be that all of this criminal activity was done by hobbyists who were tech experts. Now you can be a nobody," using software from the dark web, he says. The result is that the traditional steps you may be taking to protect yourself — say, using varied and complex passwords as well as two-factor authentication — are likely no longer sufficient to thwart the bad guys.
From just $107.88 $24.99 for Kiplinger Personal Finance
Become a smarter, better informed investor. Subscribe from just $107.88 $24.99, plus get up to 4 Special Issues
Sign up for Kiplinger’s Free Newsletters
Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.
Profit and prosper with the best of expert advice - straight to your e-mail.
According to a 2025 report from the Federal Bureau of Investigation, Americans lost $16 billion to internet crime in 2024, a 33% increase from the year before, with adults over age 60 filing the most complaints. Meanwhile, a November 2025 study from the financial industry research group PYMNTS Intelligence found that 30% of victims never recover a dime.
Fortunately, just as tech developments have enabled cybercrime to grow, there are now more technologically sophisticated ways to fight back. Here’s what experts advise.
Set up multifactor authentication.
For years, two-factor authentication — say, having to enter a one-time-use code, sent by e-mail or text, in addition to your password before you can log in — has been the gold standard in protection.
Experts say that’s not exactly true anymore. "Two-factor has evolved," says Michael Sherwood, vice president of consumer product at cybersecurity company Malwarebytes. The new iteration is multifactor authentication, or MFA, which mostly relies on more than two steps — maybe requiring a password and code sent to your phone, but one that can only be accessed with your fingerprint or an app. Some forms require using more than one device, such as a push notification sent to your phone when you log in to an account on your laptop.
"The fact that you’re asked to show that you’re the same person on two different systems that are uncorrelated gives confidence that it’s really you," says Ran Canetti, codirector of the Center for Reliable Information Systems and Cyber Security at Boston University.
If you’re prompted to set up multifactor authentication at a trusted site when you log in, it’s smart to do so, experts say. Or go to the security settings on your account; if multifactor authentication is supported, you’ll be able to find and enable it.
Download an authenticator app.
These apps are one of several methods used in MFA to verify your identity. They work by generating a new code, typically on your mobile device, each time you log in to an online account. After you enter your password, you’ll get a prompt to enter the code. This is more secure than verification protocols that use e-mail or text messages, which can be intercepted by criminals.
Typically, each code is good for only 30 seconds, which further narrows the window of opportunity for crooks, says Eva Velasquez, CEO of the Identity Theft Resource Center, a nonprofit organization.
"If someone’s trying to brute-force their way in, the codes aren’t good for long." How you access an authenticator app depends on your mobile device platform and manufacturer.
Options include using built-in authenticator software or downloading an app such as Cisco’s Duo Mobile from Apple’s App Store or Google Play.
Enable biometric identification.
Biometric identification uses unique physical characteristics such as your fingerprints, voice or face to verify you are who you say you are when you log in to an online account.
"I’m not going to say biometric IDs are a silver bullet," Velasquez says. "But they do eliminate an entire source of account access because you can’t self-compromise" — meaning that you can’t easily be tricked into giving a criminal your fingerprint.
You should back up biometric authentication with a secondary means of access, such as a PIN. Then share that method with a trusted individual, such as your spouse, suggests Patrick Simasko, a financial adviser and elder and estate law attorney in Mount Clemens, Michigan.
Otherwise, he says, if you suddenly die or become incapacitated with no backup access, "that’s an absolute nightmare for families. They need some other method to get into those accounts."
Use a passkey, when prompted.
A passkey is like a password, but with a lot more sophisticated computer firepower behind it. Each one is unique to your device and to the platform using it, and you have to be in physical possession of your phone, tablet or computer for a passkey to work.
If a criminal gets hold of your username and password, he or she can log in to an account from anywhere; if passkeys are enabled, though, the prompt is pushed to your physical device, which the criminal wouldn’t have.
Each passkey consists of a pair of encrypted keys, one stored on your device and the other on the platform’s server. When you attempt to log in, the remote server sends a cryptographic "challenge," often via text or push notification, to request access to your device. You’ll be prompted to perform an action such as entering a single- use code or using your fingerprint, which sends your device’s half of the passkey back to the remote server to unlock access.
Crucially, because half of the passkey is held by the platform, you can’t access it — which means you can’t give a criminal access to it unwittingly, either. Says Raymond, "A passkey is the best way, I believe, to secure your online identity."
Related Content
Note: This item first appeared in Kiplinger Personal Finance Magazine, a monthly, trustworthy source of advice and guidance. Subscribe to help you make more money and keep more of the money you make here.
