Not necessarily. For many services you will only need to take the extra step when logging in from a new device or in a different manner than you have previously.

The “Lock Down Your Login” campaign, a key public-facing pillar of the multifaceted Cybersecurity National Action Plan (CNAP) announced by the White House in February 2016, is a STOP. THINK. CONNECT.™ initiative led by the National Cyber Security Alliance and developed by a coalition of industry leaders and like-minded organizations working in collaboration with government, who understand the importance of cybersecurity awareness and education. The campaign was built upon a broad, coordinated effort to increase consumer awareness of our individual and collective roles in cybersecurity.

STOP. THINK. CONNECT.™ is the global cybersecurity education and awareness campaign. The campaign was created by an unprecedented coalition of private companies, nonprofits and government organizations with leadership provided by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG). The U.S. Department of Homeland Security leads the federal engagement in the campaign. Learn how to get involved at stopthinkconnect.org. 

Hackers are resourceful, and using just a username and password is no longer enough to keep your accounts secure. Anyone with your username and password can access your account. Locking down your login ensures it’s actually you trying to access your account by offering multiple forms of verification by using a security key or physical feature such as a thumbprint or entering a one-time code through an app on your mobile device. In addition, many people use the same password for several accounts, making your accounts even more vulnerable to cybercriminals. 

Strong authentication – goes beyond just a username and password and is a way to lock down your login that typically includes multi-factor or two-factor authentication. It helps you prove you are who you say you are by providing multiple forms of verification – like something you know, have and/or are. You already do this in your everyday life. Examples include showing multiple forms of ID when completing your I-9 form at a new job and using an ATM that requires your bank card (something you have) and a 4-digit PIN (something only you know)

Yes! While no security measure is foolproof, adding a layer of protection beyond just a username and password makes it significantly harder for hackers to access your online accounts and personal information.

No – most of the popular online accounts and services offer strong authentication technologies for free. 

No – many popular online services and websites have made locking down your login quite easy. Take a look at the “How to Turn It On” section for a step-by-step guide to enabling strong authentication on a variety of services. A better-protected account could be just a few clicks away. 

Most of the time, turning on strong authentication will be as simple as downloading an app or submitting your phone number. For more information about how your information is collected and used by a website, service or app, check the company’s privacy policy.

Biometrics, such as fingerprints, facial recognition, voice recognition, or iris-scans, are increasingly being used to protect your account. The security of storing biometric information can vary. For example, when unlocking a phone with a fingerprint, the phone typically uses and stores a representation of the fingerprint, locally affording users more control over their biometric data.

Biometrics used to access online accounts may be handled differently. They may be stored locally or centrally—in the cloud or on a company’s servers. For example, the FIDO Alliance is an industry group that establishes strong authentication standards. Web services and apps using the FIDO standard store biometric data locally on your device, where it can be better protected from hackers attempting to breach the services that you use. Other approaches capture biometric data locally and transmit it over a network to another location for storage.

You should be aware of how companies capture, transmit and store your biometric data by reading the company’s privacy policy and understanding where your biometric data may be stored.

Not every site or service currently offers a strong authentication option. Always double-check with the company and ask if added protection is available. It may not always be evident at first glance. If a site you use does not yet offer that option, implement password best practices by creating a strong password that you only use for that site. Contact companies to let them know that you care about security and request they add strong authentication options. You can find more information and online safety resources here:  https://www.stopthinkconnect.org/lockdownyourlogin

While many people believe that passwords have outlived their shelf life, passwords are likely to be around for some time. You might still need to use a username and password to log in as part of the strong authentication process. Therefore, it’s important to still create a strong password – a sentence that is 12 characters or longer and is easy for you to remember – for each account you have and that you only use for that site.

For more information about how to secure your online accounts and stay safe online, visit https://www.stopthinkconnect.org. 

All of the facts referenced in the Lock Down Your Login campaign can be found in the research fact sheet at https://stopthinkconnect.org/resources/preview/ldyl-research-fact-sheet.