Layered Security Model: Think in Controls, Not in Luck
Crypto security works best as a layered model: if one layer fails (a stolen phone, a phished password, a SIM swap), other layers still prevent account takeover or unauthorized withdrawals. Your goal is to reduce single points of failure by combining: (1) secure devices, (2) strong unique passwords stored safely, (3) strong 2FA, and (4) reliable backups and recovery materials.
Use the checklist below as a baseline. Treat it like a minimum standard before you add more advanced measures.
Baseline Security Checklist (Minimum Standard)
1) Device Updates: Patch First, Then Log In
Most real-world compromises exploit known vulnerabilities. Updates close those holes.
- Enable automatic OS updates on your phone and computer.
- Update browsers (Chrome/Firefox/Safari/Edge) and remove unused extensions.
- Update critical apps: authenticator app, password manager, exchange apps, wallet apps.
- Restart regularly (weekly) to apply pending patches.
Practical step-by-step (phone):
- iOS: Settings → General → Software Update → Automatic Updates → turn on.
- Android: Settings → System → System update → enable auto-download/auto-install if available.
2) Screen Locks: Stop Casual Theft From Becoming Account Theft
A strong screen lock prevents someone who physically has your device from opening your apps, reading your email, or approving logins.
- Use a long PIN (6+ digits; 8+ is better) or an alphanumeric passcode.
- Enable biometric unlock for convenience, but keep a strong PIN as the real barrier.
- Set auto-lock to 30 seconds–2 minutes.
- Disable lock-screen previews for sensitive notifications (2FA codes, email).
Practical step-by-step:
- Set a new PIN/passcode.
- Turn on “Erase data after X failed attempts” if your device supports it and you have backups.
- Enable “Find My” / “Find Device” and remote wipe.
3) Encrypted Storage: Assume Devices Get Lost
Encryption protects data at rest. Modern iPhones and Android phones encrypt storage by default, but the encryption keys are only protected by your lock-screen passcode: with no passcode set, anyone holding the device can read everything. Computers often still require you to turn full-disk encryption on yourself.
- Phone: ensure a passcode is set (the passcode is what ties the encryption key to something a thief does not have).
- Mac: enable FileVault.
- Windows: enable BitLocker (or Device Encryption where available).
- Backups: ensure backups are encrypted (especially computer-based phone backups).
Practical step-by-step (computer):
- macOS: System Settings → Privacy & Security → FileVault → Turn On.
- Windows: Settings → Privacy & security → Device encryption or BitLocker → Turn On.
4) Avoid Rooted/Jailbroken Devices (and “Debloated” ROMs)
Rooting/jailbreaking removes the sandbox and integrity guarantees that keep apps and their secrets apart from each other and from malware. It usually also fails device-integrity attestation, so exchange and banking apps may refuse to run, and it makes it far easier for malware to persist with elevated privileges.
- Do not use rooted/jailbroken devices for crypto accounts.
- Do not install unknown APKs or apps from unofficial stores.
- Do not grant accessibility permissions to random apps (a common takeover method).
Quick self-check: if you can’t receive official OS updates, or you installed a custom ROM, treat the device as untrusted for crypto.
Passwords: Unique, Long, and Stored Correctly
What “Strong Passwords” Actually Means
A strong password is not just complex; it is unique and hard to guess even if attackers know your personal information. The biggest risk is reuse: credentials leaked from one breached site are replayed against email and exchange logins (credential stuffing), so a single unrelated breach can end in an exchange or email takeover.
- Unique per account (email, exchange, password manager, everything).
- Long (16+ characters for generated passwords; 4–6 random words for passphrases).
- Not based on personal info (names, birthdays, favorite teams).
Password Managers: Why They Matter
A password manager helps you generate and store unique credentials without relying on memory or insecure notes. It also reduces the temptation to reuse passwords.
- One strong master password protects the vault.
- Auto-generated passwords for each account.
- Secure notes for recovery codes and backup instructions.
Practical Step-by-Step: Create Unique Credentials and Store Recovery Codes
- Choose a master passphrase you can type accurately: 5–6 random words is a good target. Avoid quotes, lyrics, or common phrases.
- Enable 2FA on the password manager (prefer authenticator app or hardware key).
- Generate a unique password for your primary email account (since email resets everything). Use 20–30 characters if allowed.
- Generate unique passwords for each exchange and any related services (tax tools, portfolio trackers, etc.).
- Store recovery codes (for email, exchanges, password manager) in the password manager’s secure notes and an offline copy (see backup hygiene below).
Example of a generated password (do not copy): vM7!qP2#Lx9@Rk1$Tn6^aZ3
Example of a passphrase style (do not copy): orbit-lantern-velvet-sparrow-cactus
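To make the "16+ characters" and "5–6 random words" targets concrete, the following added example (not part of the original guide) generates both kinds of credential with Python's `secrets` module and computes the entropy each carries. The word list is a constructed eight-word toy; the entropy figures assume a full 7,776-word diceware list, and the guessing rate used for the time estimate is an assumption marked in the code.

```python
import math
import secrets
import string

# Constructed toy word list, for illustration only. A real diceware-style
# list has 7,776 words; the entropy figures below use that size, because a
# passphrase drawn from this 8-word list would be trivially guessable.
SAMPLE_WORDS = ["orbit", "lantern", "velvet", "sparrow",
                "cactus", "harbor", "pebble", "quartz"]
DICEWARE_LIST_SIZE = 7776

# Generator alphabet: 52 letters + 10 digits + 8 symbols = 70 characters.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def passphrase(words, count=6, sep="-"):
    """Pick `count` words uniformly at random. `secrets` uses the OS CSPRNG;
    the `random` module does not and must never be used for credentials."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generated_password(length=24, alphabet=ALPHABET):
    """Uniform random characters from `alphabet`, the way a password manager generates them."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options.
    Only valid for random picks; a hand-chosen phrase has far less."""
    return count * math.log2(choices)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("passphrase :", passphrase(SAMPLE_WORDS))
    print("password   :", generated_password())
    for label, bits in [("6 diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
                        ("24 chars / 70-symbol alphabet", entropy_bits(len(ALPHABET), 24)),
                        ("8 lowercase letters", entropy_bits(26, 8))]:
        # 1e10 guesses/s is an assumed rate for a large GPU rig against a fast hash.
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits, 1e10):.3g} years at 1e10 guesses/s")
```

Six random diceware words come out at roughly 77 bits, which is why the guide treats them as equivalent to a long generated password for a master passphrase you have to type from memory; eight lowercase letters fall under 40 bits and are exhausted in seconds.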
Recovery Codes: Treat Them Like Keys
Many services provide one-time recovery codes when you enable 2FA. These codes can bypass 2FA if you lose your device. If an attacker gets them, they can often take over your account even without your phone.
- Do not store recovery codes in your email inbox.
- Do not screenshot them and leave them in your photo gallery.
- Do store them in an encrypted password manager and an offline backup.
2FA Options: Trade-offs and Best Practices
2FA (two-factor authentication) adds a second proof beyond your password. It’s one of the highest-impact controls you can implement, but the type of 2FA matters.
| 2FA Method | Pros | Cons / Risks | Best Use |
|---|---|---|---|
| Authenticator app (TOTP) | Works offline; widely supported; stronger than SMS and immune to SIM swap | Phone loss can lock you out if the setup secret is not backed up; a phishing site can relay a code to the real site within its 30-second validity window | Default choice for most accounts |
| SMS codes | Easy to set up | Vulnerable to SIM swap, number porting, and carrier attacks; messages can be intercepted | Only if no better option exists |
| Hardware security key (FIDO2/WebAuthn) | Strong phishing resistance; no codes to type; very hard to remotely steal | Costs money; requires compatible devices; must manage spare key | Best for email + exchanges when supported |
Authenticator Apps (TOTP): Practical Setup
TOTP generates time-based codes. To avoid lockouts, you must plan for phone loss.
- Enable TOTP 2FA on the account (email first, then exchanges).
- Scan the QR code with your authenticator app.
- Immediately store the setup secret / backup key if the service provides it (some show a text key). Store it in your password manager secure notes.
- Save the service’s recovery codes offline (see backup hygiene).
- Test: log out and log back in to confirm 2FA works.
Important: If your authenticator app supports encrypted cloud sync, decide deliberately. Sync can improve recoverability but increases reliance on that cloud account. If you use sync, secure the cloud account with a strong password and strong 2FA (prefer hardware key).
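The setup secret in step 3 is the entire 2FA: any device holding it produces the same codes. The following added example (not from the original guide) implements RFC 6238 TOTP with the standard library, shows a "replacement phone" deriving identical codes from the same backed-up base32 key, and shows the server-side drift window that a real-time phishing proxy exploits. The base32 key in `main` is a constructed placeholder, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per code; the value almost every service uses


def totp(setup_secret_b32, unix_time, digits=6, step=STEP):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm behind authenticator-app codes.
    `setup_secret_b32` is the base32 text key shown next to the enrolment QR code."""
    key = base64.b32decode(setup_secret_b32.replace(" ", "").upper())
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(setup_secret_b32, submitted, unix_time, window=1):
    """Server-side check accepting +/- `window` steps of clock drift. The same
    tolerance is what lets a phishing proxy replay a code the victim just typed."""
    for delta in range(-window, window + 1):
        expected = totp(setup_secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def setup_secret_from_bytes(raw):
    """Encode a raw secret the way services display it for manual entry."""
    return base64.b32encode(raw).decode()


if __name__ == "__main__":
    # Constructed placeholder setup key, the kind you would store in the vault.
    backed_up_key = "JBSWY3DPEHPK3PXP"
    now = int(time.time())
    old_phone_code = totp(backed_up_key, now)
    replacement_phone_code = totp(backed_up_key, now)   # same secret, same code
    print("lost phone       :", old_phone_code)
    print("replacement phone:", replacement_phone_code)
    print("server accepts   :", verify_totp(backed_up_key, replacement_phone_code, now))
```

Because the whole scheme reduces to this shared secret, the text key deserves the same handling as a recovery code: encrypted vault plus offline copy, never a screenshot in the photo gallery.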
SMS 2FA: If You Must Use It
If an account only supports SMS, reduce exposure:
- Use a strong account password and ensure email is strongly protected.
- Harden your mobile carrier account: set a port-out PIN, account passcode, and remove weak recovery options.
- Watch for SIM swap signals: sudden loss of service, “SIM changed” notifications, unexpected password reset texts.
Hardware Security Keys: Strong Option for High-Value Accounts
Hardware keys (FIDO2/WebAuthn) are physical devices you tap or insert to approve logins. They are highly resistant to phishing because each credential is bound to the website's domain: the browser, not the user, tells the key which site is asking, so a lookalike domain gets no usable signature even if you tap the key on the fake page.
Practical step-by-step (recommended approach):
- Buy two keys: a primary and a spare.
- Register both keys on your primary email account and exchanges that support them.
- Store the spare key in a separate secure location (not in the same bag as your primary key).
- Keep recovery codes even when using keys.
Tip: Every enabled fallback is also an attack path. If an exchange supports both hardware keys and an authenticator app, use the key for login and keep TOTP only where the platform lets you restrict it to a genuine backup role rather than accepting it as an equal login method. Where no such restriction exists, a registered spare key plus offline recovery codes is the safer backup.
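To show what "bound to the website's domain" means in practice, the following added example (not from the original guide) implements the relying-party checks from the WebAuthn assertion-verification procedure that provide phishing resistance: ceremony type, fresh challenge, browser-reported origin, RP ID hash, and the user-presence flag. The RP ID, allowed origins, and challenge bytes are constructed placeholders. The final step, verifying the signature over `authData || SHA-256(clientDataJSON)` against the public key registered at enrolment, is omitted because the standard library has no public-key cryptography; the checks shown are the ones a phishing site cannot pass.

```python
import base64
import hashlib
import json

# Constructed relying-party configuration (placeholder names, not a real exchange).
RP_ID = "exchange.example"
ALLOWED_ORIGINS = {"https://exchange.example", "https://app.exchange.example"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The origin is filled in by the
    browser from the page actually open; neither the user nor the page can alter it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    The key hashes the RP ID it was asked to use; a lookalike domain yields a different hash."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Relying-party checks that give WebAuthn its phishing resistance.
    Returns (accepted, reason). Signature verification with the registered public key
    over auth_data || SHA-256(client_data_json) is the remaining step, not shown here."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if unb64url(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: key was exercised for a different RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "accepted; signature over authData || SHA-256(clientDataJSON) still to verify"


if __name__ == "__main__":
    challenge = b"\x11" * 32          # constructed; a real RP uses fresh random bytes per login
    # Genuine login from the real site.
    print(check_assertion(browser_client_data(challenge, "https://exchange.example"),
                          authenticator_data(RP_ID), challenge))
    # Phishing: the user tapped the key on a lookalike page. The browser recorded the
    # lookalike origin and the key hashed the lookalike RP ID, so the real RP rejects it.
    phish = "exchange-example.com"
    print(check_assertion(browser_client_data(challenge, "https://" + phish),
                          authenticator_data(phish), challenge))
```

Contrast this with a TOTP code, which carries no information about where it was typed: the relying party cannot tell a code entered on the real site from one relayed by a proxy, which is exactly the gap the origin and rpIdHash checks close.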
Backup Hygiene: Seed Phrases, Recovery Codes, and Physical Resilience
Offline Storage: Keep Critical Secrets Out of Screens
Backups are not only about convenience; they are your last line of defense against device loss, theft, or account lockout. The most sensitive items (seed phrases, recovery codes, backup keys) should be stored offline to reduce exposure to malware, cloud leaks, and accidental sharing.
- Write down seed phrases and recovery codes on paper or engrave/mark them on a durable medium.
- Do not store seed phrases in: photos, email drafts, cloud notes, chat apps, or unencrypted files.
- Do not print at work or on shared printers.
Multiple Physical Locations: Reduce Single-Event Risk
One backup can be destroyed by one event (fire, flood, theft). Use redundancy without increasing exposure.
- Create two offline copies of critical recovery materials.
- Store them in two separate secure locations (e.g., home safe and a second trusted location).
- Do not store both copies together.
Protect Against Fire/Water Damage
Paper is vulnerable to fire and water. Improve survivability:
- Use a fire-resistant and water-resistant container for paper backups.
- Consider a durable backup medium designed to survive higher temperatures and moisture (metal-based storage).
- Use sealed bags (waterproof pouches) inside a safe to reduce humidity damage.
Backup Inventory: What to Back Up (and Where)
| Item | Where to store | Notes |
|---|---|---|
| Password manager master passphrase | Memorized + optional sealed offline reminder | Do not store plainly; if you must, store a hint only you understand |
| Password manager recovery codes | Offline copy + encrypted vault | Offline copy helps if vault access is blocked |
| Email recovery codes | Offline copy + encrypted vault | Email is the reset point for most services |
| Exchange recovery codes | Offline copy + encrypted vault | Needed if 2FA device is lost |
| Authenticator setup secrets (if provided) | Encrypted vault + offline if you choose | Handle like a key; it can recreate your 2FA |
| Seed phrases | Offline only (primary + duplicate in separate location) | Never digitize; treat as highest sensitivity |
Security Rehearsal Exercise: Simulate Losing Your Phone
This exercise tests whether your layers actually work. Do it when you have time and focus. The goal is to confirm you can regain access without weakening protections.
Preparation (Before the Simulation)
- Ensure you have your offline recovery codes available (sealed envelope or secure container).
- Ensure you have access to a second device (spare phone/tablet or a computer).
- Know where your spare hardware key is (if you use one).
Scenario: Your Phone Is Lost or Stolen
Step 1: Contain the damage
- From another device, use your phone’s “Find My” / “Find Device” to mark it as lost and attempt remote lock.
- If you believe it’s stolen, initiate remote wipe when appropriate.
- Change the password of your primary email account (from a trusted device) if you suspect compromise.
Step 2: Restore access to your password manager
- On a trusted computer, sign in to your password manager using your master passphrase.
- Complete 2FA using your spare method (spare hardware key, recovery code, or other configured backup).
- Verify you can view stored recovery codes for email and exchanges.
Step 3: Restore 2FA capability
- If you use an authenticator app without sync: install the authenticator app on a replacement phone and re-enroll accounts using saved backup keys or account recovery processes.
- If you use hardware keys: register the replacement device/browser and confirm the key works for login.
- Use recovery codes only as a bridge to re-establish strong 2FA, then generate new recovery codes.
Step 4: Regain access to email (the reset hub)
- Log in to your email with the password manager.
- Complete 2FA via hardware key/authenticator/recovery code.
- Review account security: recent logins, forwarding rules, recovery email/phone numbers.
Step 5: Regain access to exchanges and verify withdrawal protections
- Log in to each exchange using stored credentials.
- Confirm 2FA is still enabled and is the method you expect.
- Verify withdrawal protections are still enabled (for example: withdrawal address allowlist/whitelist if you use it, withdrawal confirmations, anti-phishing code if supported).
- Check for changes: new withdrawal addresses, API keys you didn’t create, altered security settings.
- If anything looks wrong, freeze withdrawals (if the platform supports it) and contact support immediately.
Step 6: Rotate what might be exposed
- Generate new recovery codes for email/exchanges and replace your offline copies.
- If SMS was involved anywhere, contact your carrier to re-secure the line (port-out PIN, account passcode) and consider migrating away from SMS 2FA where possible.
Rehearsal Checklist (Print-Friendly)
- Can I access my password manager from a second device?
- Do I have a working second factor if my phone is gone (spare key or recovery codes)?
- Can I log into my email and confirm no forwarding rules were added?
- Can I log into each exchange and confirm 2FA is enabled?
- Are withdrawal protections still enabled and unchanged?
- Can I rotate recovery codes and store the new ones offline in two locations?