Securing your email address

Keeping the email account registered to your DSF account safe is the single most important thing to secure your account. This is because someone with access to your email account can potentially gain access to your DSFR account.

With access to your email account an attacker can:

Request your username.

Reset your password (can be prevented if you enabled a Master Key).

Request to bypass your Two-factor Authentication (2FA) method (requires your Master Key).

Change the email address registered on your DSFR account.

What can I do to keep my email safe?

1. Use a strong and unique password

Your password should be randomly generated, longer than 16 characters, and preferably generated and stored by a password manager. It must not be shared between multiple services. No matter how complex your password is, if you use the same password on different platforms, your risk having your password compromised on a poorly protected site and reused on all your accounts.

A password manager is a tool that creates and stores passwords for you, so you can use different passwords on different sites and services without having to memorize them.

They generate strong and complex passwords that humans are unlikely to guess.

For more about password managers, see the Electronic Frontier Foundation’s (EFF) resources on password security.

2. Add Two-factor Authentication

The most effective method is to enable 2FA on your email account. When 2FA is enabled, any sign-in attempt on your account requires an extra passcode to be entered in addition to the username and password. This extra passcode is usually stored in an app on your phone and is regenerated every 30 seconds. It is also possible to use a security key such as a YubiKey.

We strongly recommend that you use a non-SMS 2FA method on your email account. Read more about why in our security advisory on mobile phones.

For a list (not maintained by us and may be incomplete) of email providers that support 2FA, click here. If you are not sure if your email provider supports 2FA, check their help documentation or contact their support staff.

3. Turn off email recovery options

Many email providers offer options to recover access to your email account in case you get locked out or forget your password. Often they allow you to set up a secondary email account for recovery or use the phone number registered to receive an SMS or phone call. Both of these options can be abused and we strongly recommend not setting either of them up.

You would be surprised how easy it is to clone a SIM card or for an imposter to call your phone service provider and convince an agent they are speaking with you. If you have your phone number registered on the email account, remove it or turn it off as a recovery option.

See our Security advisory for mobile phones for more details.

4. Check account settings and activity

Check your email settings to make sure that nobody has set up email forwarding to another email address that you are not aware of it.

Check your recent email account activity and details of all sign-ins. In your account activity overview, you may be able to see if anyone else is signed into your account.