Questions: Online Account Management

With 2FA enabled, a password alone is insufficient. An authenticator app generates time-based codes on your physical device — to log in, an attacker would also need your phone in hand. This is the core protection 2FA provides: even if they obtain your password (something you know), they cannot proceed without the second factor (something you have). Remote attacks that steal passwords are stopped cold.

SMS 2FA is better than no 2FA, but it has a known vulnerability: SIM swap attacks, where an attacker convinces your mobile carrier to transfer your phone number to a device they control. They then receive your SMS codes. Authenticator apps generate time-based codes locally using a cryptographic seed — an attacker needs physical possession of your device. This is a meaningful security difference, especially for high-value accounts.

Answer: True

Email is the master key to your digital identity. If an attacker compromises your email account, they can trigger 'forgot password' resets for every other account you own — banking, social media, shopping, and more. Protecting email with 2FA matters more than 2FA on any single downstream account.

Answer: False

Inactive accounts remain security liabilities. When a service gets breached, your old username and password combination gets exposed. Attackers use those credentials in 'credential stuffing' — automatically testing them against active services (banking, email, etc.). Old accounts also retain personal data that can be misused. Deleting unused accounts reduces your attack surface even if you never think about those accounts anymore.

Security in layers means each factor eliminates a category of attack. A strong password stops guessing attacks. 2FA stops remote attacks that obtain the password by other means. Together they require an attacker to both know your secret AND physically possess your device — a far higher bar that eliminates the vast majority of real-world account compromises.