Check. I was thinking not of the LastPass reset email, but of all the accounts where your account email is your password reset email, and all the places where you can't have 2FA (Amazon is a major one that has CC info but no 2FA for the main Amazon store, just AWS). Any email address being used as a password reset for things like that should have 2FA.
Which raises the question... which places do I care about and which ones don't I? I realize that depends. If you have a Twitter account worth $50K, then you need to protect it.
http://gizmodo.com/how-i-lost-my-50-000-twitter-username-1511578384
If, like me, you hardly ever post and couldn't care less if you lose it, why bother?
But I think a lot of people think that about say their personal email, forgetting that you can use it to get a password reset from your bank, which then gives them the keys to your financial kingdom. Or in the case of the Twitter guy, he didn't think his DNS settings on a domain he was only using to route email really mattered that much.
So... things that need to be locked down
- your password manager
- your email accounts that are linked to anything sensitive or linked to anything that is linked to something sensitive (banking).
- DNS
- server admin/hosting
- financials - banking, investments, pension funds
What am I missing? So many of these accounts still don't have any additional verification, and in some cases the additional verification is an emailed code, so if your email goes, you're screwed.
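As an added example (not part of the comment above, and not anyone's real account setup): the "email resets the bank, DNS resets the email" chain is just reachability in a graph, so it can be checked mechanically. The account names, reset relationships and 2FA assignments below are constructed for illustration. The script computes the blast radius of losing any one account, which accounts can be used as a stepping stone to a given target, and what changes when a non-email second factor is added to the email account.

```python
"""Model password-reset dependencies between accounts and find the
accounts whose loss cascades the furthest. Constructed example data."""
from collections import deque

# Hypothetical accounts. Each key is an account; the value lists the accounts
# that can be taken over once the key is compromised, because they use it as
# their password-reset path (DNS controls MX records, email resets the rest).
RESETS = {
    "registrar":        ["personal_email"],
    "personal_email":   ["bank", "broker", "amazon", "twitter",
                         "password_manager"],
    "password_manager": ["bank", "broker", "amazon", "twitter",
                         "registrar", "hosting"],
    "hosting":          ["company_site"],
    "bank": [], "broker": [], "amazon": [], "twitter": [], "company_site": [],
}

# Accounts whose reset/login path requires a second factor that is NOT an
# emailed code (authenticator app or hardware key). An emailed code is not
# counted, since it collapses back onto the email account.
STRONG_2FA = {"password_manager", "broker"}


def blast_radius(start, resets=RESETS, strong_2fa=STRONG_2FA):
    """Set of accounts an attacker ends up controlling after fully
    compromising `start` (the start itself is assumed lost, 2FA or not)."""
    owned = {start}
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        for child in resets.get(acct, []):
            # A real second factor stops the reset chain at this node.
            if child in owned or child in strong_2fa:
                continue
            owned.add(child)
            queue.append(child)
    return owned


def exposure_of(target, resets=RESETS, strong_2fa=STRONG_2FA):
    """Every other account whose compromise eventually yields `target`;
    these are the accounts that must be locked down to protect it."""
    return {a for a in resets
            if target in blast_radius(a, resets, strong_2fa)} - {target}


def rank_by_blast_radius(resets=RESETS, strong_2fa=STRONG_2FA):
    """Accounts ordered from widest to narrowest cascade on compromise."""
    return sorted(resets, key=lambda a: (-len(blast_radius(a, resets,
                                                            strong_2fa)), a))


if __name__ == "__main__":
    for acct in rank_by_blast_radius():
        print(f"{acct:17s} -> {sorted(blast_radius(acct))}")
    print("accounts that can reach bank:", sorted(exposure_of("bank")))
    # What adding an authenticator/hardware 2FA to the email account buys:
    hardened = STRONG_2FA | {"personal_email"}
    print("registrar loss with 2FA on email:",
          sorted(blast_radius("registrar", strong_2fa=hardened)))
```

In this constructed setup the password manager and the registrar cascade the furthest, and the bank is reachable from three accounts that are not the bank. Putting a non-email second factor on the email account alone shrinks the registrar compromise to just the registrar.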