Lock down your Bluesky account

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. Did a friend share this newsletter with you? You can subscribe on LinkedIn here or through our website here.

First, it’s that time of the year again. Amid elevated threats to press freedom, while Congress also moves to potentially strip away the tax-exempt status of targeted nonprofits, we appreciate your help in rising to the challenge. If you can support us, every bit helps: https://freedom.press/donate/

Bluesky is taking off — but account security is still improving

This month a ballooning number of journalists have migrated to Bluesky, so our team wanted to know about its options for securing accounts. Back in April, Bluesky enabled two-factor authentication, allowing users to require a second piece of information beyond their password to log into their account. While the company says additional forms of 2FA are on its road map, for now the only type available is through a short code sent to your email. Because your email is used both to reset passwords and, by default, to receive 2FA codes, this is not the most secure form of 2FA. This makes the security of your email account especially important.

What you can do

  • We still think any 2FA is better than none, so if you haven’t already, ensure you have 2FA enabled by going to Bluesky’s website, then navigating to “Settings” > “Privacy and security” > “Two-factor authentication (2FA)” and following the instructions. By default, your 2FA codes will be sent to your account email, but you can optionally use a different email for this purpose, which is nice.
  • Speaking of which, make sure your email address itself is properly locked down with 2FA, ideally with an authenticator app or a security key, such as a YubiKey. This is especially important on your primary email address(es) because these are used to recover other accounts. Check out our guide to hardening your accounts with 2FA. It includes a demo of how to set up 2FA with Gmail, but a similar process would work on many other popular email providers as well.
  • We always recommend using a password manager to create long, unique passwords for your accounts. That way, if an account breach happens on one website, the fallout is isolated just to that one website. Read our guide to choosing a password manager.

Updates from our team

  • Speaking of 2FA, when you’re at work, your team probably uses shared accounts. In our most recent advice column, my colleague Davis Erin Anderson walks through considerations for sharing passwords and 2FA codes with your teammates. Read her post.
  • While you’re shopping this month, we have some ideas about gifts for your journalist friends. Read our security gift-giving guide.

Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.

Best, Martin

Martin Shelton, Deputy Director of Digital Security, Freedom of the Press Foundation
