decentral-foundation / options-plan

The foundation of a great startup

Traveling checklist

Secret Key Storage policy

Do not store secret keys on unencrypted filesystems in any situation. If you have a MacBook, you must enable FileVault. We recommend storing backup phrases in secure storage such as a lockbox. You may use Signal (Note to Self) to store API keys and client secrets.

Password Storage policy

Do not store passwords on your development machine filesystem if that directory is connected to a cloud storage system (such as OneDrive or Dropbox). Do not store passwords in emails.

Backup Virtual Authenticator

For all firm accounts that involve crypto assets, financial information such as bank apps, and cloud data storage applications such as GDrive, Notion, OneDrive, and GitHub, you are required to ensure MFA is set up for your accounts. Favor virtual-authenticator-level security over a phone number as the second factor, but be sure to add a phone number as a backup method.

HAVE A BACKUP PHONE

Have multiple phones scan your Google Authenticator QR codes, so that if your device gets lost or stolen you are not blocked. When you scan on one phone, scan on the other phone too. DO NOT SEND YOUR GOOGLE AUTHENTICATOR SEED QR OR BACKUP CODES OVER AN INSECURE INTERNET CONNECTION.

Airbnb

If you are getting an Airbnb, make sure you have 2FA set up for your account. This is important for accounts that you are sharing location data with.

As a good practice, reach out to the Airbnb host ahead of time to confirm that their location is suitable for the trip. One example is a gated entry: keep the code of any electronic pin locks offline. If it is a physical key, ask ahead of time whether you are required to meet them at some location for them to give you the key, or if there is a lockbox, or if you have to talk to the owner of the convenience store 3 blocks over.

Wifi security

When traveling through transit stations, airports, and Airbnbs, be aware of your Wifi connection. Because you do not control the Wifi configuration, it is not recommended to use the host Wifi, especially if the password is shared in the Airbnb description. When in doubt, use your company cellphone hotspot. If your hotspot is not working and you require internet access, do the following in this order: close all sensitive work-related applications (Force Quit on Mac, End Process on Windows), then start the VPN with secure settings, and then connect.

Account cleanliness

At least once a week, designate between 30 and 60 minutes to go through the following.

Go into your mobile or web app settings (typically under Security) and spot check the list of active sessions on:

Version control applications such as GitHub, GitLab

Messaging applications such as Telegram, Slack, Microsoft Teams

Cloud storage accounts such as Drive, Dropbox, Email

If an account has sessions on devices that are unrecognized, file a report and include the necessary media attachments such as screenshots, exported logs, a description, dates of discovery, and the timestamp of initial occurrence.

Report findings to manager

Store a copy for yourself offline

Tip on reconciliation: there may be situations where you detect a false positive. At this point, compare details of the session such as device details, IP address, browser user agent, and mobile device identifiers such as OS version with your previous records.
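The comparison step in that tip, as an added example (not part of this checklist): a small Python script that checks this week's exported sessions against previously recorded devices and flags the ones to report. The field names, the baseline and all session values are constructed sample data; real exports from GitHub, Slack, etc. use their own column names.

```python
# Added example (not part of the original checklist): reconcile an exported list
# of active sessions against previously recorded devices. Field names, the
# baseline and the session export below are constructed sample data; real
# exports from GitHub, Slack, etc. use their own column names.

FIELDS = ("device", "ip", "user_agent", "os_version")

# Previous records: sessions you already verified on earlier spot checks.
KNOWN_DEVICES = [
    {"device": "MacBook Pro", "ip": "203.0.113.10", "user_agent": "Safari/17", "os_version": "macOS 14.4"},
    {"device": "Pixel 7", "ip": "198.51.100.5", "user_agent": "GitHub Mobile", "os_version": "Android 14"},
]

# This week's export of active sessions (constructed; "created" = initial occurrence).
ACTIVE_SESSIONS = [
    {"id": "s1", "device": "MacBook Pro", "ip": "203.0.113.10", "user_agent": "Safari/17",
     "os_version": "macOS 14.4", "created": "2024-04-01T09:00:00Z"},
    {"id": "s2", "device": "Pixel 7", "ip": "198.51.100.77", "user_agent": "GitHub Mobile",
     "os_version": "Android 14", "created": "2024-05-02T18:30:00Z"},
    {"id": "s3", "device": "Windows PC", "ip": "192.0.2.44", "user_agent": "Chrome/124",
     "os_version": "Windows 11", "created": "2024-05-03T03:12:00Z"},
]

def differing_fields(session, known):
    """Fields on which `session` does not match one previously recorded device."""
    return [f for f in FIELDS if session.get(f) != known.get(f)]

def reconcile(sessions, known_devices):
    """Classify each session against the closest previous record.

    recognized:   every field matches a known device
    verify:       exactly one field drifted (e.g. a new IP while traveling);
                  a likely false positive to confirm against previous records
    unrecognized: no close match; report it with the session details
    """
    results = []
    for s in sessions:
        candidates = [differing_fields(s, k) for k in known_devices]
        best = min(candidates, key=len) if candidates else list(FIELDS)
        status = ("recognized" if not best
                  else "verify" if len(best) == 1 else "unrecognized")
        results.append({"id": s["id"], "status": status,
                        "differences": best, "first_seen": s["created"]})
    return results

def to_report(sessions, known_devices):
    """Only the sessions that need a report to the manager."""
    return [r for r in reconcile(sessions, known_devices)
            if r["status"] != "recognized"]
```

Sessions marked "verify" are the candidates for a false positive; the "differences" list tells you which detail to check against your offline copy before deciding whether to file.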

When in doubt, ask a team member for clarification.

Procedure for setting up MFA accounts based on authentication style

Note: depending on the application, it may provide one or multiple combinations of the UI flows listed below. (Phone-number-based MFA is purposely left out, as it is not a strong authentication means; you may be required to register a phone number as a backup option though.)

Accounts that ask for user to provide symmetric keys.

Commonly known in the industry as PINs, passcodes, passphrases, or decryption keys. Choose a PIN that you have not used before. Back it up by writing it to a file offline if there is no recovery option. Note, as a rule of thumb: do not store the backup on any device that currently has, or in the future will have, a synced connection between the file system and the cloud, such as OneDrive, Dropbox, or Google Drive. This is because you may inadvertently forget and grant file system access at some point in the future, which could place your symmetric key on devices that aren't protected by firm antivirus software.

Accounts that ask for user to provide KYC/AML documents

When uploading the KYC/AML document (typically driver's license, passport, etc.) it is

Accounts that prompt user to first copy/download a backup code file then scan a QR code on Google Authenticator, Authy, or similar tools