• General guidance document: Passkeys: what you need to know
• Press release: NCSC: Leave passwords in the past – passkeys are the future
• Technical paper: Comparing the security properties of traditional user credentials and FIDO2 credentials for personal use

Below are a handful of quotes from the publications. Please note how strongly worded these statements are. And these are from a governmental cybersecurity organization, which is presumably being very intentional with its wording.

From the “what you need to know” document:

“Passkeys are a more secure alternative to passwords that you don’t need to remember as they are created and managed safely by the software on your device(s). […] The NCSC supports the public adoption of passkeys and recommends using passkeys over passwords wherever available.”

From the press release:

“Passwords are no longer resilient enough for the contemporary world.”

“Passkeys should now be consumers’ first choice of login across all digital services, the UK government’s technical authority on cyber security has announced today (Thursday).

Overhauling decades of security practice, the National Cyber Security Centre […] has taken the decision to no longer recommend individuals use passwords where passkeys are available because passwords lack the relative resilience to modern cyber threats.”

From the paper:

“At all stages of a credential’s lifecycle, and against all commonly observed attacks, FIDO2 credentials including passkeys are as secure or more secure than all forms of traditional MFA for individuals.”

Also of note (from the press release):

“Where a particular service does not support passkeys, the NCSC’s advice to consumers is to use a password manager to create stronger passwords and keep using two-step verification.”

If you want to read the paper (or even just the “Summary and recommendations” section at the end of the paper), a few points on terminology might be helpful:

• The word passkey itself is a colloquial term, and its exact usage varies a bit from one case to another.
• FIDO2 credential is a technical term for what would often colloquially be called passkeys.
• When this paper uses the term passkey it is specifically referring to passkeys synced via the cloud. It uses the terms single-device passkey or device-bound FIDO2 credential to refer to what we might think of as passkeys stored on a single device, not synced to the cloud.
• Sync fabric refers to whatever system is being used to store your passkeys in the cloud and sync them across devices (e.g., Apple Passwords, Google Password Manager, etc.).
• Relying party refers to whatever website or app you’re logging into when using a passkey.

Other Recommended Reading/Viewing/Listening

• Causes We Love: Turning Students into Investors (Bogleheads Conference session, in which I interviewed Cole Mattox and and Dylan Ingerman of First Generation Investors)
• Analyzing the Analysis: How Do AI Portfolio Recommendations Hold Up? from Allan Roth
• Can Millennials Count on Social Security? (in which I was interviewed for the How to Money podcast)
• Why Social Security Faces a Financial Reckoning Just a Few Years From Now from Alicia Munnell
• Social Security is Slowing Down. Here’s How to Get Your Benefits On Time from Mark Miller
• 2 Ways to Actually Reduce Smartphone Use from Cal Newport
• Private Assets May Be Coming to Your 401(k). You Should Know the Risks. from Tara Siegel Bernard (NYT)
• IRS Finalizes Deduction Rules for Tips, Adds 3 Eligible Jobs from Martha Waggoner
• Russia Hacked Routers to Steal Microsoft Office Tokens from Brian Krebs (Don’t use an old router!)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

To be clear, there are other brands of security keys, such as the Titan Security Key from Google. I’ll be referring to YubiKeys in this article though simply because that’s what I’m most familiar with.

With multi-factor authentication via email, SMS, or authenticator app, a major threat is that the user can be tricked into giving the multi-factor authentication code to a malicious party.

Another threat with such multi-factor options is the possibility of the code being somehow intercepted (e.g., through SIM swap fraud, as we’ve discussed).

If you have an account for which the only way to log in is with a physical security key, those types of threats are largely eliminated. For a malicious party who is not able to get physical possession of your security key (i.e., almost any remote threat actor), their menu of options for trying to access your accounts is dramatically reduced.

User Experience

The user experience with a security key is going to vary from one website to another. In part that’s because there are, broadly, two different ways in which a security key can be used to log in.

Firstly, there’s the traditional/older method, in which you’d still use a username and password, and the security key would be your method of multi-factor authentication. If using your security key in this manner, to log into a website you would:

• Enter your username and password,
• Connect your security key to your device, then touch the key to activate it.

But security keys (at least modern ones) can also be used for passwordless login (i.e., they can be used to store a passkey or similar FIDO2 credential). In that case, in order to log in you would:

• Enter your username or select an account, if prompted to do so,
• Connect your security key to your device,
• Touch the key to activate it and (if the website requires such) enter the security key’s PIN (discussed below).

With passkeys stored on a security key, you get all the various benefits of passkeys (i.e., phishing protection because they only work on the legitimate domain they were created for, no need for the institution to store a password, easier to use, etc.) and you make the passkeys themselves as secure as possible (i.e., making it as unlikely as possible for a malicious party to be able to use them).

Get More Than One!

If you’re going to use a security key for logging into anything, be sure to buy more than one. If you only have one, and you lose it or it gets damaged, you could be locked out of a bunch of important accounts — permanently in some cases.

Often, three (or possibly even more) is a good idea. One that you use regularly at home, another in a safe at home, and a third in a secure off-site location (e.g., safe deposit box at a bank). That way, even if the two at your home are destroyed (e.g., due to a fire or natural disaster), you still have a backup.

Set Up a PIN (via Yubico Authenticator App)

When using a key for passwordless login, many websites require you to verify yourself on the key (e.g., by entering a PIN). If you haven’t yet set a PIN, you’ll typically be prompted to create one the first time it’s needed.

Personally, after buying a YubiKey, I would encourage you to download the desktop Yubico Authenticator app, so that you can set a PIN (“FIDO2 PIN”) for your key as soon as it arrives at your home.

With regard to selecting a PIN, Yubico notes the following:

“For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all).”

Point being, a PIN doesn’t need password-level complexity. (But still, don’t set it to 123456 or something quite so simple and guessable.)

Generally you’d want to set the same PIN on each of your keys, to reduce the likelihood of getting locked out in an emergency (e.g., you’ve lost your main key, go to the bank to get your backup key, and because it has a different PIN that you rarely use, you can’t remember it). The additional risk from using the same PIN on each is minimal. If a malicious party has one of the keys and has your PIN, the fact that it’s also the PIN to your other keys doesn’t make the situation any worse. Don’t give anybody else your security key or the PIN for your security key.

One last point about setting a PIN: when logging in with the PIN,  you’re attempt-limited, for security’s sake (i.e., so that if somebody manages to get a hold of your key, they can’t simply try over and over to get the correct PIN). If you enter the incorrect PIN 3 times, you’ll have to remove and reconnect the key. After 8 incorrect attempts in a row, the key itself is locked. You don’t have to throw it away, but it will have to be factory reset, in which case all the passkeys stored on the device will be deleted.

Security Keys + Password Managers

When we discussed password managers, we also discussed the common “passwords in a physical notebook” approach to password management. The whole idea behind that approach is that it’s pretty unlikely that somebody is going to get into your house and steal that notebook. And that’s likely true. For most of us, our homes aren’t broken into on a regular basis.

But if you use a password manager and you secure your password manager account with a security key (i.e., your security key is required to log into your password manager), you still have that “somebody would have to steal this physical thing in order to access my passwords” -type of security. Plus, now they’d not only have to steal the physical thing, they’d also have to know the PIN to unlock the security key.

And in addition you get:

• Improved data integrity (i.e., no risk of a coffee spill destroying your record of passwords).
• Improved data availability (i.e., no need to remember to take the notebook with you when traveling).
• The anti-phishing security that results from the password manager not providing a password if you accidentally end up on a fake/malicious lookalike website.
• Secure password sharing for a family.
• The convenience of password auto-fill.
• A secure place to store backup codes for websites.
• A secure place to store fictional answers to “security” questions. (For example, for your auto insurer’s website, when they ask the name of your favorite food, you can store in the password manager that the required answer is “kCbc$A4qjmto4” rather than the true but quite guessable answer of “pizza.”)

What Happens if a Security Key is Stolen?

You should take the physical security of your security keys seriously. Treat them as if they were, very literally, the keys to your accounts. And if you lose one, you should promptly remove that key as a sign-in option from your various accounts (i.e., by signing in via some other method, navigating to your security/sign-in options, and removing the security key that is no longer in your possession).

That said, if one of your security keys is stolen, the thief will probably not be accessing all of your accounts immediately.

Firstly, a thief who has stolen your key would not know, for example, that the key could be used as the multi-factor option for your Vanguard account with username HotBob1972. Even with passkeys stored on the device, access to those credentials is typically gated by user verification (such as a PIN).

Secondly, to use the security key to log into an account, the thief would generally still need either your password (if you were using the key for traditional multi-factor authentication) or the key’s PIN (if you were using the key to store a passkey).

But again, keep those security keys secure (i.e., never give them to anybody else, always be aware of where they’re located rather than leaving them randomly lying around the house). And if you do lose one, promptly remove it as a sign-in option from your various accounts.

Security Key Limitations

Firstly, not all websites allow security keys as a multi-factor authentication method or for passwordless login.

Second, as always, your accounts are only as secure as the least-secure method of accessing the account.

An authenticator app is more secure than SMS or email as a multi-factor authentication method. And a security key is more secure than an authenticator app.

After setting up secure methods, you generally want to remove the less-secure methods of signing in, if the website allows you to do so. (Though again, be sure you have multiple options. If the only way to sign into an important account is with a single physical security key, you’re setting yourself up to be locked out of the account someday.)

Be sure to also examine the account-recovery process for each of your accounts (as distinct from the normal method for signing in). If it’s some insecure method (e.g., a phone call to your mobile phone), the account is still insecure.

Additional Reading

For readers who want additional reading, the following articles from Yubico (the company that makes YubiKeys) may be helpful:

• 10 Things You’ve Been Wondering About a Passwordless World
• A Technical Guide to FIDO2 and Passkeys

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

I only have two more articles planned for the series (hardware security keys and an overall plan to keep yourself and vulnerable loved ones safe), and then we’ll be back to more typical content (though mixing in cybersecurity-related topics here and there, as it really is a core part of personal finance).

In any case, here’s the series so far:

• What Does a Thief Need to Access Your Financial Accounts? It’s Likely Less Than You Think
• It Can Be Easier to Fall Victim to Fraud on Mobile than Desktop
• Authenticator Apps: a Better Multi-Factor Option than Text or Email
• Stop Trying to Remember Your Passwords (And Use a Password Manager Instead.)
• What the Heck are Passkeys? And Should I Be Using Them?

From 2018-2024, losses from cybercrime for people age 60+ went from $649 million to $4.8 billion — a seven-fold increase. (And it’s generally accepted as fact that actual losses are much higher than the reported figures, given that many people never report their losses due to simply not bothering with it or due to feeling embarrassed.)

Last week, the FBI released their annual report with the figure for 2025: $7.748 billion. That’s an increase of roughly 60% in just one year. Here’s what it looks like visually:

And with AI tools being dramatically more powerful this year than last year, I have to imagine the 2026 figure is going to be even worse.

• Cryptocurrency and AI Scams Bilk Americans of Billions from the FBI
• FBI 2025 Internet Crime Report
• Prior years’ reports here, if you’re interested

Other Recommended Reading

• Talking to Mike Piper, Christine Benz about the Pressure of Being Right (and Dealing with Their Own Imposter Syndrome) from Josh Katzowitz
• Wall Street Watchdogs Pull Back Amid Trump’s Deregulatory Push from Nicola White, Katanga Johnson, and J.J. McCorvey
• The Upper Middle Class Trap from Nick Maggiulli
• Creating A Flexible Retirement Date ‘Window’ To Mitigate Sequence And Cohort Risk from Georgios Argyris
• Breakeven Real Rates for Delayed Social Security Claiming from Nathan Dutzmann
• It’s Time to Review Your Beneficiary Designations from Daniel Michaelsen
• Tips for Choosing the Best Healthcare Proxy from Diana Cabrices
• Scott Bessent and Jay Powell Call Meeting with Big Banks to Discuss Cyber Threats from Anthropic’s Latest Model from Samantha Subin and Hugh Son

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

• Confidentiality: access to data should be limited to the appropriate parties.
• Integrity: your data is accurate and has not been tampered with.
• Availability: you have access to the data when you need it.

When most of us think of cybersecurity, confidentiality is primarily what we’re thinking about, but integrity and availability are mission-critical also.

For many people, using a password manager is going to be an upgrade in all three categories, relative to what they’re currently doing.

Confidentiality

Just think of all the different accounts you have, which you would really not want accessed by a malicious party:

• Email accounts,
• Bank accounts,
• Brokerage accounts,
• Credit cards, mortgage lender, or other financial services,
• Credit bureaus,
• MyChart (or other patient portals) for your health care system(s),
• Login.gov,
• Venmo,
• Your providers of health insurance, car insurance, homeowners/renters insurance, umbrella insurance, etc.

The list just goes on and on. And there are probably 100+ other websites with less critical information, but which you’d still prefer somebody else not to access.

For anybody with normal memory capabilities, it’s impossible to remember a unique password for each of those websites.

So, many people resort to one password that gets reused across a bunch of different accounts. This is a train wreck waiting to happen. Credential stuffing is a common form of cyberattack, in which thieves use previously stolen credentials (username/password) on various other accounts. Once your password is stolen, it will be tried on a very long list of other websites. If you reuse the same password on many websites, you now have thieves accessing a whole bunch of your accounts all at once. This is an entirely avoidable scenario, so please don’t let it happen to you.

Alternatively, many people resort to short, easy to remember passwords (e.g., Boglehead123 for their Vanguard account or MagellanLynch1 for their Fidelity account). The problem is that easily remembered passwords are often easily guessed passwords.

The reality that you have to accept at this point is that you aren’t supposed to be able to remember all of your passwords. If you’re still trying to remember them all in your brain, you are almost certainly making major security compromises in order to make that happen.

A password manager allows you to create strong (lengthy and randomly-generated) passwords for each account, which are unique to each account, and it remembers them for you.

Another benefit with respect to confidentiality: a password manager will usually not offer to fill your password if the domain doesn’t match exactly. For instance, if you have a saved username/password for Schwab.com, and someday you accidentally find yourself on a different domain, which is designed to look exactly like Schwab’s website (and thus collect and maliciously reuse your credentials after you enter them), your password manager should not offer to fill your password (because it doesn’t see a saved password associated with the domain you’re currently on).

Integrity and Availability

Some people’s approach to password security is to record all of their passwords in a physical notebook, which is kept in their home. Assuming that the notebook is kept secure, that can do a reasonable job with respect to confidentiality. But that approach often falls short with respect to data integrity. At some point, ink becomes smeared. Or passwords get crossed out with new ones scrunched into the spare space nearby. Legibility declines and we can no longer read the password in question. Or something physically happens to the notebook itself: there’s a fire or natural disaster, or more likely, a beverage is spilled directly onto the notebook.

I’ve also seen that approach fail with respect to availability: whoops, we forgot to bring the notebook with us on vacation. Or your spouse just can’t read your handwriting.

Similarly, I’ve seen people take a post-it note approach to password management (i.e., just sticking post-its on or near their computer with various important passwords). While that approach has confidentiality problems if anybody else ends up near your computer, that approach also can easily fail the availability test if a post-it falls off and gets thrown away.

With a password manager, your passwords will be synced across your devices. As long as you can sign into your password manager, you will have access to your passwords. And no need to worry about your or your spouse’s handwriting.

Password Sharing

Password managers also allow for secure sharing between multiple people (e.g., two spouses on a shared family plan), which has benefits for confidentiality, integrity, and availability.

• Confidentiality: sharing passwords via a password manager is much more secure than sharing them with each other by text, for example.
• Integrity: if one of you updates the password, it will be automatically updated for the other.
• Availability: you can be in different physical locations, while both still having access to your shared passwords.

Which Password Manager?

I’m not going to officially recommend one password manager as opposed to another. Most all-Mac households seem to be happy with Apple’s built-in password manager (known as Apple Passwords on newer devices). 1Password or Bitwarden are also popular and well respected.

LastPass was also very popular, but due to a major breach in 2022, many of the top experts in the field recommend using a different provider. (And if you were using LastPass at the time, you should change every password that was stored in your vault. And if you are still using LastPass even after that breach, you should absolutely change your master password as well.)

As far as the password managers built into Chrome and Edge, opinions vary. Many people consider them to be somewhat of a tradeoff, providing convenience but less security (and fewer features) than a dedicated password manager. Other people argue that the latest versions are meaningfully improved and now essentially as secure as 1Password or Bitwarden.

If you go looking for comparisons of one password manager to another, I’ll just make two observations:

• Many of the articles you’ll find are actually sales pitches in disguise. Many password managers offer “affiliate programs,” whereby they pay a commission to a referring party for each new customer that signs up. If somebody can publish an article that ranks well in search results for “best password manager” or “password manager comparison” — and then the article gets many people to sign up for one of the providers that pays a commission, that can be a substantial revenue stream.
• Among cybersecurity enthusiasts, “should I use Bitwarden or 1Password” is akin to “should I tilt to small-cap value” for Bogleheads. They can talk about it forever, and there are ardent supporters on either side. There are real pros and cons of each. But the key thing to recognize is that either is a heck of a lot better than what many people are doing with their passwords.

Staying Secure with a Password Manager

I want to be clear that simply using a password manager doesn’t in itself make you much safer. Password managers make it convenient to use strong passwords, but if you have existing weak passwords and/or passwords that are reused at a bunch of different places, you have to take the step of updating those passwords to new passwords that are stronger and unique. (The password manager should have a password generator to easily create strong passwords for you.)

It’s also extremely important to recognize that, with a bunch of passwords stored in one place, that one place becomes absolutely mission critical. You need to keep malicious parties out of it. And you need to make sure that you will not be locked out of it.

That means that for your password manager, you want to:

• Use a very strong master password.
• Turn on multi-factor authentication.
• Only use strong methods of multi-factor authentication. (The safest would be a hardware security key such as a YubiKey, of which you have multiples. Hardware security keys will be a topic for another day. But as noted previously, an authenticator app is generally a safer option than MFA by email or SMS.)

When using a password manager, device security becomes even more critical than it would otherwise be. For example, if you take your laptop around with you, and you normally keep yourself signed into your password manager on that device (e.g., via a Bitwarden or 1Password browser extension), you have a very big problem if somebody else gets their hands on that device. For devices that leave your home (or even for devices kept at home, if other people are around on a regular basis), I recommend using a very short screen-lock time, as well as configuring the password manager to lock (thus requiring your master password to be reentered) when the screen locks or the device goes to sleep.

And with respect to not getting yourself locked out, it’s important to recognize that if you forget your master password, many password managers cannot recover it for you. You would be permanently locked out. That’s by design. It’s one part of what makes the system secure. But it means that you should probably have that master password written down on paper somewhere, such as a fireproof safe or in a safe deposit box.

Similarly, your recovery code (which serves as a backup if your normal MFA method is unavailable) should be printed on paper and kept somewhere safe.

If your recovery code and master password are both printed out and kept together in a safe deposit box, this would provide you (or your heirs, when the time comes) with a way to sign into your account.

Password Managers and Passkeys

As discussed previously, passkeys are generally an improvement over traditional passwords, for a variety of reasons (e.g., they’re more resistant to phishing). And your passkeys will generally be stored in a password manager, to be synced across your devices.

As I noted in previous articles though, it’s hard to explain exactly how that works in practice, because it will vary depending on what combination of technology you’re using (i.e., which operating system(s), which browser(s), which password manager(s), and whether or not you’re using hardware security keys such as YubiKey). There are too many possible combinations to give a complete set of answers for everybody.

• Apple Passwords can store passkeys on all Apple devices — and sync them across Apple devices.
• Google Password Manager can store passkeys on any device browsing with Chrome (and sync across all such devices).
• Edge Password Manager can store/sync passkeys on any devices browsing with Edge.
• Third party password managers (e.g., Bitwarden or 1Password) can store passkeys and sync them across devices on which the software is installed (or accessible via an installed browser plugin).

Imagine for instance that you have two devices: a Windows desktop on which you browse exclusively with Chrome and an iPhone on which you browse exclusively with Safari. And you don’t use a third-party password manager. In that case, it would be Google Password Manager storing the passkeys on your desktop and Apple Passwords storing them on your iPhone. And they would not “see” each other’s passkeys. (But even that is okay, because you can just set up multiple passkeys for each website.)

Conversely, if in the above situation you browsed with Chrome on both devices, then Google Password Manager would be syncing the passkeys across the two devices.

Or let’s say you have a desktop Mac and an iPhone. And you use Chrome on both. Then either Apple Passwords or Google Password Manager could be used to store and sync your passkeys. Google Password Manager seems to try to make itself the default when browsing with Chrome, but you can adjust your settings to turn that off (and thus use Apple Passwords) if desired.

And in any of the above cases, if you have a third party password manager (e.g., Bitwarden or 1Password) that you use on all devices, that password manager could instead be used to store/sync passkeys.

But the key things to know are that:

1. It’s okay if you have some passkeys stored in one place and others stored in another place (as in the first example), because you can have multiple passkeys for each website.
2. Anywhere you are storing passkeys and/or passwords should be kept as secure as possible (i.e., using a strong password that is not used elsewhere and using strong multi-factor authentication).

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

As far as how they work behind the scenes (the public key/private key topic), that’s not something that you need to understand deeply (or at all, really) in order to use them and in order for them to improve your security. I simply included it because I know that many of the people who read this blog are the type who do want to understand the mechanics of how things work.

As far as what it’s like (from a user interface perspective) to actually use passkeys, it’s hard to explain universally what the process looks like, because it varies somewhat by website. (For example, when signing into Amazon with a passkey, they still send a 6-digit code by text, whereas most websites will not do so.) And it varies significantly based on what devices/browsers you’re using, as well as based on whether you’re using a separate password manager. For example:

• If you’re an Apple-only household, you browse only with Safari, and you use Apple Passwords to store your passwords, the whole thing will feel pretty seamless, with Apple Passwords storing your passkeys as well.
• If you’re on macOS, browsing with Chrome, and you use Bitwarden password manager, then Apple Passwords, Google Password Manager, and Bitwarden will each want to be the thing that stores your passkeys.

I would encourage you, next time you encounter a website that a) offers the option to use a passkey and b) is a low-stakes website for you so that it does not feel scary, create a passkey and then use that passkey to sign in going forward. Get used to using a passkey on one single website before trying to implement them more broadly.

For me personally, that would be something like target.com or walmart.com. Both of those websites have my name, email, shipping address, and my (not very lengthy nor particularly privacy-sensitive) order history. But neither has stored payment information, neither has my SSN, neither is linked to any financial accounts, etc.

Other Recommended Reading

• The Fallacy of Investing Based on Forecasts from Allan Roth
• An Asset-Liability Mismatch from Ben Carlson
• Dimensional Grafts Vanguard’s Tax-Busting Model Onto Mutual Fund from Katie Greifeld
• What’s Middle Class in NYC? from Ben Carlson
• Private Credit’s Angry Investors Are Showing Its Limits from Paul Davies
• The Best Strategies for Consistent Retirement Spending from Amy Arnott
• How do frontier AI agents perform in multi-step cyber-attack scenarios?
• Banks Are (Trying to Become) Bulwarks for Vulnerable Seniors from Paula Span (NYT)
• The Biggest Benefits Come from Consistency, Not Complicated Programs from the American College of Sports Medicine’s Updated Guidelines for Resistance Training

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

A very short summary is that when signing in with a passkey, the authentication happens on your own device. So if I’m signing in via passkey, my device essentially asks, “hey user, prove to me that you’re the person who is allowed to unlock this device.” Once I do that (e.g., by PIN or fingerprint), the message the device sends to the other institution is basically, “this device has verified the user, and they have access to the passkey for this account.” So it has benefits such as:

• No reusable secret information is being transmitted.
• The institution doesn’t have to store any secret information (i.e., password).
• It has the potential to eliminate the risk of somebody guessing/stealing your password, because somebody would have to be in possession of your device and be able to convince the device that they’re you.
• It’s resistant to MFA-code phishing (such as in the John/Rachel example), because there’s no code to share in the first place.
• It’s also resistant to fake-website phishing attempts (e.g., somebody buying Vamguard.com and putting a site up that looks exactly like Vanguard, with a login page to collect login credentials), because passkeys are tied to a specific domain, so they won’t work on look-alike sites like Vamguard.com.
• It’s (usually) easier to sign in with a passkey than with a password, and passkeys eliminate the hassle of resetting passwords due to forgetting.

How Do Passkeys Work?

When trying to understand how passkeys work, it’s helpful to keep in mind the goal. The goal is to have a system in which a user can sign into a website or app without having to transmit any secret information. All of the secret stuff lives on the user’s own device. And everything that gets transmitted, and any login-related info that’s stored on the website’s server is safe if anybody else sees it.

But how can you log into a website without sending them your password or some other secret information? That is, if you don’t have to transmit any secret information to the website (i.e., if only “public” information is necessary), how can the website make sure that nobody else can sign into your account? To create a system that works in such a way requires fundamentally rethinking the entire process.

And that’s what passkeys do. They solve those problems.

And broadly, the idea is that the “proving you’re who you say you are” process happens locally, on your own device.

We’ll go through it step-by-step (i.e., what happens when you create a passkey, and then what happens when you use that passkey to log in).

But first we have to start with one piece of jargon.

What is a “Challenge?”

In order to understand passkeys, you have to understand what a “challenge” is.

You can think of a challenge as a formalized “who are you, and please prove it” request.

An “unsigned challenge” is what the server sends to you. For example, if you’re on your bank’s website and you click “log in with a passkey” or if you’re already signed in and you click a link to create a new passkey, your bank will send an unsigned challenge to your browser.

And what your device will eventually send back to the server is a “signed challenge” (along with some other information). We’ll get to how a challenge is satisfied (“signed”) in a moment.

For now, one thing to know about a challenge is that each one has a unique identifier (e.g., challenge #203SNA30DNDQ), and each challenge is one-time-use-only. This is a critical security feature. It means that if somebody managed to spy on your transmission (and were thus able to view the signed challenge that you send to the server in order to log in), they would not be able to simply copy that signed challenge and send it to the server themselves in order to log into your account. The server would say, “sorry, this challenge has already been used,” and the fraudulent login attempt would be rejected.

Magic Pen and Magic Magnifying Glass

With “challenge” defined, let’s take a brief detour for an analogy, to explain the other major parts of the passkey ecosystem.

Imagine you have a magic pen. It writes in normal-looking ink. But you also have a magic magnifying glass. When this magic magnifying glass is used to examine something that was written with your magic pen, the ink glows sparkly purple. When it looks at anything written with any other ink (i.e., not written by your magic pen) the ink just looks normal.

There’s no way to “reverse engineer” the magic pen from the magic magnifying glass. In other words, if somebody were to have the magnifying glass, there’s no risk that they could create a copy of your magic pen.

So you give magic magnifying glasses to all of your friends. That way, any of them can see whether a message was really written by you, with your magic pen. Fun! And you can give out as many of these magnifying glasses as you want, because again, nobody can recreate your magic pen just by having one of these magnifying glasses.

What Happens When You Create a Passkey

When you’re signed into a website or app, and you choose to create a new passkey, the server will send your device a new unsigned challenge.

Your device takes that unsigned challenge and creates three new things:

1. A private key.
2. A corresponding public key.
3. A credential ID. This is just a public identifier for the passkey (e.g., your new passkey is passkey #22093948310930).

The private key is the secret thing. The private key lives on your device (or is synced securely across your devices via your Apple/Google/Microsoft account) and is never sent to the server. The private key is your magic pen, and it can be used to sign a challenge.

The public key is unique and linked to the private key. The public key is the magic magnifying glass. It’s essentially a testing tool. When somebody has the public key, they can use it to test the signed challenge to see if it was signed with the private key (magic pen) that corresponds to that public key (magic magnifying glass).

An important point here is that there is no way for somebody to look at a given public key and determine the corresponding private key. So it’s absolutely no problem if somebody were to intercept your public key. Just like with the magnifying glass, you could give out your public key to as many parties as you want, with no security risk.

After your device creates these three things (private key, public key, credential ID), it uses the newly-formed private key (magic pen) to sign the challenge. And it sends the public key, the credential ID, and the signed challenge back to the server. It does not send the private key to the server.

The server then stores the public key and credential ID and associates them with your specific user. (Remember, you’re already logged in before beginning the process of creating a passkey, so it already knows who you are.)

So at this point:

• You have a private key (magic pen) stored on your device.
• And the server has a public key (magic magnifying glass) and a credential ID, both of which are now associated with your user.

What Happens When You Log in with a Passkey

When you initiate the process to log in with a passkey, your device first checks: “Do I have a passkey saved for this app/website?”

This step is itself a valuable security measure. It means that if you ever accidentally visit a fake website (e.g., you fell for the first part of a phishing attempt, clicked the link in the email, and are now on usbamk.com rather than usbank.com), your device will immediately stop the process. It doesn’t have a passkey associated with this domain. Disaster averted. (Though seriously, please don’t click that link in the first place.)

If your device sees that it does have a passkey for the website/app in question, the website/app sends an unsigned challenge to your device.

Your device then goes through some process to satisfy itself that you are you. This might be entering your device PIN or providing some biometric identifier (e.g., fingerprint).

Once your device is satisfied that you are you, it uses the stored private key to sign the challenge.

And your device then sends the signed challenge, the credential ID, and your username to the server. Again, it does not send the private key. (Also note: your PIN/fingerprint is never transmitted to the server either.)

The server then:

1. Checks that the username provided exists in the system,
2. Checks that the credential ID a) exists in the system and b) is linked to the username in question, and
3. Uses the stored public key (magnifying glass) that’s associated with the credential ID in question to test the signed challenge, to make sure that it was signed by the appropriate private key (magic pen).

If all three of those things proceed happily, you’re signed in.

Passkey Limitations

An important issue to be aware of is that, at least as of right now, when websites let you use passkeys, they usually let you sign in using the passkey or a password. So the weak password/stolen password path of attack still works. Ideally we’d see websites that let you implement passkeys and then make it impossible to sign in with a traditional password. But so far, that sounds scary to many users because passkeys are unfamiliar. Hopefully that changes over the coming years as more and more people use them.

In addition, there’s messiness where everybody wants you to use their passkey ecosystem. So if you’re browsing on Chrome on an iPhone, and you visit a website for which you already have a passkey set up (via Apple), Chrome might prompt you to create a new one — which can feel very confusing. Fortunately, you can usually create a bunch of passkeys for the same website, so you can have one for each device/browser combination, for each website.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

1. At one of the spectrum are strategies that spend a certain dollar amount (or more often, a certain dollar amount, which is then adjusted for inflation each year). The classic “4% rule” strategy is in this category. Strategies like this provide for predictable spending but allow for potential portfolio depletion if investment returns are poor (especially in the early part of retirement).
2. At the other end of the spectrum are strategies that spend a percentage of the portfolio each year. Strategies in this category are safer in the sense that they cut spending when portfolio performance is poor and thus reduce/eliminate the possibility of depleting the portfolio. But they can result in dramatic volatility in spending from year to year.

And so there are also hybrid strategies. In an article for Kitces, Michael Woloch recently discussed a “modified RMD” spending strategy. Basing spending on RMDs is a percentage-of-portfolio strategy (though itself a specific subcategory, because the percentage increases each year with age). But here the “modification” is that rather than basing spending on a percentage of the portfolio balance on the final day of the previous year, it’s based on the average portfolio balance of the final days of the last three years, with the result being that spending is less volatile from one year to another.

• Reducing Retirement Income Volatility With The Modified RMD Safe Withdrawal Method from Michael Woloch

Other Recommended Reading

• 10 Rules for Dealing with Uncertainty from Ben Carlson
• Preparing without Predicting from Ben Carlson
• ‘Exploit Every Vulnerability’: Rogue AI Agents Published Passwords and Overrode Anti-virus Software from Robert Booth
• Municipal Water District Loses $3 Million to Phishing Scam from Jack Thurston
• Older Workers Embrace Job Hopping – and It’s Good for Their Retirement Prospects from Geoffrey Sanzenbacher
• The Government Is Trying to Rein in Medicare Advantage Costs. Will It Work? from Alicia Munnell
• IRS Proposes Regulations for Trump Accounts, Pilot Program from Martha Waggoner
• Signal Collapse and the New Proof of Work from Nick Maggiulli
• His Father Lost His Life Savings in a Scam. A Fake Lawyer Offered to Help. from Tara Siegel Bernard (NYT)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

• Email
• SMS (text)
• Authenticator app

Of the three, using an authenticator app is definitely the most secure approach. (Hardware authenticators such as a Yubikey will be a topic for another day.)

The Problem with Email as MFA

Email as the multi-factor authentication method is pretty bad. Just think of how many websites you visit where:

1. Your username is your email address, and
2. When you click the “forgot password” link, they just send an email with a reset password link.

If #1 and #2 are true and you use your email as the multi-factor method, if a thief gets into your email account, they can now access any of those other accounts as well.

Granted, a thief getting access to your email account is extremely bad news as it is. We want to take serious precautions to avoid that scenario. But there’s no reason to make that scenario any more disastrous than it needs to be.

SMS (Text) Isn’t Secure

Using SMS (text) as the multi-factor method is not ideal either.

CISA (the Cybersecurity and Infrastructure Security Agency, which is a component of the United States Department of Homeland Security) put out a document in December 2024 that encouraged people to “migrate away from SMS-based MFA.” They note that “SMS messages are not encrypted — a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.” They also note that SMS is not phishing-resistant (see the John/Rachel example).

SIM-Swap Fraud

Another problem with SMS at the multi-factor authentication method: SIM-swap fraud.

Mobile providers can easily “port” a phone number from one device to another. This is commonly done when a customer switches to a new phone (e.g., to upgrade or because the previous device was lost).

In a SIM-swap fraud:

• The thief gathers personal information about the target. As we’ve discussed, a lot of information is simply purchasable. Other assorted information can often be gathered via social media or online searches (e.g., mother’s maiden name may be findable via an obituary posting).
• The thief then contacts the target’s mobile provider and, with clever conversational skills and a bunch of personal (ostensibly private) information, convinces the company to transfer the target’s phone number to the thief’s device.

And now the thief has access to any MFA codes that come in via text. And again, as discussed recently, in many cases that code is all they need, in order to access various critical accounts.

Your mobile provider probably offers a SIM-swap protection feature. Verizon, T-Mobile, and AT&T all provide it free of charge, but it isn’t activated by default. I would definitely encourage you to turn it on.

Even with SIM-swap protection activated via your mobile provider though, SMS is still not the ideal method for multi-factor authentication, because SMS is not encrypted.

Authenticator Apps

Authenticator apps are more secure than SMS or email as the multi-factor method. The authenticator app is installed on your phone and cannot be accessed remotely (short of your phone itself being infected with malware). To get an MFA code from an authenticator app on your phone, the thief would have to:

• Be in physical possession of your unlocked phone, or
• Convince you to give them the code (which is also a potential failure point of email or text-based MFA). And again this is why we have to be super careful with these codes.

Authenticator apps take a bit of time to get used to, but once you’re used to using one, it’s quite easy. I have found Google Authenticator to be easy to use, but there are many other options as well (e.g., Microsoft Authenticator or Authy).

If you’re new to it, do not worry, regardless of which authenticator app you pick, there will be a ton of intro/walk-through videos on YouTube.

When setting up app-based multi-factor authentication, the website may give you the option to store some backup codes. These codes are to be used in case you lose your phone, so do store them somewhere. But of course make sure it’s somewhere safe (e.g., printing them out and storing in a safe or secure filing cabinet).

Removing Less-Secure MFA Methods

After activating multi-factor authentication by app, you may have to manually turn off multi-factor authentication via SMS/email. For many websites, the default behavior is that, if you already had some other method of MFA set up, after setting up MFA via authenticator app, that previous method will still remain as an option. And we usually don’t want that, because it leaves you vulnerable to exactly the types of attacks discussed above.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

With this software, the user (a would-be thief) types in a URL of a genuine website, and when a target visits a selected scam URL, the software loads up an invisible browser window to collect, in real-time, all of the genuine website’s information, which it then passes through to the victim’s browser window. In other words, from the victim’s perspective, everything looks exactly right, because it is literally the same thing showing in your browser.

But it gets crazier from there. Much crazier. The software also passes every keystroke and action from the victim back to the original website — including the MFA code. So from the victim’s perspective, everything is operating as normal, including all of the functionality after logging in, so as not to set off any mental alarms. But the software is collecting all of that information for the thief. And the thief is now logged in as well.

The software also has a full collection of other features, such as URL masking (i.e., making a fake link look genuine).

And it comes with customer support, regular software updates, and a community forum for users.

The takeaway, again: unless you yourself directly typed the appropriate URL into your browser (e.g., vanguard.com, schwab.com, chase.com, etc.), you might not be on the genuine website.

• Phishing Software as a Service (Complete with Customer Support) from Callie Baron and Piotr Wojtyla

Other Recommended Reading

• Retirees: Should You Take RMDs Early in the Year or Wait? from Christine Benz
• Better Conditions Did Not Yield Better Results for Active Managers in 2025 from Bryan Armou
• Some Things That Didn’t Happen from Ben Carlson
• Can You Live Off Your Dividends? from Ben Carlson
• Fear-Based Frugality Can Harm Your Financial Wellbeing from Rick Kahler
• The Truth About 529s and Financial Aid from Ann Garcia
• This Form of Mental Exercise May Cut Dementia Risk for Decades from Jon Hamilton
• Meta AI Alignment Director Shares her OpenClaw Email-Deletion Nightmare from Hendry Chandonnet
• The Rise of Bratty Machines from Elizabeth Spiers (NYT)

Thanks for reading!

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).

I recently received a very clever phishing attempt by email. (In hindsight, I wish I had taken screenshots prior to deleting it.)

Here’s what it looked like in my inbox:

• From: Vanguard Brokerage Services
• Subject: Your Vanguard statement is ready

Looking at the email via my desktop browser, it was very easy to see that it was a phishing attempt.

Looking at the email on my mobile device, however, there was no immediately obvious sign that the email was not legit. Based on everything immediately visible via my mobile mail app, it looked exactly like a genuine Vanguard email.

Looking at the “From” Field

When I viewed the email on desktop, the “from” field was a dead giveaway. While the “name” of the sender was “Vanguard Brokerage Services,” the email address of the sender was complete gobbledygook. Something like “senderx34x3@xyzpayments.info.” Clearly, that’s not actually Vanguard.

On mobile though, the sender’s email address does not appear immediately (at least not on most mobile mail apps). You just see the name. When viewing the email, there will be somewhere you can tap to display the sender’s email address. But you have to go out of your way to actually do that. And of course the percentage of people who do that with every single email is vanishingly small.

Body of the Email

The text of the email was a character-for-character copy/paste of the real statement-notification emails that Vanguard sends, complete with the appropriate images, branding, etc. Everything looked exactly as you’d expect.

The only thing about it that was wrong is that the links that appeared to point to Vanguard’s login page actually pointed to a scam URL. (That is, the “anchor text” of the link was the appropriate URL, but that’s not where the link actually pointed.)

In other words, it was something like this:

https://vanguard.com/

If you look only at the text of the link itself (the “anchor text”) you’ll think the link is going to take you to Vanguard. But it doesn’t. The link points to ObliviousInvestor.com. On desktop, you can see that easily by hovering over the link. Your browser (usually in the bottom corner) will show you where the link points. (Though even this can be spoofed. So as with the email address, if it looks suspicious, it definitely should not be trusted. But if it looks normal, that doesn’t necessarily tell you that it’s genuine.)

On mobile, however, “hover over” isn’t an option. You can tap a link and hold your finger down, in order to see where the link points. But how many people actually do that for every link they consider tapping? Also, there’s the risk that you tap the link and accidentally take your finger off the screen too early — and now you’ve visited the scam link rather than activating the “preview” functionality.

Browser Location on Mobile

Of course, I did not visit the links in the spam/phishing email. But if I had, I’m confident that the destination page would look exactly like Vanguard’s real login page. Except, of course, it wouldn’t have actually been Vanguard. It would have been a fraudster’s website, set up to collect people’s usernames and passwords as they entered them.

On desktop, at the top of your browser window, you easily see the full URL of the page you’re on. That makes it at least somewhat easier to recognize whether you’re on a legitimate website or not.

On mobile, depending on your browser and device, you often don’t. You might see the first several characters or the last several characters. But you might, for example, have accidentally visited:

vanguard.com-payments-us-vanguard.com

If you only see the beginning or end of that URL, you might think that you’re on Vanguard’s website. But that’s not Vanguard’s website. The actual domain in that URL is “com-payments-us-vanguard.com”, which any old fraudster could have purchased. (The “vanguard” at the start of the URL is a subdomain.)

What To Do

There are a handful of ways to avoid falling for this sort of thing.

Firstly, it’s helpful to actually look at the email address of the sender, even if it’s not immediately displayed in your mobile app. But even that can be spoofed. So while a spammy email address tells you it’s spam, a legit-looking email address does not necessarily tell you it’s genuine.

Secondly, it’s helpful to generally be aware when using mobile that 1) you aren’t seeing as much information as you would via desktop and 2) sometimes the information that you’re not seeing would have been a clear red flag.

Thirdly, if you did end up falling for the email and visiting the link in question, you’d be in better shape if you use passkeys or a password manager (both topics for another day, which we’ll get to). Your passkey would not work on the fake domain. And a password manager would recognize that the domain in question was not actually Vanguard.

But the most effective way to avoid falling for this? It’s the same exact rule that we discussed in the first article in this series! (I promise I’ll move on to other topics soon. But I just want to drive home how critical and valuable this rule is.)

If you receive any inbound communication (whether email, text, or phone call) that purports to be from a company with which you have any sort of account:

• Do not reply.
• Do not give them any information whatsoever.
• Do not click on any links.

Essentially, don’t interact with inbound communications. Instead, if you think it might be genuine and require some sort of response, reach out directly, via trusted means (i.e., either typing the company’s URL directly into your browser or calling the number on the back of your credit/debit card) and ask the company in question about it.

What is the Best Age to Claim Social Security?

Social Security Made Simple: Social Security Retirement Benefits and Related Planning Topics Explained in 100 Pages or Less Click here to see it on Amazon.

Disclaimer:Your subscription to this blog does not create a CPA-client or other professional services relationship between you and Michael Piper or between you and Simple Subjects, LLC. By subscribing, you explicitly agree not to hold Michael Piper or Simple Subjects, LLC liable in any way for damages arising from decisions you make based on the information available herein. Neither Michael Piper nor Simple Subjects, LLC makes any warranty as to the accuracy of any information contained in this communication. The information contained herein is for informational and entertainment purposes only and does not constitute financial advice. On financial matters for which assistance is needed, I strongly urge you to meet with a professional advisor who (unlike me) has a professional relationship with you and who (again, unlike me) knows the relevant details of your situation.

You may unsubscribe at any time by clicking the link at the bottom of this email (or by removing this RSS feed from your feed reader if you have subscribed via a feed reader).