TheMurrow

Your Data, Your Rules

A practical guide to owning your digital identity without becoming a security expert—by hardening sign-ins, tightening recovery, and reducing data exposure.

By TheMurrow Editorial
February 13, 2026

Key Points

1. Prioritize passkeys for email and financial accounts to block phishing-by-design and reduce the chance someone can log in as you.
2. Harden recovery pathways—especially primary email and platform accounts—because resets cascade fast when attackers control the inbox or phone number.
3. Minimize exposed personal data by separating roles and limiting phone/address sharing, reducing broker-fueled scams that sound eerily legitimate.

Your digital identity is already being used without you.

Not in the melodramatic sense of a shadowy hacker hunched over a keyboard, but in the far more common way: a password reset link sent to an email account you rarely check, a phone number that quietly became the “master key” to your life, an address history sitting in a broker’s database, ready to be purchased for a few dollars and weaponized for a convincing scam.

For most professionals, the real danger isn’t that someone will “hack” a company’s systems. It’s that someone will log in as you.

The good news is that the defensive tools have improved. You no longer need to be a cryptography enthusiast to get serious protection. Standards bodies, major platforms, and federal guidance have been converging on a simpler idea: stronger authentication that resists phishing, less personal data floating around, and better recovery when things go wrong.

The modern account takeover doesn’t start with code. It starts with a reset.

— TheMurrow Editorial

Owning your digital identity: control, not fantasy

A lot of writing about “owning your digital identity” sounds like a property claim—as if you can plant a flag on the internet and declare sovereignty over your personal data. Readers are smart enough to know that isn’t how the world works.

A practical definition is narrower and more useful. Owning your digital identity means having real control over four things:

1. How you prove you’re you online (authentication).
2. What personal attributes you share (data minimization).
3. Where your information is stored (accounts, devices, brokers).
4. How you recover when something breaks (lost phone, breached email).

That definition comes with an important boundary: you can’t fully “own” your identity in a legal or universal sense. Copies of your data exist in banks, employers, government systems, ad-tech, and data broker warehouses. A realistic goal is reducing exposure and increasing control—especially at the points where identity is verified and accounts are recovered.

What changed lately is not human behavior. People still reuse passwords, lose phones, click convincing messages, and underestimate how much personal information is already public. What changed is the infrastructure around sign-in. Passwordless sign-in and wallet-style credentials are moving from niche to mainstream, and platforms are building better default security so non-experts can benefit.

What “ownership” doesn’t mean

“Ownership” doesn’t mean:

- Your data never exists outside your control
- A single magic app replaces every login
- You can opt out of surveillance capitalism by sheer willpower

A more honest version is incremental: make phishing harder, make resets harder to abuse, and stop unnecessary replication of personal data.

You don’t ‘own’ your identity the way you own a house. You manage risk the way you manage money.

— TheMurrow Editorial

The threat model most professionals actually face

Security advice often fails because it starts with exotic scenarios. Most people don’t need to prepare for a nation-state. They need protection against the ordinary machinery of account takeover.

The highest-frequency failure modes are mundane—and costly.

Credential theft and phishing: the default attack

The most common path into an account is still stolen credentials paired with convincing social engineering. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has emphasized that attackers frequently “log in” rather than exploit software vulnerabilities—and that “legacy MFA” methods like SMS codes or push approvals are increasingly bypassed through social engineering. CISA’s warning matters because it reflects how attacks succeed at scale: not by breaking encryption, but by persuading humans.

Phishing has also become more personalized because personal data is easy to buy. When a scammer knows your workplace, family names, and recent address history, the email doesn’t read like spam. It reads like administration.

Account recovery: the weak link you rarely test

The second failure mode is the one most people don’t model at all: recovery.

If an attacker takes over your email, password resets can cascade. Payroll. Cloud documents. Bank portals. Customer accounts. A single compromised inbox can become a skeleton key because so many services treat email access as proof of identity.

The lesson is uncomfortable: security depends less on the “front door” login and more on the back doors you forget exist.

Data brokers: the accelerant

Data broker exposure turns generic scams into tailored ones. Addresses, phone numbers, family links, and inferred traits can be purchased and used for stalking, doxxing, or targeted social engineering. Even when the broker data is imperfect, it gives attackers enough context to sound legitimate long enough to win a login.

A practical identity strategy prioritizes three outcomes:

- Reduce phishing success
- Reduce reset abuse
- Reduce unnecessary personal data replication

Passkeys: the new baseline for phishing-resistant sign-in

Passwords have survived for decades because they’re simple—until they aren’t. They are easy to steal, easy to reuse, and difficult to manage responsibly across dozens (or hundreds) of accounts. Passkeys exist because the industry finally decided to replace that brittle system rather than endlessly patch it.

Passkeys are based on FIDO/WebAuthn standards. In plain terms: a passkey uses public-key cryptography. The secret part (the private key) stays on your device or in a secure, synced vault and is unlocked with Face ID/Touch ID/PIN; the site only ever stores the matching public key, which cannot be used to sign in. The critical point for readers isn’t the math—it’s the behavior: passkeys are designed to be phishing-resistant because the credential is bound to the legitimate site or app, so a lookalike domain is never offered the credential and cannot obtain a signature the real site would accept.

Adoption isn’t theoretical anymore

Passkeys are no longer a lab experiment. The FIDO Alliance reported in December 2024 that more than 15 billion online accounts can use passkeys. That’s not the number of accounts actually using them; it’s the number technically capable—still a meaningful indicator of ecosystem readiness.

FIDO Alliance consumer research released for World Passkey Day 2025 adds a second lens: 74% awareness and 69% enabling passkeys on at least one account among surveyed consumers. Even allowing for the limits of survey snapshots, the direction is clear: people are trying them.

Google has also brought passkeys into its highest-sensitivity program. In its Advanced Protection Program, Google says passkeys are available for high-risk users as an alternative to physical security keys. That matters because Advanced Protection is designed for people who face concentrated targeting: journalists, activists, campaign staff, executives.

15+ billion: The FIDO Alliance reported (Dec. 2024) that more than 15 billion online accounts are technically capable of using passkeys.

74%: FIDO Alliance consumer research for World Passkey Day 2025 reported 74% awareness of passkeys among surveyed consumers.

69%: The same research reported 69% of surveyed consumers enabled passkeys on at least one account.

A password can be copied. A passkey is meant to be proven.

— TheMurrow Editorial

The tradeoff: usability vs. where you place trust

Passkeys reduce phishing risk sharply, but they introduce a new question: where does your ability to sign in live?

For many readers, the sticking point is cloud syncing. Syncable passkeys are convenient and resilient—lose a phone, buy a new one, and your credentials are still there. Yet convenience shifts part of the trust model to the platform account and its recovery process. The National Institute of Standards and Technology (NIST) explicitly acknowledges syncable authenticators in its current identity guidance suite (SP 800-63-4). Recognition from NIST doesn’t eliminate risk; it signals that syncable approaches can meet modern assurance models when implemented correctly.

CISA offers a bracing comparison: roaming hardware authenticators are generally more secure than platform authenticators, while still emphasizing that any FIDO2 method is superior to legacy authentication. The nuance is worth respecting. For many people, platform passkeys provide the best security they’ll actually use. For the highest-risk, hardware can still be a smart layer.

Platform passkeys: what Apple and Google are really promising

Readers don’t need vague assurances. They need to know what the major platforms claim to protect, and where the remaining risks sit.

Apple: iCloud Keychain and the “circle of trust”

Apple’s support documentation (published September 16, 2024) describes iCloud Keychain passkeys with a clear intent: keep passkeys protected even if iCloud or an Apple Account is compromised. Apple also emphasizes structural guardrails: iCloud Keychain requires two-factor authentication, uses a “circle of trust,” and supports recovery with strict limits—such as attempt limits and an escrow record that can be destroyed after repeated failures (as Apple describes).

Those design choices aim at a specific problem: the attacker who can trick or coerce access to your cloud account. Apple’s message is that passkeys are not merely another file synced to the cloud.

Google: passkey syncing with an extra lock

Google’s September 2024 update on Google Password Manager describes cross-platform passkey syncing and a Google Password Manager PIN that adds a layer protecting end-to-end encrypted passkeys.

The PIN detail matters because it acknowledges the obvious: if your entire identity rests on a single account login, that account becomes the main target. Adding a second secret to unlock encrypted passkeys changes what an attacker would need to steal.

What this means for readers

The practical implication is not to panic about syncing. The implication is to take platform account security seriously because your Apple ID or Google Account increasingly functions like your identity control plane.

If your platform account is protected with a strong, phishing-resistant method, the benefits of passkeys are enormous. If your platform account can be recovered through a weak phone number and an overworked carrier support line, convenience becomes fragility.

Key Takeaway

Passkeys are a major security upgrade—but your platform account (Apple ID/Google Account) becomes your identity control plane. Secure it like it’s critical infrastructure.

Recovery is identity: protect the reset pathways

Account takeover often succeeds not because your login is weak, but because your recovery path is weaker.

A resilient digital identity plan treats recovery settings as first-class security controls, not afterthoughts.

The cascading compromise problem

The sequence is familiar:

1. Attacker gains access to email (phishing, credential reuse, SIM swap, or broker-assisted social engineering)
2. Attacker triggers password resets across important services
3. Attacker changes recovery info, locking you out
4. You spend days proving you’re you—if the service even has a human escalation path

The frustrating part is that many users never test recovery until the worst day to do it.

Practical steps that pay off

You can reduce catastrophic lockouts by hardening a few choke points:

- Secure your primary email first. It is the root of most recovery flows.
- Prefer phishing-resistant sign-in for email and financial accounts. Passkeys or FIDO2 security keys where available.
- Audit recovery methods. Remove old phone numbers, unused emails, and “security questions” with guessable answers.
- Keep a recovery plan offline. A printed list of critical accounts and support URLs can cut chaos when you lose your phone.

None of this is glamorous. It’s also the difference between a stressful afternoon and a multi-week identity disaster.

Recovery hardening checklist

  • Secure your primary email first
  • Prefer phishing-resistant sign-in for email and financial accounts
  • Audit recovery methods (remove old numbers/emails and weak security questions)
  • Keep a recovery plan offline (printed list of critical accounts and support URLs)

Data minimization and broker exposure: the quiet work that matters

The identity conversation often gets stuck on authentication. Authentication is crucial, but it’s not the whole picture. Data minimization reduces the amount of material available for targeted scams and harassment.

Data brokers compile and sell personal information: address history, phone numbers, family connections, and more. That material can be used for doxxing, stalking, or social engineering. Even when a broker dataset is messy, it provides enough plausibility to pressure a target into “just confirming” a code or clicking a “secure document.”

What professionals should take from this

The point is not that you can erase yourself. The point is that you can make yourself harder to profile and harder to pressure.

A few habits help:

- Limit what you share by default. Don’t provide a phone number if an email works. Don’t provide a home address for services that don’t ship anything.
- Separate roles. A public-facing email address (for publishing, speaking, or networking) shouldn’t be the same address tied to banking and payroll.
- Treat your phone number as sensitive. Many systems still treat possession of a number as identity proof. That’s a policy choice, not a law of nature—and it’s often exploitable.

A real-world example, minus the melodrama

Consider a mid-level executive whose name appears on conference agendas and company webpages. A broker listing ties that name to an old address, a spouse’s name, and two phone numbers. A scammer calls pretending to be corporate IT, references the conference travel, and asks the executive to approve a push notification “to stop suspicious activity.” That’s not a technical hack. It’s an ambush built from cheap data and a rushed moment.

Reducing broker exposure won’t eliminate risk, but it can reduce the precision of that ambush.

Key Insight

Data minimization isn’t about disappearing. It’s about denying attackers the context that makes scams feel “administrative” instead of obviously fake.

Choosing the right stack: passkeys, security keys, and sane defaults

Readers want a simple answer: “What should I do?” The honest answer depends on risk and tolerance for friction.

For most people: passkeys as the default

Passkeys offer a strong mix of usability and phishing resistance. Given the FIDO Alliance adoption numbers—15 billion accounts capable, and 69% enabling on at least one account in recent consumer research—passkeys are quickly becoming the normal thing to do, not the nerd thing.

Start with:

- Primary email
- Financial accounts
- Cloud storage
- Any account that can reset other accounts (app stores, password managers)

For higher-risk individuals: consider roaming hardware authenticators

CISA notes roaming authenticators are generally more secure than platform authenticators. For people likely to be targeted—investigative journalists, political staff, dissidents, executives managing sensitive transactions—hardware security keys can add meaningful protection, especially when paired with strict account recovery settings.

Google’s Advanced Protection Program offering passkeys as an alternative to physical keys is instructive: even high-risk programs are making room for passkeys because adoption and usability drive real security outcomes. For some, though, hardware remains the right call.

The meta-lesson: security that you’ll actually use wins

A theoretically perfect system that collapses the first time you switch phones is not a secure system. The best identity setup is the one that:

- Resists phishing
- Survives device loss
- Minimizes reliance on brittle recovery methods

That often means embracing modern, standardized authentication—and taking the recovery layer as seriously as the login layer.

The meta-lesson

The best identity setup is the one you’ll actually use—and that still works after device loss, without fragile resets or guessable recovery paths.

Practical checklist: a weekend upgrade to your digital identity

You don’t need a grand project plan. You need a sequence.

Step 1: Identify your “root” accounts

Make a short list:

- Primary email
- Apple ID / Google Account
- Password manager (if you use one)
- Banking / payments
- Payroll / benefits

Step 2: Turn on passkeys where available

Prioritize email and any account used for resets. Where passkeys aren’t offered, use the strongest MFA available—but recognize, per CISA, that SMS and push-based MFA can be socially engineered.

Step 3: Harden platform account recovery

Because passkeys often live inside platform ecosystems, secure the ecosystem account:

- Review recovery email and phone numbers
- Remove outdated options
- Add stronger sign-in methods where supported

Step 4: Reduce what you hand out

Stop donating personal attributes to forms that don’t need them. Every extra phone number and address is another piece of identity debt.

The safest identity is the one with fewer loose ends.

— TheMurrow Editorial

Weekend upgrade sequence

1. Identify your “root” accounts (email, platform account, password manager, banking, payroll)
2. Turn on passkeys where available (prioritize email and reset-capable accounts)
3. Harden platform account recovery (clean up recovery methods and add stronger sign-in)
4. Reduce what you hand out (minimize phone numbers and addresses on forms)

A daily operational reality, not a policy debate

A decade ago, “digital identity” sounded like a policy debate or a startup pitch. Now it’s a daily operational reality. Your identity is the sum of your sign-ins, your recovery paths, and the scraps of personal data that make you easy to imitate.

You can’t reclaim every copy of yourself scattered across the internet. You can make the version of you that matters—the one that can approve payments, open documents, and reset accounts—far harder to steal.

That’s what owning your digital identity looks like: fewer loose ends, stronger proof, and a recovery story you’ve written before someone else tries to write it for you.
About the Author
TheMurrow Editorial is a writer for TheMurrow covering technology.

Frequently Asked Questions

Are passkeys actually safer than passwords plus SMS codes?

Yes, for the most common attack: phishing. Passkeys are designed to be phishing-resistant because the credential is bound to the legitimate site or app. CISA has also warned that “legacy MFA” like SMS can be bypassed through social engineering. Passkeys reduce the chance you’ll be tricked into handing over something reusable.

If my passkeys sync through iCloud or Google, am I just trusting Big Tech?

Partly, yes—and that tradeoff buys resilience. Syncable passkeys mean you can recover after device loss. Apple (Sept. 16, 2024) and Google (Sept. 2024) both describe additional protections around synced passkeys. NIST’s current guidance suite (SP 800-63-4) acknowledges syncable authenticators, reflecting that modern assurance models include them.

Should I use a physical security key instead?

It depends on your risk. CISA notes roaming hardware authenticators are generally more secure than platform authenticators. If you face targeted attacks or high-value fraud risk, a hardware key can be a strong layer. For many people, platform passkeys provide excellent protection with far less friction—so they actually get used.

What’s the single biggest weakness in most people’s security setup?

Account recovery. Email takeover followed by password resets is a common cascade. People focus on the login screen and ignore the reset process. Securing primary email, tightening recovery options, and using phishing-resistant sign-in methods where possible reduces the odds of a cascading compromise.

Can I “remove myself” from data brokers and stop scams?

You can reduce exposure, not eliminate it. Data brokers often hold address history, phone numbers, and family links that can be purchased and used for targeted social engineering. Minimizing what you share going forward, separating public and private contact points, and treating your phone number as sensitive can reduce the precision of scams.

What accounts should get passkeys first?

Start with accounts that can unlock others: primary email, Apple ID/Google Account, password manager, and financial services. Those are the keys to your identity system. If you protect those well, the rest becomes easier to manage and recover.
