All email systems are different, but at a high level we recommend the following:
- Do not reuse passwords anywhere. One account, one password.
- Do not use password hints.
- Do not use SMS or voice for 2FA access to your email (unless there is no other option).
- Do not use SMS or voice for password recovery for your email account (even if there is no other option).
- Set up a device-based 2FA solution such as Authy* or Google Authenticator, so that authentication is only possible with the actual phone in hand and not merely the phone number.
- Only ever enter 2FA codes directly on the site they are intended for. Never pass them on to anyone, and never approve a Google prompt or Microsoft Authenticator notification, even if you have previously been contacted and told to expect that 2FA request.
* Although Authy asks for a phone number to ease setup, by default it does not allow the account to be moved to a different physical phone, even if the phone number has not changed. This restriction should not be lifted (by enabling Multi-Device 2FA) except for the short period in which a new device is deliberately being added (such as the Chrome app or a second known phone), after which it should be disabled again immediately.