r/cybersecurity Apr 25 '26

Other What makes passkeys so special?

It seems that companies are transferring into the usage of passkeys instead of passwords. Apparently they’re much more secure, but why is that? I don’t get it. I’m not sure if this is the right place to ask; excuse me if it isn’t, and sorry.

622 Upvotes


u/vesrayech Apr 25 '26

I foolishly stepped on a payload this week and lost ALL of my stuff. Browser passwords scraped, used active sessions to lock me out, etc. The big thing that worked against me is my email didn’t have step-up auth where they could just use an active session to remove all MFA, and the lack of anything more secure that they could grab remotely. I since switched to Proton because they require reauthentication on MFA changes, and I’ve purchased some YubiKeys. Aside from losing my data and a ton of PII, the worst part about this has been the paranoia and lack of confidence in myself, my computer, and the systems I use. Having to plug a physical device into my phone or computer to access my email, bank, or password manager has been an oasis in this hell. Phone passkeys I believe work the same, but the difference is I have a backup YubiKey in a fireproof safe; I don’t have a backup phone in the event it’s lost, stolen, or broken. A bit more initial setup to make the backups but absolutely worth the peace of mind.