We want to make sure it’s actually you trying to access your accounts.
The identity protection process we use is called “two-factor verification.” When someone tries to log in to your accounts, the two-factor verification system kicks in and sends you a security code. (You get to choose how you’d like to receive the code, based on the contact information that’s currently set up on your account.) When you receive the security code, enter it in, and then your accounts will show. (The security code expires in 10 minutes, so you can’t use a previous code.) Even if someone has gotten hold of your username and password, that person probably doesn’t have physical access to your phone, mobile device, or computer to receive the security code. And without that access, they cannot get into your accounts.