To keep your Mastodon account extra secure, you can use a feature called “Two Factor Authentication”, also known as “2FA”. When you have 2FA activated, even if someone finds out your password they still cannot log into your account.
How does 2FA work?
2FA usually works through a special app on your phone, tablet or computer which constantly generates special pass codes, often in the form of a six-digit number. These codes are linked to your account, and only your app will generate codes that match your account.
When you want to log into your account, as well as your password Mastodon will also ask you for your 2FA code, which you can find out from your app. It will then log you in.
How do I get a 2FA app?
There are many 2FA apps in all app stores; for example, Aegis and 2FAS are popular 2FA apps. Apple’s keychain also includes 2FA support. The technical name for these apps is “TOTP” (time-based one-time password) or “Authenticator”.
I’ve got my 2FA app, how do I activate 2FA on Mastodon?
- Log into your account on your server’s website or on the web app
- Click ⚙️ Preferences
- Click Account (on the mobile site click ☰ and then Account)
- Click Two Factor Auth (on the mobile site click ☰ again and then Two Factor Auth)
- Follow the instructions, including the part about keeping the backup codes in a safe place
- Seriously, please make sure you do the part about keeping the backup codes in a safe place. This isn’t just nice to do, it’s essential. You will need these backup codes to access your account if you lose your phone.
After you’ve activated 2FA, the next time you log in on Mastodon it will ask for your password and then ask for your 2FA code. Go to the app and find the code, then type this into Mastodon.
Do I need to type a 2FA code in every time I use Mastodon?
No. You only need to use a 2FA code when you log in, so if you stay logged in it won’t ask for the 2FA code.
If I use 2FA, do I have to use Mastodon on my phone?
No! You can continue to use any device you want even if you have 2FA activated. The 2FA app is only there to provide codes, it doesn’t know or care where you type them in. You can use the 2FA codes when logging in on any device such as computers, tablets or even other phones.
What if someone sees my current 2FA code?
It doesn’t matter, because the current 2FA code changes so frequently. Most people set it to change every few minutes or even every 30 seconds. If someone sees your current 2FA code, it will soon change to something else anyway and the old code will be useless to them.
The only codes you need to keep secret are the 2FA backup codes, which you should print out and put in a safe place. These backup codes give you access to your account if the 2FA app stops working for some reason.
What if I lose the phone that has the 2FA app running on it? How will I access my Mastodon account without the 2FA app?
That’s what the backup codes are for, and why you need to keep them in a safe place. If you lose access to your 2FA app for any reason, you can use the backup codes to access your account and switch off 2FA.
What if someone grabs my phone when it’s unlocked, can they access my 2FA codes?
It depends on the app, but probably not. Even when your phone is unlocked, most 2FA apps are still locked by default. To access the app’s codes after your phone is unlocked, you still need to type your phone’s unlock code again, or use fingerprint or facial recognition again.
Is 2FA just for techy people, or can non-techy people use 2FA as well?
Setting up 2FA is slightly tricky, and it will require you to keep a permanent copy of a special code in a safe place, preferably printed out and kept at home with your other important documents. This special code lets you access your account if you lose access to your 2FA app. If you’re not technically minded, you might want to get help from a trusted friend or relative in setting it up. Make sure they are people you trust, as the backup code would allow them access to your account.
However, after it has been set up, 2FA is extremely easy to use: the 2FA app displays a code and you simply type this in when Mastodon asks you to. It’s very simple and becomes second nature quickly.
Does the 2FA app know what I’m doing?
No. 2FA apps have no awareness of anything you’re doing.
The apps just passively display a list of security codes generated from the current time and your unique account keys. They don’t send any data anywhere; the code generation happens entirely offline on your own phone or computer. The apps have no idea if you’re even using the codes.
At a technical level, 2FA apps are essentially just very elaborate clocks, but instead of displaying the time they display ever-changing access codes. Your account’s server also knows what time it is, and that’s how it knows whether your 2FA access code matches up with what it should be.
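As an added illustration (not part of this guide or Mastodon’s own code), here is a small Python version of what the app and the server each compute. It uses the RFC 6238 test key as a constructed demo secret, not a real account secret, and shows why a code that someone glimpsed is rejected once it has rotated.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # each code is valid for one 30-second step
DIGITS = 6          # length of the code the app displays


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None) -> str:
    """What the app shows: HOTP with the counter taken from the clock.
    No network is involved; the secret and the time are all it needs."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // STEP_SECONDS)


def verify(secret: bytes, submitted: str, at_time: int, drift_steps: int = 1) -> bool:
    """What the server does at login: recompute the code for the current step
    (allowing a little clock drift) and compare. A code from an older step is
    rejected, which is why a glimpsed code stops being useful once it rotates."""
    step = at_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step + d), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


def secret_from_base32(text: str) -> bytes:
    """The enrolment QR code carries the shared secret as base32 text."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real account secret.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(key, now)
    print("now:", code, verify(key, code, now), "| 10 min later:", verify(key, code, now + 600))
```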
Is 2FA just for Mastodon, or can I use it for other things?
It’s not just Mastodon! Most major online services nowadays have an option to activate 2FA. For example, most email providers include 2FA support, and using it works just like logging in on Mastodon.
You can use the same app to generate all your codes. Each service gets its own entry in the app with its own code, so your app will show a list of different codes if you use it with many services.
Does Mastodon support using security keys instead of authenticator apps?
Yes! Mastodon’s two factor authentication settings page also includes a section for adding security keys, just click on Security Keys 🔑 Add and follow the instructions. The security key section appears after you have activated a 2FA authenticator app.