Using Two Factor Authentication (2FA) on Mastodon

To keep your Mastodon account extra secure, you can use a feature called “Two Factor Authentication”, also known as “2FA”. When you have 2FA activated, even if someone finds out your password, they still cannot log into your account.

How does 2FA work?

2FA usually works through a special app on your phone, tablet or computer which constantly generates special pass codes, often in the form of a six-digit number. These codes are linked to your account, and only your app will generate codes that match your account.

When you want to log into your account, as well as your password Mastodon will also ask you for your 2FA code, which you read from your app. It will then log you in.

How do I get a 2FA app?

There are many 2FA apps in all app stores; Aegis and Raivo, for example, are popular 2FA apps. Apple’s keychain also includes 2FA support. The technical name for these apps is “TOTP” or “Authenticator”.

I’ve got my 2FA app, how do I activate 2FA on Mastodon?

  1. Log into your account on your server’s website or on the web app
  2. Click ⚙️ Preferences
  3. Click Account (on the mobile site click ☰ and then Account)
  4. Click Two Factor Auth (on the mobile site click ☰ again and then Two Factor Auth)
  5. Follow the instructions, including the part about keeping the backup codes in a safe place

After you’ve activated 2FA, the next time you log in on Mastodon it will ask for your password and then for your 2FA code. Go to the app and find the code, then type it into Mastodon.

Do I need to type a 2FA code in every time I use Mastodon?

No. You only need to use a 2FA code when you log in, so if you stay logged in it won’t ask for the 2FA code.

What if someone sees my current 2FA code?

It doesn’t matter, because the current 2FA code changes so frequently. Most people set it to change every few minutes or even every 30 seconds. If someone sees your current 2FA code, it will soon change to something else anyway and the old code will be useless to them.

The only code you need to keep secret is the 2FA’s backup code, which you should print out and put in a safe place. This backup code gives you access to your account if the 2FA app stops working for some reason.

Is 2FA just for techy people, or can non-techy people use 2FA as well?

Setting up 2FA is slightly tricky, and it will require you to keep a permanent copy of a special code in a safe place, preferably printed out and kept at home with your other important documents. This special code lets you access your account if you lose access to your 2FA app. If you’re not technically minded, you might want to get help from a trusted friend or relative in setting it up. Make sure they are people you trust, as the backup code would allow them access to your account.

However, after it has been set up, 2FA is extremely easy to use: the 2FA app displays a code and you simply type this in when Mastodon asks you to. It’s very simple and becomes second nature quickly.

Does the 2FA app know what I’m doing?

No. 2FA apps have no awareness of anything you’re doing.

The apps just passively display a list of security codes generated from the current time and your unique account keys. They don’t send any data anywhere; the code generation happens entirely offline on your own phone or computer. The apps have no idea if you’re even using the codes.

At a technical level, 2FA apps are essentially just very elaborate clocks, but instead of displaying the time they display ever-changing access codes. Your account’s server also knows what time it is, and that’s how it knows whether your 2FA access code matches up with what it should be.

Is 2FA just for Mastodon, or can I use it for other things?

It’s not just Mastodon! Most major online services nowadays have an option to activate 2FA. For example most email providers include 2FA support, and using it works just like logging in on Mastodon.

You can use the same app to generate all your codes. Each service uses a different code, and your app will generate a list of different codes if you use it on many services.
