To keep your Mastodon account extra safe, you can activate 2FA by logging in through your server’s website, going to ⚙️ Preferences > Account > Two Factor Auth, and then following the instructions.
Activating 2FA means that even if someone finds out your password they still cannot log into your account, as logins will also require the code from your 2FA app or physical security key. The 2FA code from an app will change each time you log in, so only someone with access to your 2FA app or key can log into your account. 2FA apps are available for all types of phones and computers.
You only need to use a 2FA app when you log in, so if you stay logged in it won’t ask for your 2FA.
Setting up 2FA is slightly tricky, and it will require you to keep a permanent copy of a special code in a safe place, preferably printed out and kept at home with your other important documents. This special code lets you access your account if you lose access to your 2FA app or key. If you’re not technically minded, you might want to get help from a trusted friend or relative in setting it up. Make sure they are people you trust, as the backup code would allow them access to your account.
Once it has been set up, 2FA is extremely easy to use: the 2FA app displays a code and you simply type this in when you log in with your normal password.
There are many, many apps that work with 2FA on Mastodon. For example, Raivo and Aegis are popular. Apple’s keychain also includes built-in 2FA support. The technical name for these kinds of apps is “TOTP” or “Authenticator”, and you may see them listed under these keywords in your favourite app store.
Also, just to make clear, 2FA apps do not know what you are doing with them. They just passively display a list of security codes based on a particular timestamp and account keys. 2FA apps are essentially elaborate clocks, but instead of displaying the time they display ever-changing access codes. Your account’s server also knows what time it is, and that’s how it knows whether your 2FA access code is correct at the moment you log in.