Skip to main content
Does your agency have an urgent need related to COVID-19 response efforts?
U.S. flag

An official website of the United States government


Which authentication method should I use? uses two-factor authentication (TFA), or multi-factor authentication (MFA), as an added layer of protection to secure your most sensitive information.

Two-factor authentication can be done in multiple ways and each has a different level of security. You can choose between text messages, phone calls, an authentication application, a security key, or backup codes. Government employees can also use their PIV or CAC cards.

We encourage you to review the available options and select the most secure option for you.

More Secure

Security Key

More secure against phishing and hacks with built in protections against theft.

A security key is typically a physical device, like a USB, that you plug into your computer. The key is linked to your accounts and will only grant access to those accounts once the key is plugged in and activated. Since a security key does not rely on your cell phone, it has the highest level of protection against phishing and built in protections against hacking if it is lost or stolen.

More Secure

PIV/CAC for military and federal employees

More secure against phishing and hacks with built in protections against theft.

Physical PIV and CAC smart cards are secure options for military personnel and federal employees. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.

More Secure

Authentication App

More secure against phishing and hacks but with less protection against theft.

Authentication apps are downloaded to your device and generate secure, 6-digit codes you can use to log in to your accounts. Unlike phone calls or text messaging/SMS, a hacker would need physical access to your cell phone in order to use the code.

While authentication apps are not protected if your device is lost or stolen, these apps offer more security than phone calls or text messaging/SMS against phishing, hacking or interception.

Text message/SMS or Phone call

Less secure against phishing, hacks and theft.

Text message/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers and other attacks.

Less Secure

Backup codes

Less secure against phishing, hacks and more subjective to theft.

While backup codes are an accessible option for users who do not have phone access, these codes are the least secure option for two-factor authentication. Backup codes must be printed or written down which makes them more vulnerable to theft and phishing.