Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Authentication methods

In addition to your password, Login.gov requires that you set up at least one authentication method to keep your account secure. This is multifactor authentication (MFA). We use MFA as an added layer of protection to secure your information.

Authentication methods
We encourage you to add two authentication methods to your account. If you lose access to your primary authentication method (e.g. losing your phone), you’ll have a second option to use to get access to your account. Login.gov is unable to grant you access to your account if you get locked out and/or lose your authentication method. If you get locked out, you’ll have to delete your account and create a new one.

Security
Although you can choose from several authentication options, some authentication methods such as face or touch unlock, security keys, and PIV/CAC cards are more secure against phishing and theft.

Face or touch unlock 

You may need to enable cloud sync on your device if you want to use face or touch unlock to sign in to Login.gov across multiple devices.

Face or touch unlock lets you sign in by using a scan of your face or fingerprint, entering your PIN or pattern, or scanning a QR code. This allows you to authenticate without using a one-time code.

When you choose to set up face or touch unlock, you’ll start by setting up a face- or fingerprint-based credential. This credential will be saved to your device, or to the cloud if you’re using a compatible browser and device.

Assuming your credential is only saved to your device, you must always use the same device and browser to authenticate with Login.gov using face or touch unlock. If your credential is saved to the cloud, you will be able to authenticate using face or touch unlock across multiple devices.

We strongly recommend you add a second authentication method in case you change or lose your device. If you lose access to your only authentication method, you will need to delete your account and create a new one.

Authentication application

Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. While authentication applications are not protected if your device is lost or stolen, this method offers more security than phone calls or text messaging against phishing, hacking, or interception.

If you choose this secure option, follow these steps to download and install one of the supported applications and configure it to work with Login.gov.

  1. Choose a device, such as a computer or mobile device (phone or tablet), on which you can install apps.

  2. Download and install an authentication app to your device. Some popular options include:

  3. Open a new browser and sign in to your Login.gov account at https://secure.login.gov/.
  4. Select “Enable” next to “Authentication app” and follow the instructions to scan or enter a code associating your authentication app with your account.

You will now be able to use the one-time passcodes generated by the application each time you sign in to Login.gov.

Security key

A security key is a physical device that you can connect to your computer or mobile device to add an extra layer of protection to your Login.gov account. It is not the same as a personal key.

Using a security key is more secure than relying on your phone because it has built-in protections against hacking and phishing attacks. Login.gov requires security keys that meet the FIDO (Fast Identity Online) standards.

You can add multiple security keys to your account to secure your account.

Login.gov does not provide users with a security key, so you will need to obtain one on your own to use this secure option.

How do I set up security keys

To use this secure option for Login.gov authentication:

  1. Assign a nickname to your security key so that you can easily identify it with your Login.gov account later.

  2. Insert your security key into your device.

  3. Follow your browser’s instructions to activate your security key. You won’t need to enter a code when using your security key.

Text message / Phone call

Text messages/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers, and other attacks.

If you choose to use this less secure option, enter a phone number at which you can receive phone calls or text messages. If you only have a landline, you must receive your one-time code by phone call. Login.gov cannot send one-time codes to extensions or voicemails.

We will send a unique one-time code to that phone number each time you sign in to your Login.gov account. Each one-time code expires after ten minutes and can only be used once. If you don’t enter the one-time code within ten minutes, request a new code.

After you receive the code, type it into the “One-time code” field. Each time you sign in to Login.gov you’ll have the option of getting a new one-time code by phone call or by text. You will receive a new one-time code each time you sign in to your Login.gov account.

Didn’t receive your one time code?
  • Check that your device is turned on
  • Turn airplane mode off

Remember you need a mobile device to receive a one-time code by text message. If you have a landline, select to receive the one-time code by phone call instead.

You can resend a one-time code by selecting using the “resend code” button

Backup codes (less secure)

Backup codes are an accessible option for users who do not have access to a phone. However, backup codes are the least secure option for two-factor authentication. Backup codes must be printed or written down which makes them more vulnerable to theft and phishing.

If you select this less secure option, Login.gov will generate a set of ten codes. After you sign in with your username and password, you will be prompted for a code. Each code may be used only once. When the tenth code has been used you will be prompted to download a new list. Treat your recovery codes with the same level of care as you would your password.

PIV or CAC for federal government employees and military

Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.

No phone or other authentication method

If you do not have access to a phone, authentication application, security key, or any other authentication option, you can set up your account with only backup codes.

Warning: Setting up your account with backup codes as your only authentication method is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.

When you create your account, you will reach the “Secure your account” page. This is where you must choose your primary authentication method. If you do not have access to any of the other options, select “Backup codes” and click “Continue.”

On the “Add another method” page, select “I don’t have any of the above” and click “Continue.”

Back to top