Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Authentication methods

In addition to your password, Login.gov requires that you set up at least one authentication method to keep your account secure. This is multifactor authentication (MFA). We use MFA as an added layer of protection to secure your information.

Authentication methods
We encourage you to add two authentication methods to your account. If you lose access to your primary authentication method (e.g. losing your phone), you’ll have a second option to use to get access to your account. Login.gov is unable to grant you access to your account if you get locked out and/or lose your authentication method. If you get locked out, you’ll have to delete your account and create a new one.

Security
Although you can choose from several authentication options, some authentication methods such as face or touch unlock, security keys, and PIV/CAC cards are more secure against phishing and theft.

Face or touch unlock 

You may need to enable cloud sync on your device if you want to use face or touch unlock to sign in to Login.gov across multiple devices.

Face or touch unlock lets you sign in by using a scan of your face or fingerprint, entering your PIN or pattern, or scanning a QR code. This allows you to authenticate without using a one-time code.

When you choose to set up face or touch unlock, you’ll start by setting up a face- or fingerprint-based credential. This credential will be saved to your device, or to the cloud if you’re using a compatible browser and device.

Assuming your credential is only saved to your device, you must always use the same device and browser to authenticate with Login.gov using face or touch unlock. If your credential is saved to the cloud, you will be able to authenticate using face or touch unlock across multiple devices.

We strongly recommend you add a second authentication method in case you change or lose your device. If you lose access to your only authentication method, you will need to delete your account and create a new one.

Authentication application

Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. While authentication applications are not protected if your device is lost or stolen, this method offers more security than phone calls or text messaging against phishing, hacking, or interception.

If you choose this secure option, follow these steps to download and install one of the supported applications and configure it to work with Login.gov.

  1. Choose a device, such as a computer or mobile device (phone or tablet), on which you can install apps.

  2. Download and install an authentication app to your device. Some popular options include:

  3. Open a new browser and sign in to your Login.gov account at https://secure.login.gov/.
  4. Select “Enable” next to “Authentication app” and follow the instructions to scan or enter a code associating your authentication app with your account.

You will now be able to use the one-time passcodes generated by the application each time you sign in to Login.gov.

Security key

A security key is typically an external physical device, like a USB, that you plug into your computer. The key is linked to your accounts and will only grant access to those accounts once the key is plugged in and activated. Since a security key does not rely on your cell phone, it has the highest level of protection against phishing and built-in protections against hacking if it is lost or stolen.

Login.gov requires security keys that meet the FIDO (Fast Identity Online) standards. You can add as many security keys as you want to secure your account.

To use this secure option for Login.gov authentication, plug the key into a USB port and assign the key a name to identify it with your Login.gov account. The next step will ask you to activate your key. This is generally done by pressing a button on the key itself.

Text message / Phone call

Text messages/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers, and other attacks.

If you choose to use this less secure option, enter a phone number at which you can receive phone calls or text messages. If you only have a landline, you must receive your one-time code by phone call. Login.gov cannot send one-time codes to extensions or voicemails.

We will send a unique one-time code to that phone number each time you sign in to your Login.gov account. Each one-time code expires after ten minutes and can only be used once. If you don’t enter the one-time code within ten minutes, request a new code.

After you receive the code, type it into the “One-time code” field. Each time you sign in to Login.gov you’ll have the option of getting a new one-time code by phone call or by text. You will receive a new one-time code each time you sign in to your Login.gov account.

Didn’t receive your one time code?
  • Check that your device is turned on
  • Turn airplane mode off

Remember you need a mobile device to receive a one-time code by text message. If you have a landline, select to receive the one-time code by phone call instead.

You can resend a one-time code by selecting using the “resend code” button

Backup codes (less secure)

Backup codes are an accessible option for users who do not have access to a phone. However, backup codes are the least secure option for two-factor authentication. Backup codes must be printed or written down which makes them more vulnerable to theft and phishing.

If you select this less secure option, Login.gov will generate a set of ten codes. After you sign in with your username and password, you will be prompted for a code. Each code may be used only once. When the tenth code has been used you will be prompted to download a new list. Treat your recovery codes with the same level of care as you would your password.

PIV or CAC for federal government employees and military

Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.

No phone or other authentication method

If you do not have access to a phone, authentication application, security key, or any other authentication option, you can set up your account with only backup codes.

Warning: Setting up your account with backup codes as your only authentication method is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.

When you create your account, you will reach the “Secure your account” page. This is where you must choose your primary authentication method. If you do not have access to any of the other options, select “Backup codes” and click “Continue.”

On the “Add another method” page, select “I don’t have any of the above” and click “Continue.”

Back to top