In addition to your password, login.gov requires that you set up at least one secondary authentication method to keep your account secure. This is two-factor authentication (2FA). We use 2FA as an added layer of protection to secure your information.
We encourage you to add two methods for authentication to your account. If you lose access to your primary authentication method (i.e. losing your phone), you’ll have a second option to use to get access to your account. Login.gov is unable to grant you access to your account if you get locked out and/or lose your authentication method.
Although you can choose from several authentication options, some authentication methods such as Security Keys, PIV/CAC cards and authentication applications are more secure against phishing and theft.
Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. While authentication applications are not protected if your device is lost or stolen, this method offers more security than phone calls or text messaging against phishing, hacking, or interception.
If you choose this secure option, follow these steps to download and install one of the supported applications and configure it to work with login.gov.
- Choose a device, such as a computer or mobile device (phone or tablet), on which you can install apps.
- Download and install an authentication app to your device. Some popular options include:
- Open a new browser and sign in to your login.gov account at https://secure.login.gov/.
- Select “Enable” next to “Authentication app” and follow the instructions to scan or enter a code associating your authentication app with your account.
You will now be able to use the one-time passcodes generated by the application each time you sign in to login.gov.
A security key is typically an external physical device, like a USB, that you plug into your computer. The key is linked to your accounts and will only grant access to those accounts once the key is plugged in and activated. Since a security key does not rely on your cell phone, it has the highest level of protection against phishing and built-in protections against hacking if it is lost or stolen.
Login.gov requires security keys that meet the FIDO (Fast Identity Online) standards. You can add as many security keys as you want to secure your account.
To use this secure option for login.gov authentication, plug the key into a USB port and assign the key a name to identify it with your login.gov account. The next step will ask you to activate your key. This is generally done by pressing a button on the key itself.
PIV or CAC for federal government employees and military
Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.
Text message / Phone call
Text messages/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers, and other attacks.
If you choose to use this less secure option, enter a phone number at which you can receive phone calls or text messages. If you only have a landline, you must receive your security code by phone call. Login.gov cannot send security codes to extensions or voicemails.
We will send a unique security code to that phone number each time you sign in to your login.gov account. Each security code expires after ten minutes and can only be used once. If you don’t enter the security code within ten minutes, request a new code.
After you receive the code, type it into the “one-time security code” field. Each time you sign in to login.gov you’ll have the option of getting a new security code by phone call or by text. You will receive a new security code each time you sign in to your login.gov account.
Backup codes (less secure)
Backup codes are an accessible option for users who do not have access to a phone. However, backup codes are the least secure option for two-factor authentication. Backup codes must be printed or written down which makes them more vulnerable to theft and phishing.
If you select this less secure option, login.gov will generate a set of ten codes. After you sign in with your username and password, you will be prompted for a code. Each code may be used only once. When the tenth code has been used you will be prompted to download a new list. Treat your recovery codes with the same level of care as you would your password.
No phone or other authentication method
If you do not have access to a phone, authentication application, security key, or any other authentication option, you can set up your account with only backup codes.
Warning: Setting up your account with backup codes as your only authentication method is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.
When you create your account, you will reach the “Secure your account” page. This is where you must choose your primary authentication method. If you do not have access to any of the other options, select “Backup codes” and click “Continue.”
On the “Add another method” page, select “I don’t have any of the above” and click “Continue.”Back to top