Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Authentication options

In addition to your password, Login.gov requires that you set up at least one secondary authentication method to keep your account secure. This is two-factor authentication (2FA). We use 2FA as an added layer of protection to secure your information.

Secondary authentication
We encourage you to add two methods for authentication to your account. If you lose access to your primary authentication method (i.e. losing your phone), you’ll have a second option to use to get access to your account. If you select text or voice message, you are required to select an additional authentication method. Login.gov is unable to grant you access to your account if you get locked out and/or lose your authentication method. If you get locked out, you’ll have to delete your account and create a new one.

Security
Although you can choose from several authentication options, some authentication methods such as Security Keys, PIV/CAC cards and authentication applications are more secure against phishing and theft.

Face or touch unlock 

Face or touch unlock uses either facial recognition or fingerprints to sign in to your Login.gov account. This option is resistant to phishing. 

You can only use face or touch unlock on a device that supports this feature. You will not see this option in the list of authentication options if your device does not have this capability. We do not store your fingerprints or images. 

Since face or touch unlock is specific to the device and browser, you’ll need to use the same device and browser in the future to sign in using this authentication method. You are required to give your device a nickname to help you remember which device was used. 

We strongly recommend setting up a second authentication method in case you ever change or lose your device. If you lose or change your device and do not have an alternate authentication method selected, you’ll have to delete your account and start over.

Authentication application

Authentication applications are downloaded to your device and generate secure, six-digit codes you use to sign in to your accounts. While authentication applications are not protected if your device is lost or stolen, this method offers more security than phone calls or text messaging against phishing, hacking, or interception.

If you choose this secure option, follow these steps to download and install one of the supported applications and configure it to work with Login.gov.

  1. Choose a device, such as a computer or mobile device (phone or tablet), on which you can install apps.
  2. Download and install an authentication app to your device. Some popular options include:

  3. Open a new browser and sign in to your Login.gov account at https://secure.login.gov/.
  4. Select “Enable” next to “Authentication app” and follow the instructions to scan or enter a code associating your authentication app with your account.

You will now be able to use the one-time passcodes generated by the application each time you sign in to Login.gov.

Security key

A security key is typically an external physical device, like a USB, that you plug into your computer. The key is linked to your accounts and will only grant access to those accounts once the key is plugged in and activated. Since a security key does not rely on your cell phone, it has the highest level of protection against phishing and built-in protections against hacking if it is lost or stolen.

Login.gov requires security keys that meet the FIDO (Fast Identity Online) standards. You can add as many security keys as you want to secure your account.

To use this secure option for Login.gov authentication, plug the key into a USB port and assign the key a name to identify it with your Login.gov account. The next step will ask you to activate your key. This is generally done by pressing a button on the key itself.

PIV or CAC for federal government employees and military

Physical PIV (personal identity verification) cards or CACs (common access cards) are secure options for federal government employees and military personnel. These cards, with encrypted chip technology, are resistant to phishing and difficult to hack if stolen.

Text message / Phone call

Text messages/SMS or phone calls are convenient but are extremely vulnerable to theft, hackers, and other attacks. You are required to select more than one authentication method if you choose text or voice message.

If you choose to use this less secure option, enter a phone number at which you can receive phone calls or text messages. If you only have a landline, you must receive your one-time code by phone call. Login.gov cannot send one-time codes to extensions or voicemails.

We will send a unique one-time code to that phone number each time you sign in to your Login.gov account. Each one-time code expires after ten minutes and can only be used once. If you don’t enter the one-time code within ten minutes, request a new code.

After you receive the code, type it into the “One-time code” field. Each time you sign in to Login.gov you’ll have the option of getting a new one-time code by phone call or by text. You will receive a new one-time code each time you sign in to your Login.gov account.

Backup codes (less secure)

Backup codes are an accessible option for users who do not have access to a phone. However, backup codes are the least secure option for two-factor authentication. Backup codes must be printed or written down which makes them more vulnerable to theft and phishing.

If you select this less secure option, Login.gov will generate a set of ten codes. After you sign in with your username and password, you will be prompted for a code. Each code may be used only once. When the tenth code has been used you will be prompted to download a new list. Treat your recovery codes with the same level of care as you would your password.

No phone or other authentication method

If you do not have access to a phone, authentication application, security key, or any other authentication option, you can set up your account with only backup codes.

Warning: Setting up your account with backup codes as your only authentication method is not recommended. If you ever lose your backup codes, you will not be able to sign in to your account.

When you create your account, you will reach the “Secure your account” page. This is where you must choose your primary authentication method. If you do not have access to any of the other options, select “Backup codes” and click “Continue.”

On the “Add another method” page, select “I don’t have any of the above” and click “Continue.”

Back to top