Two-step authentication, also known as two-factor authentication (2FA), adds an extra layer of security to your Mozilla account. Even if someone gets hold of your password, they won’t be able to access your account without a second factor of authentication. This second factor ensures that your account stays protected, even in the case of compromised credentials. By enabling 2FA, you greatly reduce the risk of unauthorized access, helping keep your personal data and browsing history safe.
How to set up two-step authentication
- Sign in to your Mozilla account and enable two-step authentication in the security section.
- Set up an authenticator app. Use a trusted app like Google Authenticator (Android, iOS & macOS) or Twilio Authy Authenticator (Android, iOS & macOS) to generate codes for signing in, and be sure to download your backup authentication codes.
- For more information on enabling two-step authentication, head over to Set up two-factor authentication on your Mozilla account.
Recovery options for two-step authentication
If you lose access to your authenticator app or device, recovery methods ensure you can regain access to your account.
Backup authentication codes
When you set up 2FA, you’ll receive a set of 10-character backup authentication codes to save in a secure location. Each code can be used once to sign in to your account if you lose access to your authenticator app. These codes are not to be confused with a recovery key (related to sync data recovery) or the one-time codes sent by email or SMS.
- How to access: You can view and download your backup authentication codes when you set up two-step authentication. If you lose access to these codes, you can get new codes from your account settings.
- Pro tip: Store these codes in a secure location such as a password manager or a physical safe.
Recovery phone
A new optional feature, initially available to users in the US and Canada, allows you to add a recovery phone number to your account. If you lose access to your authenticator app, you can request a one-time password (OTP) via SMS to regain access to your Mozilla account.
This feature is experimental and is being introduced to the Firefox user base through a progressive rollout. It may not yet be available to all users.
- How to add a recovery phone:
  - Sign in to your Mozilla account and go to the security settings section.
  - Add a phone number and verify it by entering the OTP sent to your phone.
- Important: Recovery phone numbers should belong to you and remain up-to-date to ensure access.
Comparing recovery methods for two-step authentication
Feature | Backup authentication codes (Safest) | Recovery phone (Easiest) |
---|---|---|
Setup requirement | Required and automatically provided during two-step authentication setup | Manually add and verify phone number from account settings |
Availability | Global | Canada and USA only |
Usage | One-time use per code | One-time use per code |
Ease of access | Requires access to pre-stored codes, risk of losing the codes | Convenient if phone available, but requires active network connection |
Security | Risk if codes lost or stored in unsecured location | Vulnerable to SIM swap attack |
Understanding SIM swap risk
SIM swap attacks occur when a malicious actor convinces your mobile carrier to transfer your phone number to their SIM card. Once they have control of your phone number, they can intercept messages, including one-time passwords (OTPs), used for account recovery. This makes phone-based recovery methods more vulnerable than offline options like backup authentication codes.
To mitigate SIM swap risks, ensure your mobile carrier account is secured with a strong password and, if available, its own two-step authentication (2FA).
Most major cellular providers publish steps you can take to protect your devices on their help centers. You can find a few below.
- AT&T: Secure Your Mobile Number to Reduce SIM Swap Scams | AT&T Cyber Aware
- Verizon: What is a SIM Swapping Scam? Protect Your Device Against SIM Hackers
- T-Mobile: Protect your T-Mobile account from fraud
- Rogers: Port fraud and SIM swaps
- TELUS: SIM swap scam: what you should know
- Bell: How to protect yourself from telecom fraud
Best practices for account security
- Use a strong, unique password for your Mozilla account and associated email accounts.
- Enable two-step authentication and keep your recovery options updated.
- Regularly review your account’s security settings; see Review your Mozilla account activity and protect your data.
By taking these steps, you’ll ensure your Mozilla account remains secure and protected from unauthorized access.