Two-step verification is a more secure way to control access to your account. Instead of logging in with a code emailed to you, or with a password alone, you log in with your password plus an external device or code.
Typically, people use either an app on their phone to generate a code, or a security key which plugs into your USB port. Even if an attacker knows your password, they still can't get into your account.
Note: Emailed codes for login can't be used with two-step verification.
The two-step verification settings are on the Password & Security screen.
First, you must have a password set before enabling two-step verification (also known as two-factor authentication or 2FA). The password is the first of the two steps in "two-step verification".
Then you can access the Set Up Two-Step Verification button and select which kind of verification device you're adding to your account. The verification device is the second of the two steps.
Mozilla Firefox supports U2F from Firefox 57 onwards, but it is not enabled by default. If you wish to enable it, enter about:config into the address bar. Search for security.webauth.u2f in the list, and double-click it to change the option to True.
Not sure which authenticator app to use? We recommend:
Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other system for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself.
On the Password & Security screen, remove all verification devices to switch off two-step verification. You can now log in via a code emailed to you, or via your password.
You still want to be able to get into your account when you don't have your verification device with you, or if you've lost your verification device. Recovery codes allow you to recover your account in this situation.
Recovery codes can act as your second step. Each one is a code you can use once in place of your verification device.
Once you have set up two-step verification, you can get a set of ten recovery codes. Save them somewhere safe. Recovery codes can't be used as a password, and they are only valid if you have already set up at least one other verification device.
A set of recovery codes can be removed from use if the codes are compromised or you've lost the list.