Joined the people who’ve signed up for Bluesky Social as an alternative to Twitter/X? I’m on there too and it’s pleasantly free of chaos and arguments (so far). But now’s also a good time to ensure you have maximal account security. The best approach: Two-factor authentication.
Let’s start out with a definition for two-factor authentication (also known as 2FA or, more generally, multi-factor authentication). A “factor” is best thought of as a category of evidence you can present: something you know, like an account password, or something you have, like a smartphone or access to an email inbox. Passwords on their own are rather mediocre as security barriers because if someone learns your password, they can sign in as you, and nothing stops them until you notice and change it.
But what if logging in required both something you know and something you have? That’s two-factor, and it’s typically a combination of an account password and something tied to a mobile device. There are a number of reliable authenticator apps that serve this second purpose, including Authy, Microsoft Authenticator and Google Authenticator. For its own part, Bluesky Social has implemented an easier form of 2FA: email. Once enabled, you’ll need to enter your password and a secret code that’s emailed to you as part of the login process. After ten minutes or so that code expires, so someone finding it hours – or days – later won’t be able to sneak in.
To be candid, I prefer authenticator apps and believe they’re a stronger form of authentication. It’s my hope that at some point Bluesky will add support for authenticator apps as an alternative. One caveat to keep in mind with email 2FA: your inbox becomes the second factor, and anyone who controls your email can generally reset your password too, so make sure that email account has strong 2FA of its own. Until Bluesky offers something stronger, however, let’s work with the email-based 2FA.
GO TO YOUR BLUESKY SETTINGS
I’ll use my @askdavetaylor.com Bluesky Social account for this tutorial, accessed from my Web browser, but you can actually enable this through the mobile app too. Once you’re logged in, click on the “Settings” option on the left column:
We won’t use it yet but notice the “Sign out” link at the very bottom. That’ll be useful once the 2FA is all set up. For this task, a click on “Privacy and security” is what’s required. That yields these optional settings and preferences:
It is worth noting that Bluesky is now warning users that everything you post can be used by third parties for various purposes (including training AI large language models). That’s the grey box at the bottom of this screen.
Click on the “Enable” link adjacent to the “Two-factor authentication (2FA)” prompt.
If you’re used to more robust 2FA on other social networks it might come as a bit of a surprise that this just turns on and you’re done: no QR codes to scan, nothing complex to verify your setup. Click or tap on the “Enable” button. It’ll now show as enabled:
That’s it. Disconcertingly easy.
LOG OUT, LOG IN
With that enabled, it’s time to use that “Sign out” link on the main Settings screen. Log out of your Bluesky account. You’ll know that’s what’s happened when you see this instead of your home screen:
Proceed by clicking on the “Sign in” link, as you normally would. If you allow cookies in your Web browser, you’ll find that it knows your Bluesky account or accounts. I have two:
The 2FA is setup for the askdavetaylor.com account [Tip: How to Use a Domain Name as your Bluesky Handle] so that’s the one I’ll click.
Bluesky will then prompt me for a password, but it will also ask for that second-factor confirmation code that’s been sent to my registered email address:
Meanwhile, in my inbox…
Dave! You’re sharing your secret 8-character code! Isn’t that dangerous?
Contrary to what you might think, sharing this email is not a dangerous mistake: each login gets a freshly generated random code, and every code is valid for only ten minutes or so. In other words, I could log out and log in ten thousand times without ever seeing this code pop up again. If you’re interested in the math, an eight-character code drawn from letters and digits has 36^8, about 2.8 trillion, possible values if case doesn’t matter, and 62^8, over 200 trillion, if it does. What matters even more than the raw count is that a guesser only gets a handful of attempts before the code expires.
Anyway, once I copy and paste this code into the appropriate box on the login screen, I’m in! Easy enough to work with, and a smart step towards ensuring your account is secure.
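To make the properties described above concrete, here is a small Python model of how an email-delivered second-factor code is issued and checked on the server side. This is an added illustration, not Bluesky’s code: it assumes an 8-character code drawn from upper-case letters and digits, a 10-minute lifetime, one use per code, and a cap of five wrong guesses, all of which are assumptions for the example. It also computes the keyspace both ways (case-insensitive and case-sensitive) so you can see where the “trillions of codes” figure comes from.

```python
"""Toy model of an email-delivered 2FA code: random, expiring, single-use,
attempt-limited. Added example; not Bluesky's implementation.
Assumptions: 36-symbol alphabet, 8 characters, 10-minute TTL, 5 wrong guesses."""
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # assumption: 36 symbols
CODE_LEN = 8                                         # "8-character code"
TTL_SECONDS = 10 * 60                                # "ten minutes or so"
MAX_ATTEMPTS = 5                                     # assumption: lockout threshold


def keyspace(alphabet_size=len(ALPHABET), length=CODE_LEN):
    """Number of distinct codes: alphabet_size ** length.
    36**8 is about 2.8 trillion; 62**8 (case-sensitive) is over 200 trillion."""
    return alphabet_size ** length


def brute_force_odds(attempts=MAX_ATTEMPTS, space=None):
    """Probability that `attempts` blind guesses within one TTL hit the code."""
    space = keyspace() if space is None else space
    return attempts / space


class EmailCodeStore:
    """Issues and verifies codes. `clock` is injectable so time can be simulated."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # account -> [code, issued_at, wrong_attempts]

    def issue(self, account):
        # secrets, not random: a previously seen code reveals nothing about the next
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[account] = [code, self._clock(), 0]
        return code   # in real life this goes into the email and nowhere else

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return False, "no code outstanding"
        code, issued_at, attempts = entry
        if self._clock() - issued_at > TTL_SECONDS:
            del self._pending[account]          # stale code is discarded, not retried
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[account]          # force a fresh code after lockout
            return False, "too many attempts"
        guess = submitted.strip().upper()       # tolerate copy/paste case differences
        if len(guess) == CODE_LEN and guess.isascii() and hmac.compare_digest(code, guess):
            del self._pending[account]          # single use: burn the code on success
            return True, "ok"
        entry[2] += 1                           # count the miss toward lockout
        return False, "wrong code"


if __name__ == "__main__":
    store = EmailCodeStore()
    code = store.issue("alice")
    print("emailed code:", code)
    print(store.verify("alice", "not-it"))
    print(store.verify("alice", code))
    print(store.verify("alice", code))       # second use fails: already consumed
    print(f"keyspace: {keyspace():,}  odds per {MAX_ATTEMPTS} guesses: {brute_force_odds():.2e}")
```

The constant-time comparison and the attempt cap are the two pieces the keyspace arithmetic quietly depends on: a large space only helps if the verifier gives nothing away per guess and refuses to keep answering.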
DISABLING 2FA ON BLUESKY
What if you decide that you don’t want to have this 2-factor authentication anymore? No worries, it’s easy to disable too, and the process is remarkably similar. Go back to the “Privacy and security” page and click on the “Disable” link adjacent to the “Email 2FA enabled” link. You’ll be shown a confirmation window:
To proceed, click on “Send verification email” to get a new 8-character secret code. The prompt will also update to ask for that code (to verify that you’re really you!) …
Enter the code correctly and you’ll have disabled this beneficial security feature. Done.
Pro Tip: While I’m new to Bluesky like everyone else, you can find me on the growing social service as @askdavetaylor.com and you can find some Bluesky Help Tutorials here on the site too. Have a question I haven’t tackled? Ask me and I’ll do my best to address it!