Set up multi-factor authentication (MFA)
Security · about 10 min · Everyone — required on every FFC-related account
Multi-factor authentication (MFA, also called 2FA) is required on every account you use for FFC — GitHub, your charity email, LinkedIn, Facebook, your bank, everything.
It’s simple: after you type your password, the site asks for a second proof that it’s really you — a 6-digit code from an app on your phone. Even if someone steals your password, they can’t get in without your phone.
One authenticator app for everything
Use a single authenticator app for all your accounts — ideally the same one you already use for your bank or email. The two most common are Google Authenticator and Microsoft Authenticator; either is fine. Having one app keeps every code in one place and makes moving to a new phone far easier.
1. Install an authenticator app (if you don’t have one)
On your phone’s app store, install Google Authenticator or Microsoft Authenticator. If your bank already had you install one, use that same app.
An authenticator app simply shows 6-digit codes that change every 30 seconds. It works offline and is far safer than text-message codes.
2. Find the security settings on the website
On the site you’re securing (e.g. GitHub → Settings → Password and authentication), look for Two-factor authentication or Multi-factor authentication and choose to set it up with an authenticator app (not SMS, if you’re given the choice).
3. Scan the QR code
The website shows a square QR code. Open your authenticator app, tap + (Add / Scan a QR code), and point your phone’s camera at the code on the screen.
This is the same action you’ve done for your bank or LinkedIn — the QR code privately hands the app a secret so it can generate your codes.
The app immediately starts showing a 6-digit code for that site. Type the current code back into the website to prove it worked.
4. Save your recovery codes
The site gives you a list of one-time recovery codes. These are your lifeline if you ever lose your phone.
Copy them into your password manager (see the Password Manager guide), or print them and keep them somewhere safe. Do not store them only on the same phone that has the authenticator.
No recovery codes + lost phone = locked out, sometimes permanently. Save them now, every time.
Before you get a new phone
- Getting a new phone is the #1 way people get locked out — plan for it BEFORE you switch.
- If you use Microsoft Authenticator or Google Authenticator, turn on the app’s built-in cloud backup first (in the app’s settings), then restore it on the new phone and your codes come with you.
- If there’s no backup, you must re-add each account on the new phone: sign in to each site (using a recovery code if needed), turn MFA off and back on, and scan a fresh QR code.
- Keep your recovery codes in your password manager so a new phone — or a lost one — is never a lockout.
- Do this for every account: GitHub, charity email, LinkedIn, Facebook, your bank.
Common questions
Is a text-message (SMS) code good enough?
An authenticator app is stronger and works without signal. Use the app whenever the site offers it; SMS is a last resort.
What happens if I lose my phone and have no recovery codes?
You’ll have to go through each site’s account-recovery process, which can be slow or, in some cases, impossible. That’s why saving recovery codes is mandatory.
Stuck on any step? Text Clarke Moyer at (520) 222-8104 — every step is meant to be simple, so if something doesn’t match what you see, ask.