
Mastodon: Security and privacy settings

Maybe you have just joined a Mastodon instance, or maybe you have already been tooting for months. Whatever the case may be, in this article we show you the important settings that make your Mastodon experience more secure and private.


What is Mastodon? (For newbies!)

Mastodon is a decentralized and federated social network for microblogging. This means that there are thousands of Mastodon instances (= servers) on the internet which aren’t controlled by a single company or person, and that most of these instances are connected to each other, so you can see what people on other instances write or do. You can follow them or like/share their toots (= messages). Twitter users will feel at home immediately.

Mastodon offers two-factor authentication (2FA) and several privacy settings, which we cover below. Another important point is the risk of being impersonated: usernames are only unique per instance, so anybody can register your name on a different instance.

Security and privacy settings

In order to find all settings, enter https://[your-mastodon-instance]/settings/profile in your web browser, or click on the cogwheel icon (“Preferences”).

Security tip 1: Enable 2FA

Two-factor authentication ensures that you have to provide two factors each time you log in. The first factor is your password. The second factor in this example is a time-based one-time password (OATH-TOTP). We will use our YubiKey; however, apps like “FreeOTP” can also generate one-time passwords on your smartphone.

To enable 2FA, go to your settings and then “Two-factor Auth” (/settings/two_factor_authentication). You will see a button to set up 2FA on your screen:

An image showing the TOTP settings of Mastodon.
This is the initial screen when you set up 2FA for the first time.

After proceeding, you see a QR code and the secret in plain text. You can either scan the QR code directly using your app or the Yubico Authenticator, or you can enter the plain-text secret manually. We recommend scanning the QR code. Important: The secret is actually a secret, so keep it secret! Anybody who obtains it (the QR code encodes the very same secret, so a screenshot is just as bad) can generate valid one-time passwords for your account.

An image showing a QR code for configuring TOTP apps.
Scan this QR code using your 2FA app or the Yubico Authenticator. Enter the generated one-time password below and click on 'Enable'.

If you use the Yubico Authenticator, you have to go to “File > Scan QR Code”. The Yubico Authenticator recognizes the QR code and shows the following dialog. Just click on ‘Save credential’.

An image showing information included in the QR code.
The Yubico Authenticator shows a new entry after scanning the QR code. You only have to save this.

Finally, enter your freshly-generated one-time password below the QR code (‘Two-factor code’ field) and click on “Enable”. After that, Mastodon shows you emergency recovery codes. Each of these codes can be used once instead of a one-time password if you lose your 2FA device. Store them in a secure place (e.g., print them on paper). They are also secrets!

An image showing backup codes for TOTP.
After entering your freshly-generated one-time password, Mastodon will show you emergency codes. Store these codes offline (e.g., print them on real paper!). They are also secrets!

When you return to the Two-factor Auth setting, it will show “Two-factor authentication is enabled”. From now on, you have to enter your password plus a one-time password each time you log in. Done!

An image showing TOTP settings with TOTP enabled.
2FA is enabled! Now you have to enter your password plus OTP token each time.

The process described above is similar for most other websites which provide TOTP-based 2FA. So feel free to enable OATH-TOTP whenever possible.

Security tip 2: Monitor sessions activity

Mastodon keeps a list of your active login sessions. It is important to monitor this list to ensure that there is no suspicious activity, such as unknown IP addresses or web browsers accessing your account. Go to the “Security” page (/auth/edit).

There is a “Sessions” section which shows the web browsers and IP addresses of your last logins. Revoke suspicious sessions and check this page regularly. You can see the full User-Agent string of a web browser if you hover your pointer over the short description.

An image showing active sessions in Mastodon.
The 'sessions' section shows information about web browsers and operating systems you (or somebody else!) used to log in.

Security tip 3: Monitor authorized apps

Of course, you can use third-party apps to access Mastodon. It is important to monitor these apps, too: maybe you stopped using an app months ago but never revoked its access? Go to “Authorized apps” (/oauth/authorized_applications) to see a list like the one below. Make sure that all apps shown on the list are apps you actually use; each of them holds an OAuth token that remains valid until you revoke it.

An image showing authorized apps in Mastodon.
These apps are authorized to connect with your Mastodon account. Revoke unused apps immediately!
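Both review pages (sessions in security tip 2, authorized apps in security tip 3) boil down to the same decision: does this entry match a device, network or app I recognise, and is it still in use? The following added example (our own illustration, not Mastodon code; Mastodon exposes no API for either list, so the rows are constructed to resemble what the two pages display) encodes that decision so you can apply it consistently. The trusted networks, device list and known apps are assumptions standing in for your own baseline; all IP addresses are from documentation ranges.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample rows resembling the "Sessions" and "Authorized apps" pages.
NOW = datetime(2019, 4, 28, 12, 0, tzinfo=timezone.utc)

SESSIONS = [
    {"browser": "Firefox", "os": "Linux", "ip": "192.0.2.10",
     "last_active": NOW - timedelta(minutes=5), "current": True},
    {"browser": "Firefox", "os": "Android", "ip": "198.51.100.7",
     "last_active": NOW - timedelta(days=2), "current": False},
    {"browser": "Chrome", "os": "Windows", "ip": "203.0.113.44",
     "last_active": NOW - timedelta(hours=6), "current": False},
    {"browser": "Firefox", "os": "Linux", "ip": "192.0.2.10",
     "last_active": NOW - timedelta(days=120), "current": False},
]

APPS = [
    {"name": "Tusky", "scopes": {"read", "write", "follow"},
     "authorized": NOW - timedelta(days=30)},
    {"name": "Old desktop client", "scopes": {"read", "write"},
     "authorized": NOW - timedelta(days=400)},
    {"name": "Feed reader", "scopes": {"read"},
     "authorized": NOW - timedelta(days=10)},
]

# Assumed personal baseline: where you log in from, what you own, what you remember authorizing.
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
MY_DEVICES = {("Firefox", "Linux"), ("Firefox", "Android")}
KNOWN_APPS = {"Tusky", "Feed reader"}
MAX_SESSION_AGE = timedelta(days=90)
MAX_APP_AGE = timedelta(days=180)


def review_sessions(sessions, now=NOW):
    """Return (ip, browser, os, reasons) for every session that should be revoked."""
    findings = []
    for s in sessions:
        reasons = []
        if not any(ip_address(s["ip"]) in net for net in TRUSTED_NETWORKS):
            reasons.append("unknown IP")
        if (s["browser"], s["os"]) not in MY_DEVICES:
            reasons.append("unknown device")
        if not s["current"] and now - s["last_active"] > MAX_SESSION_AGE:
            reasons.append("stale")
        if reasons:
            findings.append((s["ip"], s["browser"], s["os"], reasons))
    return findings


def review_apps(apps, now=NOW):
    """Return {app name: reasons} for apps to revoke. Write/follow scopes mean the
    app's token can post or follow on your behalf, which raises the stakes."""
    findings = {}
    for a in apps:
        reasons = []
        if a["name"] not in KNOWN_APPS:
            reasons.append("unknown app")
        if now - a["authorized"] > MAX_APP_AGE:
            reasons.append("stale")
        if reasons and a["scopes"] & {"write", "follow"}:
            reasons.append("can post or follow on your behalf")
        if reasons:
            findings[a["name"]] = reasons
    return findings


if __name__ == "__main__":
    for ip, browser, os_, reasons in review_sessions(SESSIONS):
        print(f"Revoke session {browser}/{os_} from {ip}: {', '.join(reasons)}")
    for name, reasons in review_apps(APPS).items():
        print(f"Revoke app {name!r}: {', '.join(reasons)}")
```

Note the ordering of the checks: an entry that is merely old gets flagged as stale, but an entry from an unknown network or device is flagged even when it is active right now, because an attacker's session is, by definition, recent.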

Privacy tip 1: Check your “post privacy” and “disclose application” settings

Besides security, there are privacy settings. These settings are on the “Preferences” page (/settings/preferences). Look for “Post privacy”:

  • Public posts are visible to everyone on the internet.
  • Unlisted posts don’t show up in the public (local and federated) timelines, but anybody who knows the link can still see them.
  • Followers-only posts are only delivered to your followers. Keep in mind that they are still stored unencrypted on your instance and on your followers’ instances, so the admins of those instances can read them.

This is the default setting for all future posts. You can also override it explicitly for every toot by clicking on the “world” icon before tooting (this is also where you choose direct messaging, which is only visible to the mentioned users).

You can also:

  • Opt-out of search engine indexing: Avoid being indexed by Google and other search engines.
  • Hide your network: Enable this to hide the lists of your followers and of the people you are following.
  • Disclose application used to send toots: Disable this to hide the name of the app you use to post on your Mastodon instance.

Privacy tip 2: Use “authorized followers” feature

If you lock your account (go to “Edit profile”, /settings/profile), you have to manually approve each new follower. This also enables the “authorized followers” feature (/settings/follower_domains).

The “Authorized followers” page lists your followers grouped by instance and allows you to remove all followers from an entire Mastodon instance at once, effectively cutting that instance off from your followers-only posts (e.g., if somebody uses an instance for spamming). Since your account is locked, any new follow requests from that instance still need your approval.

An image showing authorized followers in Mastodon.
After locking your account, you can remove Mastodon instances from your follower list, effectively blocking the whole instance.

Privacy tip 3: Host your own Mastodon instance

Yeah, we don’t like the “simply host your own server” tip, since securely hosting your own services is never easy. But as shown before in our XMPP: Admin-in-the-middle article, admins can often access even private information (on Mastodon, that includes followers-only posts and direct messages, which are stored unencrypted) and may be in full control of your personal data.

Hosting your own Mastodon instance gives you more control over your data but also comes with more responsibilities in terms of server security and management.

Additional tips

We have several more tips for you:

  • Always use a Mastodon instance which has the latest version of Mastodon installed. Several instances are still running really old versions of Mastodon. This can be a security risk for your personal data: there are several publicly-known vulnerabilities in Mastodon versions before 2.4.4 and before 2.5.2, respectively.
  • Check the security and privacy configuration of your Mastodon instance by using online assessment tools. Be aware that the results can be misleading or irrelevant!
  • Support the admin of your Mastodon instance!
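Every Mastodon instance reports its version in the JSON returned by its public /api/v1/instance endpoint (the "version" field), so you can check an instance before you sign up. The following added example (our own script, not part of Mastodon) compares that version against the two fixed releases named above; the table of fixed versions is taken from the article and must be extended as new advisories appear, and the sample JSON response is constructed.

```python
import json
import re
import sys
import urllib.request

# Minimum fixed releases named in the article, keyed by release branch (major, minor):
# the 2.4.x branch was fixed in 2.4.4, the 2.5.x branch in 2.5.2. Extend as needed.
FIXED_VERSIONS = {(2, 4): (2, 4, 4), (2, 5): (2, 5, 2)}

# Constructed sample of what /api/v1/instance returns (only the relevant fields).
SAMPLE_INSTANCE_JSON = '{"uri": "example.social", "title": "Example", "version": "2.4.3"}'


def parse_version(version):
    """'2.4.3', '2.8.0rc1' or '2.7.4+glitch' -> (major, minor, patch); suffixes are dropped."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_outdated(version, fixed=FIXED_VERSIONS):
    """True if the version lies before the fixed release of its branch, or on a
    branch older than any fixed branch (those never received the fixes)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in fixed:
        return v < fixed[branch]
    return branch < min(fixed)


def check_instance_json(body):
    """Return (reported version, outdated?) from an /api/v1/instance response body."""
    version = json.loads(body)["version"]
    return version, is_outdated(version)


def fetch_instance_json(domain):
    """Network call, kept separate so the checking logic runs offline."""
    with urllib.request.urlopen(f"https://{domain}/api/v1/instance", timeout=10) as r:
        return r.read().decode("utf-8")


if __name__ == "__main__":
    body = fetch_instance_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INSTANCE_JSON
    version, outdated = check_instance_json(body)
    print(f"Mastodon {version}: {'OUTDATED, known vulnerabilities' if outdated else 'not older than the fixed releases'}")
```

A release newer than every branch in the table is reported as fine only because the table knows nothing about it, so keep the table current rather than reading a negative result as proof of safety.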

Mastodon’s security and privacy features allow you to make your Mastodon experience more secure and keep non-public posts private. Get familiar with these features and find your personal use cases. Last but not least, support the admin of your Mastodon instance and look for security-related updates!


  • Apr 28, 2019: Added “Disclose application used to send toots”.
