
Mastodon 4.6 ships with two major additions that actually matter: native two-factor authentication controls baked directly into the platform, and a new profile Collections feature that lets users organize their posts into curated groups. Help Net Security has the full breakdown, and if you care about where federated social media is heading in 2026, this release is worth your attention.

The 2FA improvement is the one that should land hardest. Mastodon is now giving instance administrators and individual users more granular control over how authentication is enforced — meaning server operators can require two-factor authentication site-wide, and users can manage their own 2FA settings with less friction than before. That is not a small thing. That is Mastodon finally treating account security like a first-class feature rather than an afterthought buried in a settings menu nobody visits.

The Fediverse Has a Security Debt and This Is a Down Payment

Let’s be honest about where federated social has been on security. For years, the Mastodon experience for anyone who wasn’t already technically literate meant navigating account protection that ranged from inconsistent to outright confusing depending on which instance you landed on. Two-factor authentication existed, but enforcement was entirely at the discretion of whoever ran your server. A lot of those server operators are volunteers running instances in their spare time. Security hygiene varied wildly.


The new 2FA controls in Mastodon 4.6 give administrators a real enforcement lever. If you run an instance for journalists, activists, or anyone operating under genuine threat — and plenty of Mastodon users fit that description — you can now mandate two-factor authentication across your entire community. That’s the kind of baseline protection that centralized platforms like Instagram or Twitter have had for years. Mastodon getting there isn’t embarrassing. It’s necessary.

What’s actually embarrassing is how long the broader tech industry spent treating 2FA as optional. SMS-based two-factor authentication, which most platforms still default to, is not secure. SIM-swapping attacks have drained crypto wallets, hijacked media accounts, and compromised political campaigns. The gold standard is authenticator apps or hardware security keys — TOTP codes or FIDO2, not a six-digit text message that a bored teenager in a Discord server can intercept with a single phone call to your carrier.

Mastodon’s new implementation leans toward the stronger options. That matters. When legislators are increasingly pushing platforms to take user safety seriously, the technical infrastructure underneath has to actually hold up. A law mandating stricter access controls means nothing if the platform’s authentication layer is made of tissue paper.

Profile Collections Are Quietly Brilliant

The Collections feature deserves its own moment. Mastodon 4.6 lets users build curated groupings of their own posts directly on their profile — think of it like pinned posts but with actual structure. You can surface a thread you’re proud of, a running series, or a body of work without relying on third-party tools or hoping the algorithm surfaces the right content.

Here’s the thing: Mastodon doesn’t have an algorithm. That’s a feature, not a bug, for a specific type of user. But the absence of algorithmic curation also means good content gets buried fast. Collections is a manual, human-powered answer to that problem. It’s the platform saying: you decide what people see first.

Compare that to what’s happening on the other side of the fence. Instagram extending its recommendation algorithm to the main feed is the opposite philosophy entirely — the platform decides what you see, optimized for engagement metrics that have nothing to do with what you actually care about. Mastodon Collections hands that control back. It’s a small feature with a pretty clear ideological statement underneath it.

Why Two-Factor Authentication Still Fails Most People

Even with better tooling, the hard truth is that most people don’t use two-factor authentication properly. Adoption rates for strong 2FA — authenticator apps or hardware keys — remain low across every major platform despite years of campaigns, breach headlines, and increasingly loud warnings from security researchers. The problem isn’t awareness anymore. The problem is friction.

Enabling 2FA takes two minutes. Recovering access when you lose your device takes considerably longer and can permanently lock you out if you didn’t save backup codes. Platforms that make setup easy but recovery nightmarish are training users to avoid it. Mastodon’s new controls are a step forward, but they only work if the UX doesn’t punish people for turning the feature on in the first place.
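To make concrete the authenticator-app-plus-backup-codes model the article prefers over SMS, here is an added example (not code from Mastodon or from the article): a minimal RFC 6238 TOTP verifier with a one-step clock-skew window, and single-use backup codes that are stored only as hashes. The TwoFactor module name, the 30-second step and the one-step window are assumptions chosen for illustration.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Constructed example (not Mastodon code): RFC 6238 TOTP with a clock-skew
# window, plus single-use backup codes stored only as SHA-256 hashes.
module TwoFactor
  DIGITS = 6
  STEP   = 30  # seconds per time step
  WINDOW = 1   # accept one step either side of "now" to absorb clock drift

  # HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation.
  def self.hotp(secret, counter)
    mac    = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
    offset = mac.getbyte(19) & 0x0f
    code   = mac[offset, 4].unpack1("N") & 0x7fffffff
    format("%0#{DIGITS}d", code % (10**DIGITS))
  end

  # TOTP is HOTP with the counter derived from Unix time.
  def self.totp(secret, at)
    hotp(secret, at.to_i / STEP)
  end
  # Byte-wise comparison that does not stop at the first mismatching byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Check the submitted code against every step in the window, so a slightly
  # skewed authenticator clock does not lock the user out.
  def self.verify_totp(secret, code, at: Time.now.to_i)
    step = at.to_i / STEP
    (-WINDOW..WINDOW).any? { |d| secure_compare(hotp(secret, step + d), code.to_s) }
  end

  # Backup codes: shown to the user once in plaintext, persisted only as hashes.
  def self.generate_backup_codes(count = 8)
    Array.new(count) { SecureRandom.hex(5) }
  end
  def self.hash_code(code)
    Digest::SHA256.hexdigest(code)
  end
  # Single use: on a match the stored hash is removed from `hashes` (mutated in place).
  def self.consume_backup_code!(hashes, code)
    idx = hashes.index { |stored| secure_compare(stored, hash_code(code)) }
    return false if idx.nil?
    hashes.delete_at(idx)
    true
  end
end
```

The test vectors from RFC 4226 and RFC 6238 (secret "12345678901234567890") are the easiest way to check a hand-rolled verifier like this before trusting it.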

The answer isn’t to stop pushing 2FA. The answer is passkeys. Passkeys — the FIDO2-based standard built into modern phones and laptops — eliminate the recovery problem almost entirely while being more phishing-resistant than any code-based system. They’re already rolling out across Google, Apple, and Microsoft accounts. Mastodon should be thinking about passkey support as the logical next step after 4.6’s 2FA improvements. The fediverse wants to position itself as the thoughtful alternative to corporate social media. Shipping passkeys before the big platforms do it properly would be a genuine statement.

Until then, Mastodon 4.6 is a real, substantive release. It fixes things that were broken. It adds tools that people will actually use. And somewhere out there, a Mastodon instance administrator is pulling up their server settings right now, clicking the new “require two-factor authentication” toggle, and feeling the specific quiet satisfaction of finally having a button that does exactly what it says.
