Mastodon 4.6 Introduces Mandatory Two‑Factor Authentication Controls and Profile Collections
What Happened — The open‑source social network Mastodon released version 4.6, adding “Collections” (curated, shareable lists of profiles) and a server‑side option to require two‑factor authentication (2FA) for all member accounts. Administrators can now enforce 2FA across one or multiple instances and users receive notifications when they are added to or removed from a collection.
Why It Matters for Compliance & Audit Readiness
- Enforcing 2FA directly addresses SOC 2 CC6.1 (Logical Access) and provides a clear, auditable control that can be continuously monitored.
- The collection‑notification workflow creates a traceable record of user consent and profile changes, supporting evidence‑based compliance with privacy‑related criteria (e.g., CC5.2).
- Verisq’s SOC 2 Access Controls capability can automatically capture MFA enforcement status and change‑log evidence to satisfy audit requirements.
Who Is Affected — Social‑media platforms, federated micro‑blogging services, and any organization that hosts or integrates with Mastodon instances (technology SaaS, media, education, and nonprofit sectors).
Recommended Actions
- Review your MFA policy against SOC 2 CC6.1 and configure Mastodon (or any federated server you operate) to enforce 2FA for all users.
- Document the enforcement setting and retain change‑log snapshots as audit evidence.
- Map the new collection‑notification feature to privacy‑control requirements (CC5.2) and verify that opt‑in/opt‑out mechanisms are consistently applied.
Source: Help Net Security – Mastodon 4.6 Release
Technical Notes
- No new CVEs were disclosed; the change is a platform‑level configuration update.
- The “Collections” limit (25 profiles per collection) is a design control to mitigate spam and abuse.
- 2FA enforcement is optional per server but can be mandated by administrators.