Analysis

How to Secure Your Call of Duty Account With Two-Factor Authentication

Activision made SMS 2FA mandatory for new free-to-play PC accounts in Season 3, and the rollout is expanding to existing accounts; here is why it matters and how to go further than the minimum.

Jamie Taylor

With the launch of Season 3 on April 2, 2026, Activision embedded a significant account security change inside the latest Ricochet anti-cheat update for Call of Duty: Black Ops 7 and Warzone. Every newly created Activision account used by a free-to-play PC player now requires SMS two-factor authentication before that player can access multiplayer. The requirement is not cosmetic. Activision stated plainly that it "also cuts down the pool of accounts used for cheating and helps reduce account fraud." What makes this moment worth your attention: the rollout is already confirmed to expand to existing accounts over the coming weeks, meaning even veteran players with years of progression and bundles invested need to treat this as an active task, not a future consideration.

Why Activision Is Pushing 2FA Now

The Season 3 Ricochet update is the most layered anti-cheat release in the Black Ops 7 cycle so far. Beyond SMS verification, it introduces behavioral detection for unauthorized input modification devices such as Cronus Zen and XIM Matrix, plus new in-game notifications warning PC players who do not meet TPM 2.0 and Secure Boot requirements that failing to enable those features will eventually restrict playlist access. The thread connecting all of these measures is the same: Activision is trying to close off every cheap re-entry point a banned player can exploit.

Account recycling has historically been one of cheating's most dependable tools. A ban costs a cheater roughly nothing if a fresh throwaway account takes minutes to create and requires no verification. SMS 2FA attacks that loop directly by tying a phone number to registration. As Activision put it, "raising the barrier to entry makes it harder for banned cheaters to create new accounts and return." Phantom Overlay, a prominent cheat provider, was forced to shut down in March 2025, and four additional providers followed as part of ongoing enforcement. The SMS mandate is the logical complement to those takedowns: legal pressure removes the software, account verification raises the cost of deploying whatever replaces it.

Account Theft Is Not Just an Inconvenience

It is worth pausing on what actually gets lost when a Call of Duty account is compromised, because the scale tends to surprise people outside the community. One hacked player described losing level 815 progression, a diamond-ranked competitive record, and every bundle purchased across multiple seasons, and summed up the situation bluntly: "I can't even earn it back." Skins bought through the store are non-transferable. Ranked resets cannot be reversed by a support ticket. If a hijacker uses a stolen account for cheating and triggers a permanent ban before the original owner notices, the account recovery process becomes significantly more complicated, because Activision's enforcement team has to untangle whether the ban was earned legitimately.

This is why "account theft is a gameplay problem" is not a dramatic framing. Your Operator bundles, your Camo unlocks, your Ranked SR ladder position, and any linked payment methods are all inside that one login. Securing it is no different from securing the disc, the console, or the subscription.

SMS 2FA Is a Floor, Not a Ceiling

Activision's new mandate uses SMS as its verification mechanism, which is appropriate for the specific anti-cheat use case: forcing cheaters to attach real phone numbers to throwaway accounts significantly degrades their ability to operate at scale. For your personal account security, however, SMS 2FA is exposed to a known attack called SIM-swap fraud, in which an attacker convinces a mobile carrier to transfer your phone number to a SIM they control and then receives every text-based code sent to you.

App-based authenticators solve this problem. Both Microsoft Authenticator and Google Authenticator generate time-limited codes locally on your device, with no SMS transmission that a carrier can intercept. Warzone Mobile already required authenticator-app 2FA as standard for Activision account logins, which signals where Activision's own security thinking is heading even as SMS serves as the mass-rollout starting point. If your Activision account settings offer an authenticator-app option alongside SMS, use the app. The setup takes roughly three minutes and the protection gap between the two methods is substantial.

Locking Down Every Account in the Chain

A Call of Duty session touches more than one account. Your Activision login connects to a platform account on Battle.net, Steam, Xbox Live, or PlayStation Network, and that platform account ties to an email address. Compromising any one link in that chain can expose everything downstream.

The per-platform logic matters practically. According to the official Season 3 Ricochet documentation, if you own Black Ops 7 on Battle.net but play Warzone on Steam, the SMS 2FA requirement applies specifically to your Steam-linked account, because ownership and verification are evaluated separately for each linked platform. That means enabling 2FA on your Activision account alone does not fully cover you if your Steam or PlayStation Network login has no second-factor protection.

The priority order for enabling 2FA:

1. Activision account at Activision's account management portal, preferably via an authenticator app rather than SMS alone.

2. Your platform account, whether Xbox Live, PlayStation Network, Steam, or Battle.net, all of which offer app-based or hardware-key 2FA options.

3. The email address linked to each of those accounts, since a compromised email is the master key that lets an attacker trigger password resets on everything above it.
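The weakest-link argument behind this list, worked through as an added example (not part of the original article). The inventory is constructed sample data, the `reset_or_login_via` field and both function names are hypothetical, and the assumption is that each listed upstream account can sign in to, or trigger a password reset on, the account that names it.

```python
# Second-factor ranking, weakest first. SMS below authenticator app follows the
# article; placing a hardware key above the app is an assumption of this example.
STRENGTH = {"none": 0, "sms": 1, "app": 2, "hardware_key": 3}

# Constructed inventory. "reset_or_login_via" lists the accounts that can sign in
# to, or trigger a password reset on, this one (the upstream links in the chain).
ACCOUNTS = {
    "activision": {"second_factor": "app", "reset_or_login_via": ["steam", "email"]},
    "steam": {"second_factor": "sms", "reset_or_login_via": ["email"]},
    "email": {"second_factor": "none", "reset_or_login_via": []},
}


def effective_factor(name, accounts, seen=frozenset()):
    """Weakest second factor on any route into `name`, including upstream accounts."""
    own = accounts[name]["second_factor"]
    if name in seen:  # already on this route: stop, so a circular link cannot loop
        return own
    routes = [own]
    for upstream in accounts[name]["reset_or_login_via"]:
        routes.append(effective_factor(upstream, accounts, seen | {name}))
    return min(routes, key=STRENGTH.__getitem__)


def undermined(accounts):
    """Accounts whose own 2FA is stronger than the weakest route into them."""
    found = []
    for name in sorted(accounts):
        own = accounts[name]["second_factor"]
        effective = effective_factor(name, accounts)
        if STRENGTH[effective] < STRENGTH[own]:
            found.append((name, own, effective))
    return found


if __name__ == "__main__":
    for name, own, effective in undermined(ACCOUNTS):
        print(f"{name}: configured {own!r}, but reachable through {effective!r}")
```

In the sample inventory the app-protected Activision account is only as strong as the unprotected email behind it; the report empties once every upstream account matches the strongest factor in use.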

Equally important: use a unique password for each service and store them in a password manager rather than a browser. Credential-stuffing attacks (where stolen username and password pairs from one breach are tried against Call of Duty logins automatically) are one of the most common causes of account hijacking and are almost entirely defeated by unique passwords.

Phishing and Shared Devices

Activision and Microsoft will never ask for your password or a 2FA code via email or direct message. If a message claims your account needs urgent verification and asks you to click a link, navigate to Activision's account page directly through your launcher rather than through any link in the message. The urgency framing is the tell: legitimate security prompts from Ricochet appear inside the game client or through the official account management portal, not through Discord messages or emails that recreate the Activision logo.

On shared PCs or family consoles, keeping saved browser authentication tokens away from other users is straightforward: use a separate Windows user account for your gaming session, and enable console-level family account features on PlayStation and Xbox to prevent accidental purchases from a shared profile.

If Your Account Is Already Compromised

Activision maintains a dedicated Hacked Account Recovery page for exactly this scenario. The immediate steps are: change your password on both the Activision account and the associated email, remove any linked payment methods if the account management panel still allows access, enable 2FA immediately, and then contact Activision support through that recovery portal with purchase receipts and account verification details. Transaction history and original registration email evidence are the primary tools support agents use to confirm ownership. The more documentation you can produce, the faster the process moves.

What Season 3 Signals Going Forward

The Season 3 changes sit inside a broader trajectory. TPM 2.0 and Secure Boot notifications this season become playlist restrictions next. SMS 2FA for new accounts this month expands to existing accounts within weeks. Ricochet's remote attestation through Microsoft Azure already verifies system security settings against trusted external servers. Each of these measures assumes that the hardware and the account belong to the same legitimate person. Players who have hardened their accounts before enforcement expands are insulated from the friction that enforcement rollouts create for accounts that suddenly find themselves flagged for verification. The steps above are available right now and none of them require waiting for a prompt.
