Skip to content
Naked Security Naked Security

How to set up 2FA on your Facebook account

As Facebook continues to embed itself into the fabric of our social and online lives - or, perhaps it's more correct to say, as we let Facebook continue to embed itself in our lives - it's increasingly important that we keep our accounts safe from unauthorized use.

As Facebook continues to embed itself into the fabric of our social and online lives – or, perhaps it’s more correct to say, as we let Facebook continue to embed itself in our lives – it’s increasingly important that we keep our accounts safe from unauthorized use.
If you barely ever log in to Facebook, you might not be too concerned about what could happen if someone gets into your account. But with Facebook being the biggest social media network on the planet with more than two billion users, and even if not all of those users are active or tied to a real person, it is increasingly used as a service to prove we are who we claim to be.
Facebook is entrenching itself to be indelibly tied to our entire identity online: How often have you seen Facebook authentication offered as a way to post comments on websites, or to register or log in to an app or service?
For many Facebook users, if someone were to gain access to their account, this would go beyond a mere annoyance – that person could also have access to their accounts on other apps, access to all sorts of sensitive information about them, their families, friends, and coworkers. From a reputation perspective alone, there’s a lot of potential for real-life consequences.
That’s why it’s a very good idea to take the security of your Facebook account seriously, and thankfully Facebook has made it reasonably easy to manage. A complex, unique password for Facebook is a great starting point – and if you haven’t changed it in a long while, take a moment to do it – but we also encourage you to take the security of your account to the next level and enable two-factor authentication as well.
Two-factor authentication (2fA) isn’t just a good idea, it’s a great idea: Someone trying to log in to your account needs more than just your password (“something you know”), they also need access to a phone or device that you own (“something you have”). This extra layer of security is simple to set up – we’ll walk you through it below – and can provide great peace of mind.

How to set up 2FA on your Facebook account

You will need:
1) Access to your Facebook account via a computer.
2) A phone number that can receive Text Messages (SMS) OR a smartphone that can run the Facebook app.
The 2FA process will tie your Facebook account to your phone number as a method of proving who you are. If the idea of Facebook having your phone number makes you uneasy, you can still use 2FA with just a code generator app and a Universal 2nd Factor (U2F) security key like a Yubikey – but to use U2F you must also use a code generator app, which still requires a smartphone. So keep that in mind.
For the purposes of this walkthrough, we’ll assume you’re okay with tying your Facebook account to your phone number, as this makes setting up 2FA quite simple.
1) On your computer, log in to your Facebook account and click the drop down arrow at the top right of the page on the blue notification bar. (It’s to the right of the question mark.) Look at the bottom of the menu and hit “Settings,” and on the next screen hit “Security and Login” on the menu on the left.
2) Scroll down to the “Setting Up Extra Security” section, and you’ll see a “Use Two-Factor Authentication” header.

Click “Edit” and a whole submenu will expand. Let’s start at the top – you’ll see “Two-factor authentication is off.” Hit “Set up” to get started.
3) If you haven’t at any point told Facebook your mobile phone number, you will now be prompted to add either a phone OR a code generator and security key to proceed. As noted above, we’re going the phone route in this walkthrough. Hit “Set Up Second Factors.”
4) You’ll be back in the 2FA submenu. In the “Text message (SMS)” field, hit “add phone” and follow the prompts to confirm your phone number. By the end of the process, you’ll be asked to confirm that you want to set up 2FA for your account, with an additional option to not require a second factor (like an SMS code) for the next seven days to *disable* 2FA on your account.
Whichever option you choose, when you’re done, hit “Enable” and Facebook will helpfully notify you that 2FA is well and truly on:

That’s it! You’ve now enabled 2FA on your Facebook account. Next time you try to log in, after entering your password, Facebook will text you a 6 digit code that you’ll need to enter to complete the login process.
While you’re in the security menu, take a look at the other options here and enable as much as you feel comfortable with: “Get alerts for unrecognized logins” for example is a great idea, especially paired with 2FA. This means if someone tries to log in to your account and doesn’t enter the correct code, Facebook will helpfully let you know next time you successfully log in:

Combining the unrecognized logins with 2FA works like a canary in the coal mine, letting you know someone’s (unsuccessfully) trying to access your account, and that it’s time for you to change your password.
If you’d rather not get text messages every time you log in, you can go one step further and use the Facebook app’s built-in code generator or a third-party code generator app to get that 6 digit code to verify it’s you. If you opt to use the built-in code generator in the Facebook app, keep in mind that you need to be logged in to the Facebook app on your smartphone for it to work, so this verification method will only work in verifying a new device or browser. This isn’t likely to be an issue for most people, but if you tend to log in and out of your smartphone’s Facebook app, you’re better off using a third-party code generator app, like Google Authenticator.
Whichever method you use, you’ll need to be at a computer to set up your method of choice with your smartphone handy. Here’s what you need to do to get a code generator method set up:

  • For the Facebook in-app code generator, click “Set up” next to the “Code Generator” option in the Two-Factor Authentication submenu and follow the prompts.
  • For a third-party code generator app, click “third party app” in the Code Generator text option and follow the prompts.

Will you be enabling 2FA on your Facebook account, or have you already?

10 Comments

Despite being a security minded IT person my biggest issue with this move by FB is giving them my cell phone number. Just another piece of information they can add to their arsenal of marketable merchandise.

I’m with you – I’m a big 2FA proponent but didn’t have it enabled on my FB account for a very long time as I also didn’t want them to know my cell phone number — but I am never on FB much anymore, so there’s that I suppose. (The only way to win is not to play.)

I tried to setup 2FA on my Facebook account using Google Authenticator – it still required my phone number, which I don’t feel comfortable giving to Facebook. If I’m using Google Authenticator, why would it need a phone number? Just seems crazy to me.

when texting costs money per text, is there another method of 2FA that facebook understands? email the number, perhaps?

You pay to *receive* texts? Here in the UK, not only is it free to receive texts, but even a modest prepaid mobile plan will let you send 100s, 1000s or even unlimited messages a month. Some 2FA systems let you put in a voice number that they’ll call and read out the code to you.

Assuming you have a smartphone, the code generator within the Facebook app or a third-party code generator do not require using text messages. (I didn’t see an option to have Facebook call or email you with the code.)

@IT Guy; @Megan:
Do you really think your phone number is “private” or “secret”???

Not at all, but I would still prefer it not to be “public” and I have infinitely more control of who else has it by not sharing it with an organization that’s primary business focus is sharing people’s personal information. A company I might add that recently took seven months to mitigate accidental exposure of phone numbers..

Let’s see here. . . loads of phone numbers exposed via Facebook, but somehow I am supposed to feel confident using my phone number to protect my account? Tell me how that’s supposed to make me sleep all comfy at night.
Next suggestion please. . .

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?