
Facebook 2FA no longer needs a phone number: here’s how to set it up

One more excuse for not using 2FA bites the dust.

We’re big believers in two-factor authentication (2FA) here at Naked Security. With all the account hijackings that have caused so much heartache, headache, stalking and tormenting, we think it’s particularly crucial for services such as Twitter and Facebook – services that have, for better and for worse, fastened themselves to our online lives as tightly as facehuggers in an Alien movie.
We’ve provided guides on how to set up 2FA before, but they came garnished with a big caveat: you’ve had to be comfortable with handing over your phone number to a service that has proved to be a bit butterfingery with users’ personal data.
We 2FA fans have had to live with the trade-off, given that Facebook has required users to have a mobile phone in order to get that second factor via SMS. Because that’s what 2FA is: it’s technology that requires you to prove you are who you say you are to a website or service by using two out of these three things:

  • Something you know – like a password.
  • Something you have – like a numerical key code.
  • Something you are – like a fingerprint.

(For an in-depth, technical discussion of how 2FA works, check out Chester Wisniewski’s 2FA article here.)
But all that required-SMS stuff is now no more. On Wednesday, Facebook announced that it’s made 2FA easier to set up, with a streamlined setup flow that guides you through the process. It’s also now offering other ways to get your second factor besides handing over your phone number.
Facebook’s redesign now makes it easier to use third-party authentication apps – such as, for example, Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).

How to set up 2FA on your Facebook account

1) On your computer, log in to your Facebook account. You can click here for Settings, or click the drop-down arrow at the top right of the page on the blue notification bar. It’s to the right of the question mark:

2) At the bottom of the menu, click “Settings.” On the next screen, hit “Security and Login” on the menu on the left:

3) Scroll down to Two-Factor Authentication.

4) As you can see in the image above, you now have three choices for 2FA: you can go old-school and use your passcode plus a code from your phone, review a list of devices where you won’t need to use a login code, or get into your apps with special passcodes instead of using your Facebook passcode or login codes.
5) Next, select whether you’d like to use your phone number or an authentication app to add an extra layer of security.


You should choose to use an authenticator app: it’s a safer option.
As we’ve written about before, there are pluses and minuses to either SMS or authenticator apps when it comes to 2FA, but the National Institute of Standards and Technology (NIST) has declared that the age of SMS-based 2FA is over.
A crook can hijack your SMSes with a SIM swap scam. If a crook can convince a mobile phone shop that they’re you, they can get the shop to issue a replacement SIM encoded with your phone number. Your phone will go dead, and theirs will start receiving your calls and messages, including 2FA codes.
We’ve seen SMS at the center of many two-factor hacks, including an incident in August 2016 in which the Telegram accounts of more than a dozen activists, journalists and other people in sensitive positions in Iran were targeted by hackers who intercepted the app’s SMS activation messages.
Facebook hasn’t out and out stuck a fork in SMS-based 2FA just yet, but we will. Say hello to the authenticators instead – it will be easier to do, now that Facebook’s laid out the welcome mat.


5 Comments

Article would be even better if it listed the names of the authentication apps that fb supports.

Four authenticator apps are listed in this article, including the Sophos one (which I use) but AFAIK *any* app that supports TOTP, a ubiquitous time-based 2FA standard, will work.
These days, asking which authenticator app will work with what 2FA service is a bit like asking which photo editing software can load JPEG files – the answer is pretty much “all of them”.

I added TOTP based 2FA to my facebook account at the weekend. It is definitely an improvement. I support 2FA, but I hate SMS based systems, not just because they are less secure, but also because of the time delay they add. My cellular provider normally takes at least a minute to deliver an SMS to my phone, sometimes a lot longer, so I find the delay in getting into my account annoying. I will usually do something else while I wait for the SMS to arrive, and often I get distracted, so by the time I get back to the login I was attempting the token has expired and I have to start the whole process again.
TOTP based 2FA fixes all of that. Any time I need to login, I can pick up my phone, and the code is available instantly. For less important sites I can also add the TOTP secrets into my Keepass DB, and use KeepassXC to fill them into the login form automatically.

Hi, I am using FreeOTP android app for 2FA, as for my work account, Google and Github.
Does facebook support this option?

Thanks Lisa for the great information. The problem is that when you add the authenticator app, Facebook automatically sets a parameter to “Allow logins without a code for 1 week” — you can’t turn this off without disabling the auth app. While I am all for moving off SMS as another auth factor, not sure this is the way to do it. I tried to reproduce this and perhaps Facebook has fixed this problem. Does this mirror your experience?
