Facebook Is Beefing Up Its Two-Factor Authentication
Good news for those looking to secure their Facebook accounts: The social network says users can now sign up for two-factor authentication using apps like Duo and Google Authenticator, which strengthens protection of accounts on the site. Previously, enrolling in the feature required a phone number; once enrolled, you could add tools like physical security keys and Facebook’s own code generator that lives within the mobile app itself.
Facebook has been quietly rolling out the update over the last month and says it is now available to most users. The company also says it has streamlined the on-boarding process for two-factor authentication, making it easier for users to access the added layer of protection. The update comes several months after the social network was criticized for using people’s two-factor authentication phone numbers to send them spam messages, a problem Facebook later admitted was a bug. The update also follows Facebook’s announcement that it would begin overhauling its privacy menu following the Cambridge Analytica scandal.
Two-factor authentication, or 2FA, helps make your accounts across the web more secure. When you sign in, the feature requires, in addition to your password, a second factor: a one-time code delivered by SMS or generated by an authenticator app on your phone, or a tap on a physical security key. While it’s not a panacea, 2FA makes your accounts significantly better protected from hackers and other threats. If your password is stolen or otherwise leaked, an attacker who has only that password still can’t get in, because the second factor is something they don’t possess. Security experts recommend that you turn the feature on for any site that offers it, and most major websites now do. (You can check out a comprehensive list here.)
Despite two-factor authentication’s many benefits, most users still don’t have the feature enabled on their accounts. Pete Voss, Facebook’s security communications manager, declined to cite how many people use it on the social network. “I can just say that we’ve gotten the feedback that people want it to be easier, people do take security seriously,” he says.
To turn on two-factor on your Facebook account, go to Settings, then look for Security and Login on the left-hand side. Toward the bottom, you will see an option to Use two-factor authentication. While it’s easier to set up two-factor using a phone number, users should really opt for one of Facebook’s newer 2FA offerings.
That’s because SMS two-factor authentication is a weaker form of security than using an authentication app or hardware tool like a YubiKey. While it’s better than nothing, skilled hackers can and have gotten around SMS 2FA. Voss declined to say whether Facebook has experienced incidents where it has been exploited, but other social networks like Twitter have suffered high-profile attacks in which activists like DeRay McKesson have had their accounts breached by hackers exploiting SMS 2FA. In that incident, the hackers impersonated McKesson to his cellular provider, successfully rerouted his text messages to a new SIM card, and obtained his 2FA login code. (Twitter has since begun accommodating authentication apps.) One caveat worth knowing: a phishing page that relays your login to the real site in real time can capture an app-generated code just as easily as an SMS one, since both are simply typed in; only a physical security key, which checks the site it is talking to, resists that.
Authentication apps are safer because the secret that generates the codes is stored on your specific device, not tied to your phone number, so there is nothing for a SIM-swapper to hijack. Which brings up an important point: What happens if you lose your phone and have two-factor turned on? In that event, you need to have backup access codes saved in a safe, memorable place, like on a piece of paper in a locked drawer. Facebook allows you to generate up to 10; they also come in handy when you’re traveling and don’t necessarily have access to your normal cellphone. When you set up 2FA, at the bottom of the screen you will see the option to generate Recovery Codes.
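Recovery codes work because each one is a random string the site shows you exactly once and then accepts exactly once. The example below is added here to show the server side of that, as a security engineer would build it; it is not Facebook’s implementation and only takes the count of 10 from the article. The code length, the salted PBKDF2 storage and the single-use bookkeeping are this example’s own choices.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10        # the article notes Facebook issues up to 10 recovery codes
CODE_BYTES = 6         # 48 bits of randomness -> 12 hex chars shown as xxxx-xxxx-xxxx
KDF_ITERATIONS = 100_000


def normalize(code: str) -> str:
    """Tolerate what a user types from a piece of paper: drop separators, ignore case."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked table of stored codes can't be brute-forced
    offline; 48 bits is too little entropy to protect with a plain SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, KDF_ITERATIONS)


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (codes_to_show_once, salt, stored_hashes).
    Only the salt and the hashes are persisted; the plaintext is displayed to the
    user a single time and never stored."""
    salt = secrets.token_bytes(16)          # one salt per account's code set
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)  # CSPRNG, never random.random()
        codes.append(f"{raw[:4]}-{raw[4:8]}-{raw[8:]}")
    return codes, salt, {hash_code(c, salt) for c in codes}


def redeem_recovery_code(stored: set, salt: bytes, submitted: str) -> bool:
    """Consume one code: the first use succeeds and removes it; a second use fails.
    Compares in constant time and does one KDF per attempt, so rate-limit callers."""
    digest = hash_code(submitted, salt)
    for h in stored:
        if hmac.compare_digest(h, digest):
            stored.discard(h)
            return True
    return False


if __name__ == "__main__":
    codes, salt, stored = generate_recovery_codes()
    print("Show these once and tell the user to write them down:")
    for c in codes:
        print("  ", c)
    print("first use:", redeem_recovery_code(stored, salt, codes[0]))    # True
    print("replayed: ", redeem_recovery_code(stored, salt, codes[0]))    # False
    print("remaining:", len(stored))                                     # 9
```

When the user regenerates codes, discard the whole old set; a recovery code that bypasses the second factor deserves the same handling as a password reset, including notifying the account owner when one is used.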
While you’re at it, you should sign up for 2FA on Instagram as well. When you turn it on, the app will automatically take a screenshot of your backup codes and save it to your camera roll on iOS; since camera rolls often sync to cloud photo libraries, move that image somewhere more private and delete it from the roll. For now, the only 2FA option on Instagram is SMS, but using it is better than merely protecting your account with a password. WhatsApp, another Facebook-owned service, also has a form of two-factor authentication (it calls the feature two-step verification) that you can enable. It lets you set a six-digit PIN that you will need to enter if you register your number with WhatsApp again. This prevents someone else from registering your phone number on another device, even if they have taken over the number itself.
Ultimately, Facebook’s expansion to third-party 2FA authentication apps is a minor update. But as security on social networks becomes more and more crucial, it’s also one that was overdue.