Facebook 2FA no longer needs a phone number: here’s how to set it up

We’re big believers in two-factor authentication (2FA) here at Naked Security. With all the account hijackings that have caused so much heartache, headache, stalking and tormenting, we think it’s particularly crucial for services such as Twitter and Facebook – services that have, for better and for worse, fastened themselves to our online lives as tightly as facehuggers in an Alien movie.

We’ve provided guides on how to set up 2FA before, but they came garnished with a big caveat: you’ve had to be comfortable with handing over your phone number to a service that has proved to be a bit butterfingery with users’ personal data.

We 2FA fans have had to live with the trade-off, given that Facebook has required users to have a mobile phone in order to get that second factor via SMS. Because that’s what 2FA is: it’s technology that requires you to prove you are who you say you are to a website or service by using two out of these three things:

  • Something you know – like a password.
  • Something you have – like a numerical key code.
  • Something you are – like a fingerprint.

(For an in-depth, technical discussion of how 2FA works, check out Chester Wisniewski’s 2FA article here.)

But all that required-SMS stuff is now no more. On Wednesday, Facebook announced that it’s made 2FA easier to set up, with a streamlined setup flow that guides you through the process. It’s also now offering other ways to get your second factor besides handing over your phone number.

Facebook’s redesign now makes it easier to use third-party authentication apps such as Google Authenticator, Authy, Duo Security, or Sophos Authenticator (here are the links for the iOS and the Android version).

How to set up 2FA on your Facebook account

1) On your computer, log in to your Facebook account. You can click here for Settings, or click the drop-down arrow at the top right of the page on the blue notification bar. It’s to the right of the question mark:

2) At the bottom of the menu, click “Settings.” On the next screen, hit “Security and Login” on the menu on the left:

3) Scroll down to Two-Factor Authentication.

4) As you can see in the image above, you now have three choices for 2FA: you can go old-school and use your passcode plus a code from your phone, review a list of devices where you won’t need to use a login code, or get into your apps with special passcodes instead of using your Facebook passcode or login codes.

5) Next, select whether you’d like to use your phone number or an authentication app to add an extra layer of security.

You should choose to use an authenticator app: it’s a safer option.

As we’ve written about before, there are pluses and minuses to either SMS or authenticator apps when it comes to 2FA, but the National Institute of Standards and Technology (NIST) has declared that the age of SMS-based 2FA is over.

A crook can hijack your SMSes with a SIM swap scam. If a crook can convince a mobile phone shop that they’re you, they can get the shop to issue a replacement SIM encoded with your phone number. Your phone will go dead, and theirs will start receiving your calls and messages, including 2FA codes.

We’ve seen SMS at the center of many two-factor hacks, including an incident in August 2016 in which the Telegram accounts of more than a dozen activists, journalists and other people in sensitive positions in Iran were targeted by hackers who intercepted the app’s SMS activation messages.

Facebook hasn’t out and out stuck a fork in SMS-based 2FA just yet, but we will. Say hello to the authenticators instead – it will be easier to do, now that Facebook’s laid out the welcome mat.