2FA setup on Facebook changed with the aim of increasing user security

Facebook has eliminated the need for users to register a phone number in order to set up two-factor authentication (2FA) in a move intended to get more users to add in another layer of security, according to a press release by Facebook’s product manager Scott Dickens.

To authenticate logins, the social network now enables users to employ a third-party app such as Google Authenticator or Duo Security on both desktop and mobile. The company has also revamped its 2FA feature with a “streamlined setup flow that guides you through the process”.

“Two-factor authentication is an industry best practice for providing additional account security and we just made it easier to set up,” wrote Dickens.

Text messages are the most common second factor although, due to the vulnerability of text messages to a number of threats, security professionals have been advising against using SMS for verification for a long time. Facebook has been offering SMS-based 2FA for a while now and will continue to do so, but using other means such as a hardware device or an authenticator app is generally viewed as safer.

There is no word on how many Facebook users actually use 2FA. On Google accounts, for example, the data are rather grim, as fewer than one in ten Google account holders utilize 2FA.

What to do?

To enable two-factor authentication on your Facebook profile, navigate to “Settings”, then to “Security and Login”, and then to the “Use two-factor authentication” section, where you can choose and set up your 2FA method of choice. While you’re at it, you may also want to peruse your other privacy and security settings.

Many online services, including the biggest players, nowadays offer at least one of the 2FA methods. The availability of 2FA on various online services can be checked on this site.

While not a cure-all, the extra authentication factor offers a valuable additional layer of protection in exchange for very little effort. It is safe to say that 2FA would have prevented countless account break-ins over the years had the legitimate account holders turned it on.

That said, it should not detract from the importance of having a strong and unique password or, even better, passphrase.