Guide

How to Set Up Two-Factor Authentication on Facebook

Facebook accounts are among the most commonly targeted by attackers. A compromised Facebook account can be used to send phishing messages to your contacts, post spam, access connected apps, and in some cases lead to financial fraud through Facebook Marketplace or linked payment methods. Two-factor authentication prevents unauthorised sign-ins even when your password has been exposed in a data breach or guessed by an attacker.

How to Enable 2FA on Facebook

  1. Log in to facebook.com and click your profile picture in the top right.
  2. Click Settings & privacy → Settings.
  3. In the left menu, click Security and Login.
  4. Under "Two-factor authentication", click Edit next to "Use two-factor authentication".
  5. Click Get Started.
  6. Choose your preferred method: Authentication app, Text message (SMS), or Security key.
  7. For the authenticator app: follow the prompts to scan the QR code with your app, enter the 6-digit confirmation code, then click Finish.
  8. Facebook will show you a set of recovery codes. Save these immediately.

Recommendation: Use an authenticator app rather than SMS. Facebook accounts are valuable targets and SMS codes can be intercepted via SIM swapping. Authenticator app codes are generated locally and cannot be stolen at the carrier level.

Facebook's Two-Factor Authentication Methods

Authenticator App

This is the recommended method. Any TOTP-compatible app works: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden, and others. After signing in with your password, Facebook asks for the current 6-digit code from your app. Codes refresh every 30 seconds and work offline.

Text Message (SMS)

Facebook sends a code to your registered phone number. This is convenient but less secure than an authenticator app. If you are already using SMS 2FA, consider switching to an authenticator app for better protection.

Security Keys

Facebook supports hardware security keys (FIDO2/WebAuthn) such as YubiKey. These provide the strongest protection available, particularly against phishing. When you sign in, you tap or insert the key instead of entering a code. Security keys are recommended for accounts with large followings or those used for business purposes.

Facebook Login Alerts

Separate from 2FA, Facebook can notify you whenever your account is signed in from an unrecognised device or browser. Enable this under Security and Login → Setting up extra security → Get alerts about unrecognized logins. This does not block a sign-in, but gives you early warning of unauthorised access.

Setting Up Multiple 2FA Methods

Facebook allows you to register more than one 2FA method. It is a good idea to configure both an authenticator app and SMS as a fallback, or register both an authenticator app and a hardware key. Multiple methods ensure you are not locked out if you lose one device.

Using Trusted Contacts as a Recovery Option

Facebook has a feature called Trusted Contacts that allows you to designate 3 to 5 friends who can help you recover your account if you are locked out. Each friend receives a portion of a recovery code. This is a useful backup but requires your trusted contacts to be active Facebook users and responsive. Set it up in Settings → Security and Login → Choose 3 to 5 friends to contact if you get locked out.

Lost Access to Facebook 2FA?

Use a saved recovery code if you have one. If not, Facebook provides several fallback options on the sign-in screen: approved devices, trusted contacts, and identity recovery. The process involves confirming your identity through photos, government ID, or contacts. Recovery can take anywhere from a few minutes to several days depending on which method you use.

Why Facebook Accounts Are Extremely High-Value Targets

Facebook accounts are among the most frequently targeted accounts on the internet. A compromised Facebook account gives attackers access to your personal information, your friends and family network, Facebook Pay details, and — critically — any other accounts where you use "Login with Facebook." Facebook accounts are also used to run fraudulent ads (charged to your linked payment method), send scam messages to your friends, and steal your identity.

Facebook's 2FA Options

Facebook supports authenticator apps, SMS, and hardware security keys. Facebook also has a unique additional feature: you can designate trusted contacts — friends who can help you regain access if you are locked out. Additionally, Facebook offers "Recognised Devices" — devices you have previously used can be saved so that you are not asked for 2FA on those devices in the future.

Facebook's Third-Party App Security

Many users log into other websites and apps using "Login with Facebook." If your Facebook account is compromised, every app or service where you used Facebook login is also at risk. Enabling 2FA on your Facebook account therefore protects all of these connected services simultaneously. Go to Settings → Apps and Websites to review which services have access to your Facebook account and remove any you no longer use.

Frequently Asked Questions

Does Facebook 2FA protect my Instagram account? Not automatically — Instagram is a separate Meta platform with its own 2FA settings, even though the accounts are linked. Enable 2FA on Instagram separately.

Can I use a hardware security key with Facebook? Yes — Facebook supports FIDO2 security keys on both desktop browsers and the Facebook mobile app via NFC or USB-C.

What is Facebook's login alert setting? In Security and Login settings, enable alerts about unrecognised logins. You will be notified immediately if someone else accesses your account from a new device or location.