Facebook accounts are among the most commonly targeted by attackers. A compromised account can be used to send phishing messages to your contacts, post spam, access connected apps and, in some cases, commit financial fraud through Facebook Marketplace or linked payment methods. Two-factor authentication (2FA) requires a second proof of identity at sign-in, so a password that has been exposed in a data breach, guessed, or phished is no longer enough on its own.
How to Enable 2FA on Facebook
- Log in to facebook.com and click your profile picture in the top right.
- Click Settings & privacy → Settings.
- In the left menu, click Security and Login. (On newer versions of Facebook these settings have moved to Accounts Center → Password and security.)
- Under "Two-factor authentication", click Edit next to "Use two-factor authentication".
- Click Get Started.
- Choose your preferred method: Authentication app, Text message (SMS), or Security key.
- For the authenticator app: follow the prompts to scan the QR code with your app, enter the 6-digit confirmation code, then click Finish.
- Facebook will show you a set of recovery codes. Save them immediately, somewhere separate from the phone that runs your authenticator app: a password manager or a printout kept offline. Each code can be used only once.
Facebook's Two-Factor Authentication Methods
Authenticator App
This is the recommended method. Any TOTP-compatible app works: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden and others. The QR code you scan contains a shared secret; from then on the app and Facebook each compute the same 6-digit code from that secret and the current time, so the app needs no network connection, only a reasonably accurate clock. After signing in with your password, Facebook asks for the current code, which changes every 30 seconds.
Text Message (SMS)
Facebook sends a code to your registered phone number. This is convenient but less secure than an authenticator app: the code can be captured by SIM-swap fraud or by a phishing page that asks you to type it in, and it depends on your mobile number staying under your control. If you are already using SMS 2FA, switch to an authenticator app or a security key for better protection.
Security Keys
Facebook supports hardware security keys (FIDO2/WebAuthn) such as YubiKey. These give the strongest protection available, particularly against phishing, because the key only answers a challenge from the genuine facebook.com site and there is no code for you to type into a fake one. When you sign in, you insert and tap the key instead of entering a code. Security keys are recommended for accounts with large followings or those used for business purposes; keep a second key or another method registered so a lost key does not lock you out.
Facebook Login Alerts
Separate from 2FA, Facebook can notify you whenever your account is signed in from an unrecognised device or browser. Enable this under Security and Login → Setting up extra security → Get alerts about unrecognized logins. This does not block a sign-in, but it gives you early warning of unauthorised access so you can change your password and end the session from the Where You're Logged In list.
Setting Up Multiple 2FA Methods
Facebook allows you to register more than one 2FA method, and at sign-in you can choose any of them. Pair an authenticator app with a security key, or with your saved recovery codes, so you are not locked out if you lose one device. Adding SMS as a fallback also works, but remember that an attacker gets to pick the weakest registered method: anyone who takes over your phone number can sign in with it.
Using Trusted Contacts as a Recovery Option
Facebook has had a feature called Trusted Contacts that lets you designate 3 to 5 friends who can help you recover your account if you are locked out. Each of them can obtain a code for you, and you need codes from several of them to regain access. This is a useful backup but requires your trusted contacts to be active Facebook users who respond promptly, and it relies on their own accounts not being compromised. It is set up under Settings → Security and Login → Choose 3 to 5 friends to contact if you get locked out. Facebook has been phasing this feature out, so it may not appear in your settings.
Lost Access to Facebook 2FA?
Use a saved recovery code if you have one; each code works once and this is the fastest route back in. If not, Facebook offers fallback options on the sign-in screen: approving the login from a device that is already signed in, trusted contacts, and identity recovery, which asks you to confirm who you are with photos of yourself, a government ID, or help from contacts. Recovery can take anywhere from a few minutes to several days depending on the method, so save your recovery codes and register a second method before you need them.