Facebook now supports 2FA via authenticator apps

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

Facebook has good news for users who wish to secure their accounts with two-factor authentication but aren’t comfortable sharing their phone number with the social network: there’s now an option to use authenticator apps to receive the second authentication factor.

Facebook 2FA via authenticator apps

The move was announced on Wednesday by Facebook’s product manager Scott Dickens.

“We previously required a phone number in order to set up two-factor authentication, to help prevent account lock-outs. Now that we have redesigned the feature to make the process easier to use third-party authentication apps like Google Authenticator and Duo Security on both desktop and mobile, we are no longer making the phone number mandatory,” he said.

The National Institute of Standards and Technology (NIST) is advising against using SMS-based two-factor authentication as the method is vulnerable to attack.

An attacker can convince the mobile operator to redirect the victim’s mobile phone to the attacker and receive the code via SMS. Or, a malicious app on the endpoint can harvest information sent via SMS.

Dickens did not mention how many users already enabled 2FA via SMS.

How to set up Facebook 2FA via Authentication App

The process of enabling two-factor authentication has also been streamlined.

Users are required to go to Settings > Security and Login, press the Edit button next to the Use two-factor authentication option, and follow the instructions provided once they press the Get Started button.

Users should choose the 2FA via Authentication App option, can set up by simply scanning the offered QR code (see image above), and then confirm the set up by entering the confirmation code provided by the app. They are also give the option of allowing logins without a code for 1 week or not.

Once 2FA is set up, Facebook will ask for the login code any time users log in on a phone or computer the service does not recognize.