Two step authentication in Facebook – go do this now

Do you have anything on Facebook that you wouldn’t want anyone hacking into – photos, private messages, your endless list of Paolo Nutini likes? If you’re nodding your head vigorously just now, it’s time to ramp up the security of your Facebook login.

Two step authentication

Two step authentication is a mechanism where, if you log in from a device the site doesn’t recognise, your password alone isn’t enough: the site asks for a second proof of identity to make sure you are who you say you are and not some crazy spammer/snooping friend/MI5 agent.

This secondary form of confirmation comes either from an SMS text message sent to your phone or from an authentication code you generate in the mobile app.

It makes logging in from new devices a little more complicated, but the added security makes hacking your account that much more difficult: someone who has only your password (from a phishing page or a leaked password list, say) can no longer log in from their own machine.

So, to set it up.


Go to the Facebook website and click into the settings tab for your account (the arrow to the right of the home link), then click on the Account Settings link towards the bottom of that menu. You should now be on the Account Settings page.

Now click on the Security tab in the left hand menu.

Security Tab

For a start (and unrelated to this), make sure that the first setting – Secure Browsing – is set to enabled. This makes Facebook serve every page over HTTPS, so all traffic between your browser and Facebook is encrypted and nobody on the same wifi can read your session. There’s no reason not to have this switched on.

Now have a look at the third option – Login Approvals. This is what Facebook calls two step authentication, and it’s what we’re setting up.

Click on the edit link next to this and then check the checkbox next to “Require me to enter a security code each time an unrecognized computer or device tries to access my account“.

Facebook will now pop up a wizard that will guide you through setting up the steps. Have your phone to hand.

Read through the info then hit Set Up Now and Facebook will send you a confirmation code via SMS. Once you get the code through (it can take a few minutes), enter it where prompted then continue through to the next stage of set-up.

If all has gone well, you’ll now get a success message.

Code Generator

As well as getting access codes via SMS, you can use the Facebook app (on Android at least) to generate access codes. The next step of the wizard takes you through setting this up.

If you have an Android phone, click to continue and follow the instructions to see how to generate the code on your phone. I’m not going into the details here as there’s no real user input involved and the way it’s accessed could change at any time.

So, you now have two step authentication set up.

Access Control

The next thing to check in your security settings is what has access to your account. Click edit on the Recognized Devices tab and see if there’s anything in there that doesn’t look familiar.

This is the list of every device you’ve told Facebook to trust, i.e. devices that won’t be asked for a code again. Anything you don’t recognise, just delete it. You can always grant access again if you need to, and a deleted device simply gets prompted for a code next time it logs in.

App Passwords

Facebook supports OAuth (open authorization) to give apps access. So, when you connect an app to your Facebook account, you don’t have to give the app your password. You’ll have seen this when you’ve been redirected to Facebook with a button to confirm access. This is a great way of handling authorization between apps, as your password is never shared with the app and you can withdraw the app’s access later without changing your password.

However, not all apps support this. DrawSomething was a notable culprit that needed you to enter your Facebook password within its system to connect to Facebook. There are several reasons you don’t want any old app having access to your password, not limited to:

  • you also use that password for your email/online banking/safe
  • if the app gets hacked, you don’t want to have to change your password everywhere
  • you don’t really trust the app makers not to do anything crazy with your account

For these situations, Facebook supports app passwords. These are individual passwords you create for a specific app, which you can revoke at any time. So, DrawSomething can have its own login to your account, as can your mobile app and your tablet app. Note that an app password stands in for both your password and your login approval code, so treat each one as a full credential: give it only to the app it was made for, and delete any you no longer use.

If you want to revoke access for any of these, it’s just a case of deleting that app password.
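To show the model behind app passwords (a random, per-app credential that is stored only as a hash and can be revoked on its own), here is an added example of how a service might implement them. This is illustrative code, not Facebook’s, and the password length, alphabet and hashing parameters are assumptions. The app names are constructed sample input.

```python
"""Per-app passwords: one revocable credential per app, never the account password."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed example of the app-password model; hashing parameters are
# illustrative choices, not any real service's settings.
ALPHABET = string.ascii_lowercase + string.digits


class AppPasswordStore:
    """Holds a salted hash of each app password, keyed by the name the user gave it."""

    def __init__(self, iterations: int = 100_000) -> None:
        self.iterations = iterations
        self._entries: Dict[str, Tuple[bytes, bytes]] = {}  # app name -> (salt, hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def generate(self, app_name: str, length: int = 20) -> str:
        """Mint a random password for `app_name`, shown to the user exactly once.
        Only the salted hash is kept, so a copy of this store does not leak it."""
        if app_name in self._entries:
            raise ValueError(f"app password for {app_name!r} already exists; revoke it first")
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = os.urandom(16)
        self._entries[app_name] = (salt, self._hash(password, salt))
        return password

    def verify(self, password: str) -> Optional[str]:
        """Return the name of the app whose password matches, or None.
        The app sends the account's usual username plus its app password,
        so every entry is tried; comparison is constant-time."""
        for app_name, (salt, digest) in self._entries.items():
            if hmac.compare_digest(self._hash(password, salt), digest):
                return app_name
        return None

    def revoke(self, app_name: str) -> bool:
        """Delete one app's credential. The device it lived on can no longer log in,
        and every other app password keeps working."""
        return self._entries.pop(app_name, None) is not None

    def list_apps(self) -> List[str]:
        return sorted(self._entries)


if __name__ == "__main__":
    store = AppPasswordStore()
    draw = store.generate("DrawSomething")   # constructed sample app name
    phone = store.generate("Android phone")  # constructed sample app name
    print("apps with passwords:", store.list_apps())
    print("phone logs in as:", store.verify(phone))
    store.revoke("Android phone")            # the phone went missing
    print("phone after revoke:", store.verify(phone))
    print("DrawSomething still works:", store.verify(draw))
```

Because each entry is hashed with its own salt, revoking one app touches nothing else, and the real account password never reaches the store at all, which is exactly the property the post wants from “don’t give any old app your password”.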

Let’s set it up on your phone.

Setting up an app password for your mobile Facebook app

Make sure you’re signed into Facebook on your PC. Go to the security tab (as per the steps above).

Sign out of the Facebook app on your phone.

Click on the App Passwords tab and select the Generate app passwords link.

Click on Generate app passwords, then enter a name for the app you’re creating the password for (something like “Android phone” so you can tell later which one to revoke).

Facebook will now generate a new password for that app. It’s only shown once, so type it into the app straight away.

Now, on your phone, log in to your Facebook app using your normal username/email address but with the newly generated password. If all has gone to plan, it should log in as normal. The difference is that this time the app holds a password that only works for it, not your real account password.

If your phone goes missing, you can just delete that app password and whoever has the phone won’t be able to access your account.

You can follow the same procedure for any other apps that want to access your account.

And, your account is now that little bit more secure.

There is a very similar process for setting up two step authentication with Gmail which you also really should be doing. Go do that next if you haven’t already.

Kevin Wilson

.NET developer, JavaScript enthusiast, Android user, Pebble wearer, sometime musician and occasional cook.

One thought on “Two step authentication in Facebook – go do this now”

  1. 2-Factor Authentication wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection. Just the fact that we are still living in a password world is annoying. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control.
