Why Facebook Accounts Are a Favorite Target


A hijacked Facebook account is valuable. Attackers use stolen accounts to run scam ads with your payment methods, message your friends with phishing links, and take over any business pages you manage. And anyone who has tried to recover a hacked Facebook account knows the process can drag on for weeks.

Two-factor authentication stops most of these takeovers before they start. Even with your password in hand, an attacker hits a wall at the second step.

Where the 2FA Setting Lives

Meta moves this setting around occasionally, but as of now the path is:

  1. Open Facebook and go to Settings & privacy → Settings.
  2. Click Accounts Center (usually at the top).
  3. Select Password and security.
  4. Click Two-factor authentication and choose your Facebook account.

On mobile, the same path applies: Menu → Settings & privacy → Settings → Accounts Center → Password and security → Two-factor authentication.

Your Three Options, Ranked

1. Authentication App (Best Choice)

Facebook supports any standard TOTP app. Setup takes a minute:

  1. Choose Authentication app from the 2FA options.
  2. Facebook shows a QR code and a text key.
  3. Scan the QR code with your authenticator app, or type the key manually.
  4. Enter the six-digit code the app generates to confirm.

The code changes every 30 seconds and is computed on your device from a secret key that never travels over the network. If you're new to authenticator apps, our comparison of the best authenticator apps will help you pick one. You can also verify your setup key works with our free TOTP generator.

2. Security Key (Strongest, Less Convenient)

Facebook supports hardware security keys over USB, NFC, and Bluetooth. A physical key is immune to phishing because the browser binds its response to the real facebook.com origin, so a look-alike site receives an answer it cannot use. It's the right choice for page admins, advertisers, and public figures. For everyone else, an authenticator app hits the sweet spot.

3. SMS Codes (Better Than Nothing)

Facebook can text you a login code. The problem: your phone number can be stolen through SIM swapping, and Facebook accounts tied to phone numbers have historically been targets for exactly that attack. We explain the risks in our post on why SMS 2FA is not safe enough. Choose the app instead.

Save Your Recovery Codes Right Now

After enabling 2FA, Facebook offers recovery codes: ten single-use codes that get you in if your phone is lost or broken.

  1. In the Two-factor authentication settings, find Additional methods → Recovery codes.
  2. Generate the codes and store them somewhere safe that is not your phone.

A password manager entry or a printed sheet in a safe place works. Skipping this step is the number one cause of permanent Facebook lockouts. We wrote a whole guide on how backup codes work if you want the details.

Extra Protections Worth Turning On

  • Login alerts: In Password and security, enable alerts for unrecognised logins. You'll get a notification the moment someone signs in from a new device.
  • Review active sessions: Check "Where you're logged in" and log out any device you don't recognise.
  • Trusted contacts are gone: Facebook retired the old trusted contacts feature, so recovery codes matter more than ever.

If You Manage a Facebook Page or Ad Account

Meta requires 2FA for many business accounts, and for good reason: hijacked ad accounts get drained fast. Every admin on your page should enable 2FA individually. One admin without it is an open side door to the whole page.

An account takeover doesn't just cost you your profile. Attackers routinely charge thousands of dollars in scam ads to saved payment methods before the owner notices.

Frequently Asked Questions

I turned on 2FA but Facebook keeps asking for codes. Is that normal?

Facebook asks for a code when you log in from a new browser, device, or location. Tick "Trust this device" on your personal machines and the prompts settle down. Frequent prompts on the same device usually mean your browser is clearing cookies.

Can I use 2FA on Facebook without a phone number?

Yes. An authenticator app needs no phone number at all. In fact, removing your phone number as a 2FA method makes your account more resistant to SIM swap attacks.

What if I lose my phone and my recovery codes?

You'll have to go through Facebook's identity verification, which may require photo ID and can take days or weeks. There is no guaranteed outcome. This is why saving recovery codes at setup time matters so much.

Does Facebook 2FA cover Messenger and Instagram too?

Messenger uses your Facebook login, so yes. Instagram is a separate account with its own 2FA setting, even if it's linked in Accounts Center. See our separate guide on enabling 2FA on Instagram.

Which authenticator app works with Facebook?

Any standard TOTP app: Google Authenticator, Authy, Microsoft Authenticator, Bitwarden, 1Password, and others. Facebook's QR code follows the open standard, and you can test any secret with our browser-based 2FA code generator.

Written by Shoyeb Akter

Security Tools Developer and creator of 2FA Fast — a privacy-first browser-based authenticator and security tools platform.