Facebook announced that it has changed how its two-factor authentication works.
Previously, Facebook required users to enter their phone number in order to activate two-factor authentication. With an update, Facebook streamlines the process by accepting apps like Duo Security and Google Authenticator. The company also says the setup process has been refined, resulting in a simpler, guided experience when enabling 2FA.
This update comes a few months after Facebook admitted a bug in its 2FA system that caused non-security-related SMS notifications to be sent to users’ phones.
Facebook has been using the automated number "362-65" as its two-factor authentication number, but that number ended up sending people Facebook notifications via SMS without their consent. What made the bug worse is that users' replies to these texts were posted to their Facebook profiles.
Two-factor authentication can come in several forms. While using a phone number is safe, hackers have started using SMS as an attack method. One example was an incident in Iran where Telegram accounts were compromised using an SMS scam.
To set up two-factor authentication on a Facebook profile, users need to go to Settings, and then click on 'Security and Login'. There they can navigate to a section that says 'Use two-factor authentication' and select whether they would like to use their phone number or an authentication app to add an extra layer of security.
After setting that up, users will be presented with a QR code.
Users then need to open an authentication app of their choice, create a new login, and scan that QR code. They then type the six-digit code that is automatically generated on the device into the Facebook prompt, and they're good to go.
Using authentication apps may sound inconvenient. However, it can be a lot safer.
First of all, using authentication apps is one way to keep users' phone numbers out of Facebook's database. In the wake of GDPR, the Facebook-Cambridge Analytica scandal and other security and privacy concerns about the social media giant, this should appeal to privacy-minded individuals.
Second, this method also prevents users from receiving texts every time someone (or even the legitimate user) is trying to log in to their account.
And third, this feature works offline. Users don’t need an internet connection to generate the code. But for additional safety, users can generate a few static backup codes that they can print or write down in case they lose their device.