Account hijacking is a big problem on Facebook, where attackers manage to guess—or brute-force—your passwords. Two-factor authentication can help make it harder for criminals to take over your account.
When attackers breach the account, the end goal may be just to send spam or to trick your friends into clickjacking scams. The attacker may also be using Facebook as a stepping stone to other attacks. Regardless, it makes sense to protect your account with something a bit stronger than just passwords.
Enter two-factor authentication, a way to make it harder for criminals to break into your account. Facebook rolled out two-factor authentication two years ago as “Login Approvals” so that users could protect themselves from account hijackings.
There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options, and the most common combination is the password and a one-time code sent to a cell phone.
In the case of Facebook, the one-time password is either sent via SMS message to a phone that is not running Android or iOS, or generated by the Facebook mobile app on Android and iOS devices. With Login Approvals enabled, someone trying to break into your account needs to know more than just your email address and password. That person will also need your mobile device to obtain the additional security code.
Login Approvals works a little differently from other site implementations in that the user is asked to enter that security code only when the login is from an unrecognized device. If someone tries to log in from somewhere else, that attempt would be blocked. But if that person stole your laptop and tries to log in to your account, there won’t be a security prompt because Facebook recognizes the device.
Even so, enabling Login Approvals is a good idea in most cases because it adds an extra layer of security. In general, if you have multiple defenses in place, attackers will just give up and find an easier victim.
Turning on Login Approvals
To set up two-factor authentication, click on the gear icon on the top right corner of the page, and select “Account Settings” from the drop-down menu. When you click on “Security,” you will see several settings, including “Login Approvals.” Clicking on the option opens up a checkbox, “Require a security code to access my account from unknown browsers.”
Facebook will walk you through the process step-by-step, explaining how to receive the security code on your mobile device and where to type it in whenever you want to access your account from an unknown location. You can receive SMS messages to non-Android or non-iOS devices, or use the latest version of the Facebook app on Android and iOS. In the Facebook mobile app, there is a Code Generator that generates one-time passwords that are used for Login Approvals.
Whether you decide to use SMS messages or the Facebook app, the challenge ensures that only people who know your account credentials and have physical access to your mobile device can actually log in. If you lose your phone, you aren’t automatically locked out, since you always have the option to log back in from a recognized device.
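How a Login Approvals-style flow fits together, as an added example that is not Facebook's code: the server-side check below (hypothetical `Account` class) demands a standard RFC 6238 time-based one-time code, the kind an app code generator produces, only from unrecognized devices, and remembers a device once it passes a challenge. It assumes the code generator is a plain TOTP app and that a device is identified by a stable browser token; Facebook's real Code Generator and device-recognition details are not described on this page.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1) for unix time t."""
    counter = struct.pack(">Q", t // step)          # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    """Password plus a second factor that is only demanded from unrecognized devices."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.otp_secret = otp_secret                # shared with the code generator app
        self.recognized = set()                     # device tokens that passed a challenge

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, device_id: str, otp: Optional[str] = None,
              now: Optional[int] = None) -> str:
        # First factor: something you know.
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return "denied"
        # A recognized device skips the challenge entirely; this is also why a
        # stolen laptop that was already recognized is not stopped by this check.
        if device_id in self.recognized:
            return "ok"
        if otp is None:
            return "challenge"                      # ask the user for the security code
        # Second factor: something you have. Accept one 30 s step of clock drift.
        t = int(time.time()) if now is None else now
        for drift in (-1, 0, 1):
            if hmac.compare_digest(totp(self.otp_secret, t + drift * 30), otp):
                self.recognized.add(device_id)      # remember this browser from now on
                return "ok"
        return "denied"
```

The TOTP values used in the check come from the RFC 6238 test vectors (secret `12345678901234567890`), so the function can be validated against a known-good generator.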