Securing Facebook and Facebook Messenger

Multi-factor authentication

Multi-factor authentication is a security measure that requires two or more proofs of identity to grant you access.

This step-by-step guide shows you how to secure your Facebook account with the use of multi-factor authentication (MFA), also known as two-factor authentication for Facebook.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is when you use two or more steps to verify your identify, and you may already be using MFA. For example, when you receive an authentication code by text message after entering your password to log into your online banking account. MFA is one of the best ways to protect against someone breaking into your account. It makes it harder for cybercriminals to take over your account, by adding extra layers of protection.

MFA requires you to use a combination of two or more of the following factors to access your accounts:

  • Something you know (e.g. a PIN, password or passphrase);
  • Something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and
  • Something you are (e.g. a fingerprint, facial recognition or iris scan).

MFA defends against the majority of password-related cyberattacks. For example, MFA protects against credential stuffing where cybercriminals use previously stolen passwords from one website and try to reuse them elsewhere so they can gain access to more accounts.

Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from cybercriminals trying to break in. Even if they break through one layer (for example, by guessing your password), they still need to break a second barrier to access your account.

Having an extra step can be inconvenient at first, but remember that taking shortcuts leaves your system more vulnerable. You are better off spending a few seconds entering a one-time code now, to avoid spending hours later on trying to regain access to stolen data.

MFA often goes by different names. You may see it called two-factor authentication (2FA) or two-step verification. No matter what it’s called, these are still types of MFA and will help keep your account secure.

Turn on MFA for your Facebook account

The screenshots below show the Facebook app, however the steps for Facebook Messenger will be similar.

  1. Open the Facebook app. Tap the three stacked lines in the bottom right. Scroll down to the bottom and tap Settings & Privacy, then tap Settings.
Screenshot of Facebook page
  1. Tap Password and security.
Screenshot of Facebook page
  1. Tap Use two-factor Authentication. You may be asked to enter your password at this point.
Screenshot of Facebook page
  1. Follow the on-screen instructions to set-up two-factor authentication, using a security key on a compatible device, an authentication app (recommended), or text message.
Screenshot of Facebook page

Authenticator apps are mobile applications that generate a random ‘one-time password’ (OTP) to verify your identity when you log in.  They are generally considered more secure than a text message. Learn more about using authenticator apps

If you select the text message option, you can either use a mobile number already linked to your Facebook account, or a different mobile number. Learn more about using text messages for two-factor authentication

A security key is a small hardware that can be used to keep your Facebook account secure. Learn more about security keys

  1. Tap Authentication app and follow the on-screen instructions. You can either scan a QR code, or manually enter a code into your authentication app. This will do the same thing: to link your authentication app to your Facebook account. Once you have done this step, tap Continue.
Screenshot of Facebook page
  1. You will be asked to enter a 6-digit code. This code is a one-time pin generated by your authentication app, which is usually valid for 30 seconds. Open your authentication app, view the code, and go back to your Facebook app to enter the code on the below screen. Then, tap Continue.
Screenshot of Facebook page
  1. A ticked box will appear next to two-factor authentication at the top of your settings, when it has successfully been turned on.
Screenshot of Facebook page
  1. Go back to your two-factor authentication screen (step 3), and tap Recovery codes.
Screenshot of Facebook page
  1. Save them in a safe place that you will remember, such as a password manager.  Without these codes, you might not be able to log in to your account if you lose access to your phone or if the authenticator is not working.
Screenshot of Facebook page

Security Tips

We have included some additional security tips to help keep your account secure.

  • Log out of Facebook if you are using a device that you share with other people, each time. Never tick the ‘remember me’ box when you log in with a public computer, or it will keep you logged in even after you close the browser window. Even better: don’t use a public computer to access your social media accounts.
  • Pick a strong password and never share it with anyone. It is also a good idea to change your password regularly.
  • Check your privacy settings. By default, everyone on Facebook will be able to see your profile and some people can see if you’re online. If you don’t want this to be the case, you can change these in your account settings. For more information on privacy settings, refer to Facebook’s guidance and for more information on how to stay safe on Facebook, refer to the eSafety Guide.
  • Check third-party apps. It is a good idea to review which apps and websites you’ve given access to your Facebook account. If you find any that are unfamiliar to you, you should remove their access. For more information, refer to Facebook’s guidance.  
  • Never click on links in emails or messages, or open attachments, from people or organisations you don’t know, and do not reply to unsolicited friend requests on Facebook. Crafty scammers may pose as someone you know, or even gain unauthorised access to your friends’ social media account and send you a message that contains a link or attachment, or unusual requests (e.g. asking for money). It can be hard to know if it is legitimate, but the best way to know if your friend or a scammer is behind the message is to check with your friends, offline.
  • Always be wary of opening attachments. If you expected to receive one and it’s a common file type (such as a .PDF or .doc file) then treat the content as read-only: never enter your sign-in details and don’t follow additional links to initiate transactions. If it is a file type that you don’t recognise, then leave it alone.
  • After you have already signed in to using MFA, you have the option to mark your personal device as a trusted device by tapping ‘Trust this device’. This way, you won't have to enter a security code when you log in every time. However, you should only do that with your own device. Do not tap Trust this device if you're using a public or shared device that other people you may not know can access.
Content complexity
Simple
This rating relates to the complexity of the advice and information provided on the page.
Was this information helpful?

Thanks for your feedback!

 
Optional

Tell us why this information was helpful and we’ll work on making more pages like it

Icon for ReportReport a cyber security incident for critical infrastructure Icon for becoming a alertsGet alerts on new threatsAlert Service Become anACSC partner Icon for reportingReport a cybercrime or cyber security incident
Acknowledgement of Country icon
Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.
Authorised by the Australian Government, Canberra