Multi-factor authentication (MFA) Multi-factor authentication (MFA) is when you use two or more steps to verify your identify, and you may already be using MFA. For example, when you receive an authentication code by text message after entering your password to log into your online banking account. MFA is one of the best ways to protect against someone breaking into your account. It makes it harder for cybercriminals to take over your account, by adding extra layers of protection. MFA requires you to use a combination of two or more of the following factors to access your accounts: Something you know (e.g. a PIN, password or passphrase); Something you have (e.g. a smartcard, physical token, authenticator app, SMS or email); and Something you are (e.g. a fingerprint, facial recognition or iris scan). MFA defends against the majority of password-related cyberattacks. For example, MFA protects against credential stuffing where cybercriminals use previously stolen passwords from one website and try to reuse them elsewhere so they can gain access to more accounts. Think of adding MFA to your account like adding a locked security screen to your home. It provides you with an extra layer of protection from cybercriminals trying to break in. Even if they break through one layer (for example, by guessing your password), they still need to break a second barrier to access your account. Having an extra step can be inconvenient at first, but remember that taking shortcuts leaves your system more vulnerable. You are better off spending a few seconds entering a one-time code now, to avoid spending hours later on trying to regain access to stolen data. MFA often goes by different names. You may see it called two-factor authentication (2FA) or two-step verification. No matter what it’s called, these are still types of MFA and will help keep your account secure. Turn on MFA for your Facebook account The screenshots below show the Facebook app, however the steps for Facebook Messenger will be similar. Open the Facebook app. Tap the three stacked lines in the bottom right. Scroll down to the bottom and tap Settings & Privacy, then tap Settings. Tap Password and security. Tap Use two-factor Authentication. You may be asked to enter your password at this point. Follow the on-screen instructions to set-up two-factor authentication, using a security key on a compatible device, an authentication app (recommended), or text message. Authenticator apps are mobile applications that generate a random ‘one-time password’ (OTP) to verify your identity when you log in. They are generally considered more secure than a text message. Learn more about using authenticator apps. If you select the text message option, you can either use a mobile number already linked to your Facebook account, or a different mobile number. Learn more about using text messages for two-factor authentication. A security key is a small hardware that can be used to keep your Facebook account secure. Learn more about security keys. Tap Authentication app and follow the on-screen instructions. You can either scan a QR code, or manually enter a code into your authentication app. This will do the same thing: to link your authentication app to your Facebook account. Once you have done this step, tap Continue. You will be asked to enter a 6-digit code. This code is a one-time pin generated by your authentication app, which is usually valid for 30 seconds. Open your authentication app, view the code, and go back to your Facebook app to enter the code on the below screen. Then, tap Continue. A ticked box will appear next to two-factor authentication at the top of your settings, when it has successfully been turned on. Go back to your two-factor authentication screen (step 3), and tap Recovery codes. Save them in a safe place that you will remember, such as a password manager. Without these codes, you might not be able to log in to your account if you lose access to your phone or if the authenticator is not working. Security Tips We have included some additional security tips to help keep your account secure. Log out of Facebook if you are using a device that you share with other people, each time. Never tick the ‘remember me’ box when you log in with a public computer, or it will keep you logged in even after you close the browser window. Even better: don’t use a public computer to access your social media accounts. Pick a strong password and never share it with anyone. It is also a good idea to change your password regularly. Check your privacy settings. By default, everyone on Facebook will be able to see your profile and some people can see if you’re online. If you don’t want this to be the case, you can change these in your account settings. For more information on privacy settings, refer to Facebook’s guidance and for more information on how to stay safe on Facebook, refer to the eSafety Guide. Check third-party apps. It is a good idea to review which apps and websites you’ve given access to your Facebook account. If you find any that are unfamiliar to you, you should remove their access. For more information, refer to Facebook’s guidance. Never click on links in emails or messages, or open attachments, from people or organisations you don’t know, and do not reply to unsolicited friend requests on Facebook. Crafty scammers may pose as someone you know, or even gain unauthorised access to your friends’ social media account and send you a message that contains a link or attachment, or unusual requests (e.g. asking for money). It can be hard to know if it is legitimate, but the best way to know if your friend or a scammer is behind the message is to check with your friends, offline. Always be wary of opening attachments. If you expected to receive one and it’s a common file type (such as a .PDF or .doc file) then treat the content as read-only: never enter your sign-in details and don’t follow additional links to initiate transactions. If it is a file type that you don’t recognise, then leave it alone. After you have already signed in to using MFA, you have the option to mark your personal device as a trusted device by tapping ‘Trust this device’. This way, you won't have to enter a security code when you log in every time. However, you should only do that with your own device. Do not tap Trust this device if you're using a public or shared device that other people you may not know can access.