How to Set Up 2FA on Facebook with an Authenticator App
Protect your Facebook account from hacking with two-factor authentication. Step-by-step guide to setting up 2FA using an authenticator app instead of SMS codes.
Facebook accounts are among the most commonly hacked accounts on the internet. Compromised Facebook accounts are used for scams, identity theft, and spreading malware to your friends and family. Whether you use Facebook daily or haven’t logged in for months, securing it with two-factor authentication takes less than three minutes and dramatically reduces the risk of unauthorized access.
Why an Authenticator App, Not SMS?
Facebook offers SMS codes, authenticator apps, and security keys for 2FA. Use an authenticator app, for these reasons:
- SIM-swapping targets Facebook accounts. Attackers can port your phone number to intercept SMS codes. High-profile Facebook and Instagram account takeovers frequently start with a SIM swap.
- No phone number required. You can use an authenticator app without giving Facebook your phone number (one less data point for the platform).
- Works everywhere. Authenticator apps generate codes offline — no waiting for texts, no carrier issues.
What You’ll Need
- A Facebook account
- A phone with an authenticator app (FactorCat, Google Authenticator, or any TOTP-compatible app)
Step-by-Step Setup
On Desktop (Browser)
1. Open Security Settings
Go to facebook.com/settings → Accounts Center → Password and security → Two-factor authentication.
Select the Facebook account you want to protect (if you have multiple accounts in your Accounts Center).
2. Choose Authentication App
Facebook presents three options:
- Authentication app (recommended)
- Text message (SMS)
- Security key
Select Authentication app and click Continue.
3. Scan the QR Code
Facebook displays a QR code and a setup key.
Open your authenticator app:
- In FactorCat: Tap + → Scan QR Code. Facebook is identified and labeled automatically.
- In other apps: Scan the QR code or enter the key manually.
4. Enter the Verification Code
Enter the current 6-digit code from your authenticator app. Click Continue.
5. Done
Facebook confirms 2FA is active. You’ll be asked for a code from your authenticator app when signing in on unrecognized devices.
On Mobile (Facebook App)
- Tap the menu icon (three lines) → Settings & privacy → Settings
- Tap Accounts Center → Password and security → Two-factor authentication
- Select your account → Authentication app
- The app may offer to auto-configure your authenticator, or display a QR code/key
- Add the token to your authenticator app and enter the verification code
Save Your Recovery Codes
After enabling 2FA, go back to the Two-factor authentication settings and look for Recovery codes. Generate and save them:
- Facebook gives you 10 single-use recovery codes
- Store them somewhere safe — not on your phone
- These are your backup if you lose your authenticator device
Facebook’s account recovery process without 2FA backup codes is unreliable. Many users who lose access to their 2FA device and don’t have recovery codes never regain access to their account.
What About Facebook’s “Recognized Devices”?
Facebook remembers devices you’ve signed in from before. On recognized devices, you won’t be asked for a 2FA code every time. This is convenient but means you should periodically review your recognized devices:
Go to Settings → Security and login → Where you’re logged in. Remove any devices or sessions you don’t recognize.
Tips
- Protect your email. Your Facebook recovery email is the key to the kingdom. If an attacker controls your email, they can reset your Facebook password. Set up 2FA on Google/Gmail or whatever email provider you use.
- Beware “account disabled” scams. Messages or emails saying your account will be disabled unless you “verify” via a link are phishing. Facebook doesn’t operate this way.
- Review connected apps. Settings → Apps and websites → remove any you don’t use. Old connected apps can be exploited.
- Use a strong, unique password. If your Facebook password is the same as any other account, change it now.
Next Steps
Facebook is secured. These accounts are next:
- Set up 2FA on Instagram — same Meta family, same attacker motivation
- Set up 2FA on Google — protect the email behind your Facebook
- Set up 2FA on Discord — another social account worth protecting
Signing into Facebook on a new device shouldn’t mean fumbling with a separate authenticator app. FactorCat sends a push to your phone, you tap approve, and the code fills into the browser automatically. Set up once, forget about it.