Two-factor authentication (2FA) on Facebook adds a second lock to your account. Even if someone gets your password, they still need a code from your phone to sign in. Microsoft research shows that this one step blocks over 99.9% of automated account attacks. Here is how to turn it on in a few minutes.

Facebook accounts are a top target for hackers. Your profile contains years of personal information, private messages, photos, and connections to friends and family. A stolen Facebook account can be used to impersonate you, scam your contacts, or access other services you signed into with Facebook Login.

Why does Facebook 2FA matter?

Facebook has nearly 3 billion active users as of 2026, and it remains one of the most commonly breached platforms. Attackers use stolen passwords from other data breaches to try to break into Facebook accounts — a technique called credential stuffing.

If you have ever reused a password across websites, your Facebook account could be at risk right now. Without 2FA, all an attacker needs is your email and password. With 2FA enabled, they also need a code from your phone — which they do not have.

Want to know if your email has already been exposed in a breach? Check if your email was leaked — it is free and takes a few seconds.

How do you turn on 2FA on Facebook step by step?

Facebook moved its security settings into what they call “Accounts Center” in recent years. Here is the exact path to follow as of 2026.

On a phone (Facebook app):

  1. Open the Facebook app and tap your profile picture in the bottom right.
  2. Tap the gear icon or “Settings & privacy.”
  3. Tap “Settings.”
  4. Tap “Accounts Center” at the top. This is Meta’s unified settings area.
  5. Tap “Password and security.”
  6. Tap “Two-factor authentication.”
  7. Select your Facebook account (if you have multiple Meta accounts linked).
  8. Choose your preferred method — “Authentication app” is recommended.
  9. Follow the on-screen instructions to complete setup.

On a computer (facebook.com):

  1. Click your profile picture in the top right corner.
  2. Click “Settings & privacy,” then “Settings.”
  3. Click “Accounts Center” in the left menu.
  4. Click “Password and security.”
  5. Click “Two-factor authentication.”
  6. Select your Facebook account.
  7. Choose “Authentication app” as your method.
  8. Follow the steps to scan the QR code and confirm.

After you complete these steps, Facebook will ask for a verification code whenever someone tries to sign in from a new device or browser.

Should you use an authenticator app or SMS for Facebook 2FA?

Facebook gives you three options for receiving your second factor:

Authenticator app (recommended). Apps like Google Authenticator or Authy generate a new 6-digit code every 30 seconds directly on your phone. The code is created locally instead of being delivered to you over the phone network, which makes it more secure than SMS.

SMS text message (good). Facebook sends a code to your phone number via text. This is convenient but less secure than an authenticator app. SMS codes can be intercepted through SIM swapping attacks, where a hacker convinces your phone carrier to move your number to their SIM card. As of 2026, SIM swapping is still a common attack method.

Security key (most secure). A physical device like a YubiKey that you plug into your computer or tap on your phone. This is the most secure option but costs money and requires carrying the key with you.

For most people, an authenticator app is the best choice. It is free, secure, and easy to use. If you already have one set up for another account like Gmail, you can add Facebook to the same app.

How do you set up an authenticator app for Facebook?

  1. Download Google Authenticator or Authy from your phone’s app store if you do not already have one.
  2. In Facebook’s 2FA settings (Accounts Center, then Password and security, then Two-factor authentication), select “Authentication app.”
  3. Facebook will show a QR code on your screen.
  4. Open your authenticator app and tap the plus button to add a new account.
  5. Scan the QR code with your phone’s camera through the authenticator app.
  6. The app will start generating 6-digit codes that change every 30 seconds.
  7. Enter the current code into Facebook to confirm everything is connected.

That is it. Your authenticator app is now linked to your Facebook account.

How do you save your Facebook recovery codes?

When you enable 2FA, Facebook provides a set of recovery codes. These are your emergency backup if you ever lose your phone or cannot access your authenticator app.

  1. In Accounts Center, go to Password and security, then Two-factor authentication.
  2. Look for “Recovery codes” or “Backup codes.”
  3. Facebook will show you a list of codes. Each one can be used once.
  4. Write them down on paper or print them. Store the paper somewhere safe at home.
  5. Do not save them in a text file on your phone — if you lose your phone, you lose the codes too.
  6. Do not take a screenshot and leave it in your camera roll where anyone could see it.

If you ever use a recovery code, it becomes invalid. You can generate a new set of codes from the same settings page at any time.

What else should you do to secure your Facebook account?

Turning on 2FA is the most impactful step, but these additional measures help too:

  • Use a unique password — do not reuse your Facebook password on any other website. If you need a strong password, read our guide on how to create a strong password
  • Review active sessions — in Accounts Center under Password and security, click “Where you’re logged in.” Log out of any sessions you do not recognise
  • Check for breaches — see if your email has appeared in known data breaches and change your password immediately if it has
  • Be cautious with Facebook Login — every app you signed into with “Log in with Facebook” has some access to your data. Review and remove apps you no longer use

To learn more about what 2FA is and how it protects you, read our full explainer: What is two-factor authentication and how do you set it up?

Browse our breach database to see which companies have been compromised and what types of data were exposed.

Frequently asked questions

Will I need to enter a code every time I open Facebook?

No. Facebook remembers devices you have used before. You will only be asked for a code when you sign in from a new device or browser you have not used before. On your usual phone or computer, you will not notice any difference.

Can I use 2FA on both the Facebook app and the website?

Yes. Two-factor authentication protects your entire Facebook account, not just one app or device. Once you enable it, it works everywhere you sign in — the mobile app, desktop website, and any other device.

What if I lose access to my authenticator app?

Use one of the recovery codes Facebook gave you when you set up 2FA. If you did not save them, you can use your recovery phone number or go through Facebook’s identity verification process, which may involve uploading a photo ID.

Does Facebook 2FA protect my Instagram too?

Not automatically. Even though Facebook and Instagram are both owned by Meta and share the same Accounts Center, 2FA must be turned on separately for each account. See our guide on how to enable 2FA on Instagram for those steps.