How to Set Up Two-Factor Authentication on Facebook


Technobezz

Senior Editor

May 30, 2026


You want to lock down your Facebook account so a stolen password alone can't get anyone in. Two-factor authentication adds a second check at login: after your password, Facebook asks for a code from an app, a text, or a physical security key.

The setup now lives inside Meta Accounts Center, not the old Security and Login menu. The path is nearly identical on the web, the iPhone app, and the Android app, and you'll land on the same three methods to choose from.

Before you start, make sure you're logged into the account you want to protect. Facebook will ask you to re-enter your current password, and it may send a one-time confirmation code to your WhatsApp or email to verify it's really you. Have a safe place ready to store the recovery codes you'll be offered at the end.

Open Accounts Center on Any Device

Every method starts from the same place. The wording differs slightly by platform, but the destination is the same: Password and security inside Accounts Center.

On the web at facebook.com:

  1. Click your profile picture in the top-right.
  2. Click Settings & privacy, then Settings (or go straight to facebook.com/settings).
  3. Open Accounts Center in the left sidebar.
  4. Click the Password and security tab, then click Two-factor authentication.

On the Android app: tap the menu (three lines, upper-right), then Settings & privacy > Settings > Accounts Center > Password and security > Two-factor authentication.

On the iPhone or iPad app: tap your profile picture (lower-right), then Settings & privacy > Settings > Accounts Center > Password and security > Two-factor authentication.

If more than one profile or Page is linked in your Accounts Center, you'll need to select the account you want to secure. Then re-enter your password if prompted, and enter the confirmation code Facebook sends to your WhatsApp or email. You'll now see three methods to choose from.

Method 1: Use an Authentication App

This is the method Facebook flags as recommended, and reviewers agree it's stronger than SMS. It uses a TOTP authenticator app such as Google Authenticator, Duo Mobile, or Authy. Install one first; if you don't have it, Facebook offers to send you to the App Store or Google Play.

From the mobile app:

  1. Choose Authentication app and tap Next.
  2. Tap Copy key to copy the setup string (or scan the displayed QR code if you can).
  3. In your authenticator app, tap the plus icon and choose Enter a setup key, selecting Time based if prompted, then paste the key.
  4. Copy the 6-digit code your authenticator now shows for Facebook.
  5. Return to Facebook, enter the 6-digit code, and tap the blue Next button before the code expires.
  6. Save the recovery codes you're offered, then confirm. Success reads "Two-factor authentication is on."

On the web, the flow is the same: pick Authentication app, click Next, click Copy key (also shown as Copy keys) and paste it into your app or scan the QR code, enter the 6-digit code, click Next, then click Done.

The 6-digit code is time-based and refreshes roughly every 30 seconds. Enter it and confirm quickly; if it rolls over, just use the new code.
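What the authenticator app does with the setup key, as an added example that is not part of the original article or Facebook's code: a standard RFC 6238 TOTP calculation showing why the code changes at each 30-second boundary. It assumes the usual defaults (base32 key, HMAC-SHA1), uses a constructed sample key, and the `drift_steps` tolerance in `verify` is a hypothetical verifier setting, not a documented Facebook value.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds per code: the "roughly every 30 seconds" in the text
DIGITS = 6   # length of the code the setup steps ask you to enter

# Constructed sample key (the RFC 6238 test secret), not a real account key.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

def decode_setup_key(key):
    """Turn the copied base32 setup key into the raw shared secret."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore any stripped padding
    return base64.b32decode(cleaned)

def totp(secret, unix_time):
    """RFC 6238 code for the 30-second window that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F             # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def seconds_left(unix_time):
    """How long the code for this window stays current."""
    return STEP - unix_time % STEP

def verify(secret, code, unix_time, drift_steps=1):
    """Verifier side: accept the current window and drift_steps either side.
    Assumption: the tolerance Facebook applies is not stated on this page."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_KEY)
    now = int(time.time())
    # Anyone holding the setup key can compute these codes, so store the
    # key as carefully as you would a password.
    print(totp(secret, now), "valid for", seconds_left(now), "more seconds")
```

The code depends only on the setup key and the clock, which is why a phone with the wrong time produces codes that are rejected.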

Method 2: Use a Text Message (SMS) or WhatsApp Code

This method is quick to set up, but it's the weakest. Anyone who can access your phone or intercept your texts can potentially get the code, so prefer an app or security key if you can.

  1. From Two-factor authentication, select Text message (SMS) or WhatsApp.
  2. For SMS, enter your phone number and tap Confirm.
  3. Check your texts (or WhatsApp) for the 6-digit code, enter it, and tap Next.
  4. Save the recovery codes when offered.

On the web, note that Facebook may send the identity-confirmation code via WhatsApp or email rather than as a phone text. If a code doesn't arrive, check your signal, restart the phone, or request a resend.

Method 3: Register a Security Key or Passkey

A security key or passkey is the strongest option. With one set up, an attacker can't log in even if they know your password or trick you onto a phishing site, and you can authenticate without your phone or a third-party app.

  1. Go to Accounts Center, then Password and security.
  2. Tap Two-factor authentication.
  3. Tap the Security keys option.
  4. On the next page, tap Register security key and follow the prompts.

You can register a USB or Bluetooth key, or set up a passkey using another device (a laptop or another phone) or your phone's fingerprint or Face ID unlock. Setting up a passkey on a second device is what lets you sign in even when your primary phone isn't with you.

Save Your Recovery Codes and Add a Backup Method

Recovery codes are your safety net if you lose your phone or authenticator. Each code works only once, so store the full set the moment it's shown by screenshotting, printing, or saving to a password manager.

To find them later on the web, open your Two-factor authentication settings, look under Additional methods, and select Recovery codes. Write them down and keep them somewhere safe.

While you're there, consider adding a second method. The Add a backup method section lets you pair, for example, an authenticator app with a security key, so losing one doesn't lock you out.

What to Do If You Can't Complete 2FA at Login

If you're at the login code-entry screen and can't produce a code, you still have options. Don't restart the whole login; look for the backup path on that screen.

  1. On the code-entry screen, select Need Another Way to Authenticate?
  2. Choose an alternative: enter a saved recovery or backup code, or use a different 2FA method you set up.
  3. Alternatively, try logging in from a device Facebook has previously recognized.
  4. If you still can't receive codes by phone or app, follow Facebook's "Troubleshoot login with two-factor authentication" help article.

A Note for Business and Workplace Accounts

The steps above cover a personal account. Turning on a 2FA requirement for a Business Portfolio, an organization-managed Meta account, or a Workplace account is handled through separate Business Help Center and organization-admin pages, not the personal flow.

Also keep two similarly named features apart: using WhatsApp to receive a Facebook 2FA code is not the same as WhatsApp's own "two-step verification" for a WhatsApp Business phone number. They're configured in different places.

Frequently Asked Questions

Which method should I choose? An authentication app or a security key. Facebook marks the authentication app as recommended, and a security key is the strongest because it blocks logins even on a phishing site. SMS is the weakest, since codes can be intercepted by anyone with access to your texts or phone.

The 6-digit code keeps expiring before I can enter it. What's wrong? Nothing. Codes from an authenticator app are time-based and refresh roughly every 30 seconds. Type the current code and tap Next quickly; if it rolls over, just enter the new one shown.

Where did the old Security and Login menu go? Two-factor settings now live in Meta Accounts Center. Go to Settings > Accounts Center > Password and security > Two-factor authentication. If several profiles or Pages are linked, select your account after tapping Two-factor authentication.

What happens if I lose my phone or authenticator? Use one of the recovery codes you saved during setup; each works once. You can also log in from a device Facebook already recognizes, or set up a passkey on a second device ahead of time so you're never dependent on a single phone.

I'm not receiving the SMS code. What can I do? Check that you have signal, restart the phone, and request a code resend. On the web, Facebook may send the confirmation code by WhatsApp or email instead of text. If codes still won't arrive, follow Facebook's troubleshooting help article for two-factor login.

Do I need to re-enter my password to change these settings? Yes. Facebook re-confirms it's you before letting you change two-factor settings, and it may also send a one-time code to your WhatsApp or email as part of that check.
