Meta changed how two-factor authentication works for Facebook and Instagram last year. You might have received notifications about this, but it was easy to miss in the platform’s sea of red alerts. OK, so what’s different? “Any devices you’ve frequently used Facebook on in the past two years will be automatically trusted,” reads Meta’s updated settings page. Your smartphone and laptop may not need a 2FA code to log in, unless you go into your settings and opt out.
Over time, Meta has made multiple tweaks to how it deploys 2FA. In 2018, it started to allow 2FA codes generated by third-party apps. A few years later, the company began requiring more vulnerable accounts to activate 2FA protection. The company faces a tricky balance between making it easy to log in to your account and protecting users from losing control of their online identities.
Enabling 2FA is a basic way to improve the security of any online profile, since it adds an extra layer of difficulty for hackers trying to break into your account. “The role two-factor plays is, basically, to assume that at some point your password is going to be known by someone else,” said Casey Ellis, founder and chief strategy officer at Bugcrowd, a crowdsourced security company that has previously collaborated with Facebook. “You don’t have control over when or how that happens.” For users, this fallback measure is often as easy as copying and pasting a quick code from within a smartphone app, like Google Authenticator.
Anyone with a social media account on Facebook or Instagram needs to turn on two-factor authentication in their privacy settings. No shame if you haven’t, but do it right now by logging in to your Account Center, clicking Password and security, then Two-factor authentication.
Now that you’ve got it all set up, here’s what was changed with Meta’s 2FA process: It’s no longer activated anywhere you often used Facebook or Instagram in the past two years, from previous-generation smartphones to hand-me-down laptops.
What’s the reasoning for this adjustment? “As part of our continuous work to balance account security and accessibility, we’re letting people know that we’ll be treating the devices they frequently use to log in to Facebook as trusted,” said Erin McPike, a Meta spokesperson.
Facebook via Reece Rogers
Want to activate a 2FA check for every device, even where you use Facebook or Instagram the most? While Meta previously offered an option to opt out completely, you now need to manually remove any devices that you don’t want to be trusted. Do this by opening the Account Center, then going to Password and security. You may need to enter your password after choosing Two-factor authentication and the account you want to adjust. Scroll all the way down to the Authorized logins section and choose Recognized devices.
Here you’ll see every device where Meta won’t require a login code. You may be surprised by some of the old devices on the list. While the company claims it’s just for devices you used in the past two years, one option on my trusted list was an iPad accessed all the way back in 2013.
Facebook via Reece Rogers
Yes, it’s common for social media platforms to trust certain devices for users, and security measures beyond 2FA may continue to provide protection for your account, but the automatic aspect makes experts uneasy. “My immediate security reaction is that it’s going to lock in long-term access to all of those logged-in things,” said Ellis, around the time of the update. Any change that puts more onus on the user to protect their security opens up more opportunities for mistakes and potential breaches.
After you’ve revoked trust for all the random iPads you used forever ago, what else can you do to improve the security for your Meta accounts? Always use a new, complex password. Also, make sure to wipe the data from your dusty smartphones and laptops with a factory reset before selling or otherwise getting rid of them.
Updated 3/5/2024, 5:30 pm EST: Included new details about how Facebook’s 2FA process works for users.
