Facebook has never seemed to have a particularly friendly relationship with security and privacy. After all, the more Facebook knows about you, the more the company can profit from the social graph. But while the company has implemented some fine security features for users, the way they present them leaves a lot to be desired.
Take 2-factor authentication, which is what we'll discuss in-depth in this article. Facebook actually supports multiple second factors (text messaging, its own apps, voice calls, third party apps). But getting to them is less than obvious and, in some cases, requires you to sacrifice some personal security to gain some Facebook account security.
Also, since Facebook does have so many authentication options for the second factor (after you type in your user name and password), it seems a shame that they don't let the authentication factors stack, so those who need more security could have three-factor authentication.
In exploring Facebook authentication, I discovered two problems. The first I consider just plain uncool. Facebook requires you to enter your actual mobile number into your Timeline in order to receive authentication codes via text message. They also require you to tell the authentication system your mobile number, but until it's part of the Timeline, they won't text you. That's nasty, a possible security flaw, and just unnecessary.
Second, Facebook has built its own second factor authenticator into its app. You can generate a Facebook authentication code from the Code Generator section of the Facebook app. The fatal flaw? That means that the Facebook mobile apps don't have second factor authentication. They are the authentication. That's a huge security issue and I strongly advise Facebook add two-factor authentication to their mobile apps as well.
In any case, before we get started, I wanted to share with you a post that showed up on my Timeline just as I was about to work on this story:
Can you spell "irony"? Sure. I knew you could. Now, let's get started with the real work.
First and second factor
The first factor in Facebook authentication is your user name and password. If you have not changed it since Heartbleed came to the surface, you should.
By the way, I'm going to do one of these tutorials for Twitter and another for Google/Gmail. Stay tuned. They'll be ready in the next few days.
The first factor is something you know, in this case your user name and password. The second factor is something you have: in this case your phone or app-running tablet.
As a second factor, we're going to look at setting up authentication using the Facebook app itself, as well as by setting up text message confirmations. Unfortunately, the way Facebook handles setting up second factor authentication makes certain assumptions about how you have already set up your account. If you, like me, don't follow the norm, things get funky quickly.
As a result of that experience, I'm going to take you through what may seem like a rather odd procedure for setting up two-factor authentication, but it will help you get around some of the obstacles I ran into.
Download the app first
I'll take you through this process for iPhone and Android phones. Before I get started, please go to the iTunes store or the Google Play store and download the official Facebook app and sign in. Make sure you do this before we go through the rest of the steps. It will be far easier this way.
Facebook really wants your mobile phone number
In order to use second-factor authentication, you will need to provide Facebook with your mobile phone number, a number that can receive text messages. Please note that Facebook will not accept a Google Voice number (a bunch of two-factor sites don't), so you're going to have to part with the actual digits of your actual phone.
Oddly enough, if you just enter the digits in the authentication section, Facebook won't error out, but it won't send you authentication codes.
So before we even get started with security, we're going to do something that may lessen the security for some of you (it did for me). This does infuriate me, but hey, gotta use Facebook, right?
At the top of any main Facebook page, hit the Timeline button, which has your name and profile picture. Mine is shown below:
This will take you to your main timeline. This is mine (one of these days I have to change that picture to one of my car, but that's another story). Go ahead and hit the Update Info button.
This will be the usual Facebook page with all sorts of personal information you probably shouldn't be sharing with the public (or possibly even your friends). One section on the right is Contact Info. My Contact Info section is shown below.
Normally, all the information you can see is the public information I share out here on ZDNet and in my public profile. I'm hiding it this time because I'd really prefer not to have all you call me up with questions about setting up Facebook authentication. I'm helping here, but not looking for a new career. You understand, I'm sure.
The number I listed as my work number is, actually, my mobile number. I never wanted to give Facebook a number it could think of as my mobile number because I didn't want it bugging me all the time. But if you want that extra factor of authentication, you're going to need to enable it. Go ahead and add your mobile number (and make sure it's your real, physical number, not your Google Voice number).
I'd also recommend you set visibility on that to Only Me. That's what I set… but of course, "only me" is really "only me and Facebook." Not thrilled. Really not thrilled.
Once you've entered that information, you'll see your mobile number listed in your contact information like mine was, below:
Notice the Verify link. You'll have to go ahead and click that. You'll now get the following Confirm Your Number screen. I selected the text option, told it to continue… and nothing happened.
I never got the text. I cancelled and tried again. Nope. And again. Nope. So I finally had it give me a call, which it did, quite immediately and politely. I was given a code to enter, which I did on the following screen:
It was then that things started to make sense. Facebook presented me with this screen:
I, of course, left "turn on text notifications" off, because I didn't want to get notifications. As far as I can tell, Facebook interprets that as "don't send any texts, even for authentication." So I didn't get any texts.
It's time to dig into Facebook settings.
Finding the Settings section on the Facebook Web site
No matter which way you set up second factor authentication, you'll need to find the security settings on the Facebook Web site. To do this, find the barely visible down arrow on the far right side of the Facebook blue title bar and click it to display the menu below.
It remains a complete mystery to me why Facebook hides its menu items so that you need to squint to see them, but perhaps it's Zuckerberg's way of getting back at those of us old enough to wear glasses.
Setting up text notifications
Go ahead and click Notifications and then edit the Text message section.
Mine are turned on in this screenshot because I needed to get them working to talk about this, but yours might be off. The Notification Settings will expand, like this:
I've turned on text notifications, but turned off all the fluff I don't care to see outside of when I'm specifically looking at Facebook. Hit Save Changes and next we'll move on to Mobile (which you'd think would be grouped with text message settings, but apparently not in ZuckerLand).
Setting up mobile
I've looked for a less convoluted way of telling you how to do this, I swear I have. It's just Facebook. Posting kitten and puppy pictures is easy (as it should be), but protecting your account is not. But ranting also won't protect your account, so back to the grind, eh?
So, now you're going to want to click Mobile from the Settings page. This should say that your mobile phone has been verified, because you did that earlier. But if you're like me, you'll have that big green button that says Activate Text Messaging. Bring on the Advil.
When you click that button, you'll be presented with the following screen, which wants to know your carrier. Mine is Verizon, so that's what I chose:
Ah yes, Frustration, your name is "Activate Facebook Texts (Step 2 of 2)". I texted F (and wanted to finish the word, frankly) to Facebook and instead of getting back a code, got back a message saying "Confirmed!".
I never did get a code, but eventually the green button did go away. I spent way too much time on that for what it was worth, but now we've finally given Facebook all it wants to allow us to use text message authentication.
And that means we're ready to turn on Login Approvals, what Facebook calls its second factor of authentication. Ooh. I'm excited. Are you? Zuckerberg!!! (Imaginary fist waving in the air)
Setting the security settings
Go back to the settings screen. This time, select Security as shown below.
You'll see a stack of security settings. We'll work our way down the first three. Let's start with Login Notifications. Go ahead and hit Edit for that row.
You'll see the Login Notifications settings box expand. This allows you to get an email or text notification when you (or, worse, someone else) logs into your account with a new browser. I set mine to email. It's nice to keep track of whether or not there's any weird activity, but I don't need to get text updates. You can choose either, or both.
Be aware that this doesn't give you a second factor of authentication. But it does give you a bit more information so if your account is accessed, you'll have a better chance of knowing it. I like this feature.
Setting up your second factor (finally)
It's finally time to set up your second factor of authentication. This time, click Edit on the Login Approvals row.
You'll see a single checkbox and if you've followed along and done everything I've suggested, you probably won't erupt in a cacophony of profanity. Go ahead and check it.
Facebook will present this oh-so-helpful help screen. Go ahead and click Get Started.
This is where it becomes apparent that Facebook wants you to use the Code Generator as a primary mechanism. But you still need a mobile number and if you didn't set things up ahead of time, things would start to seem very Alice down the rabbit hole. But you did set up your mobile number in your Timeline (per my advice and painful experience), so you'll see this notification:
Go ahead and click continue. On the next screen, enter your Facebook password and hit Submit.
The following screen shows why you went through all the previous rigamarole. Notice it wants your phone number so it can send you a text message.
But until you go through all the stuff I had at the beginning of this tutorial, Facebook just wouldn't send the text message. I fought these few screens for quite a while before I finally gave in and gave the Timeline my mobile phone's real number.
If you've done everything right, when you get the following screen (which looks a lot like an earlier phone number confirmation screen), you'll actually be able to enter your code. Do so if you can.
If everything works, you'll get a message like this:
I went ahead and checked the checkbox because I do want authentication requests to begin right away. You should, too.
You will also get an option to have Facebook send you a set of backup codes, in case your phone is not available. I chose not to get them for now, but if you do request them, be sure to print them out, store them in a safe place, and remove all record of them from your computer.
At this point, I'm going to assume you were successful entering your code and getting a text. If not, complain to Facebook, not me. I've given you everything I know on that topic.
Preparing to use the Facebook app
Let's go back to Settings and edit the third line of the Security Settings. Make sure you're in the Security section as shown above, find the Code Generator line, and click Edit as shown below.
Once you hit the Facebook Code Generator Edit link, you'll see a section open up like the screen below.
Because I had already set up my Facebook apps on my phone and logged in, the Code Generator was already enabled.
While we're on this part of the screen though, I'll point out that you can also set up additional forms of authentication by clicking the "Setup another way" link, and if you do, you'll see a screen like the one below (except instead of the black box, there would be a QR code):
I've asked Facebook for a list of additional authentication tools, and if they provide it to me, I'll update that information here. Update: A Facebook rep tells me that Google Authenticator and Duo Mobile are also supported.
Okay, you're all set up. Time to authenticate. I'll take you through Android app, iPhone app, and text-based authentication. That should give you a pretty good understanding of it all.
Using Facebook Code Generator authentication
Oddly enough, even if you've set up second factor authentication, Facebook does not require that second factor when logging in through its mobile app. That's because Facebook built its authentication into its mobile app, which I consider a pretty serious mistake.
In any case, when you try to sign into Facebook via a Web browser and if you've properly set up authentication, you'll get a message like this:
This is when it's time to pull out your trusty iPhone or Android device. Let's look at the iPhone first. Open your iPhone Facebook app, look for the little More hamburger icon button on the lower right of the screen (and yes, I did scroll through all my Facebook posts until I found a kitten picture for you).
Once you hit the More button, you will have to scroll down Facebook's menu. You can kind of guess how low a priority authentication is to Facebook by the fact that their Code Generator is waaay at the bottom of their menu.
In any case, hit it and you'll get a code (I'll show you what that looks like with the Android app since I didn't take any cute animal pictures on the Android side). Here's the Android menu. In this case, you select the hamburger icon in the upper left of the Android Facebook app, and again scroll waaay down to find the Code Generator option.
Once you tap the Code Generator button, you'll actually get a code screen. It looks like this:
I know the code changes every 30 seconds, but I'm not about to publish any authentication code, even one that expires. After Heartbleed, I'm not in a trusting mood.
Now that you've got your code, go back and enter it into the authentication screen I showed you before.
Using text message authentication
Let's wrap all this up by using our very hard-won text message-based authentication. Let's go back to the security code entry screen. This time, click the Having trouble link.
A set of additional authentication options will drop down, including the Send me a text message option. Click that and Facebook will send you a text with a security code.
If you're a Google Voice user, note that your text message may not show up as a notification and it may be in your phone's native messaging app, not the Google Voice messaging app that you usually use.
Enter the code sent to you, and you're done. You're in.
And there we are. This article took 39 images to take you through Facebook authentication. By any measure, the company needs to streamline and simplify the process. Good for you, though, for making sure you're protected. Feel free to share this article with anyone you think can benefit from having a safe Facebook browsing experience.