After receiving a legitimate email notification about a bogus, failed password reset attempt using my Facebook login I decided to go have a look at my account settings. Considering that I detest Facebook and have not logged in in nearly 6 months, I thought that it was a good idea to check through all of the settings and see what new privacy invading settings that Facebook has decided to add lately -- so that they can be disabled of course.
While in the security settings, I realized that Facebook now has the option for 2FA and even seems to offer many choices for the user. Being the user of a TOTP smartphone app for 2FA on many of my online accounts, I decided to go ahead and enable it for Facebook. So, as normal when enabling 2FA for any website, I chose to generate recovery codes and store them in my password manager first. Then, I went into the "Code Generator" section that allows setting up a TOTP smartphone app, scanned the QR code on my phone, confirmed the current code validated, and then clicked the "confirm" button assuming that 2FA would then be enabled on my account. But, you would be wrong about that! After seeing that the "Use two-factor authentication" section still did not show the blue "ON" indicator, I then clicked the "Set Up" link provided next to the "Two-factor authentication is off" status assuming that I must need to do one more thing to finish enabling it.
Well, what I found at that point is the following pop-up message: "Set Up Two-Factor Authentication?
You must add either a phone or both security key and code generator in order to turn on two-factor authentication." After some web searches I discovered that indeed, Facebook does not actually understand how 2FA is supposed to work. Instead, to even enable 2FA, Facebook is requiring a "third factor" that can either be the use of a USB hardware key, or, get this, your phone number for an SMS message. There are two huge problems with this requirement. First, every security-conscious person understands that using SMS in any way for 2FA is a really horrible idea. I mean why even have the ability to set up a TOTP application when an SMS message can be used to override that security? And secondly, requiring the user to set up SMS requires adding your cell phone number to your profile (which I refuse to do). It seems that Facebook is only concerned with helping you improve your login security if you are willing to trade your phone number for it.
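The "Code Generator" enrolment described above (scan a QR code, then prove the app produces the right current code) is standard RFC 6238 TOTP. The following is an added example, not Facebook's code or anything from the original post: it parses the otpauth URI that such a QR code encodes, derives codes the way an authenticator app does, and verifies a submitted code with a small clock-drift window and a constant-time comparison. The otpauth URI, label and issuer are constructed for the example; the secret is the RFC 6238 test-vector key so the results can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Parse an otpauth://totp/... URI, the payload an enrolment QR code carries."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    # Base32 needs padding to a multiple of 8 chars; QR payloads usually omit it.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time divided by the step."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, at: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side.

    The drift window tolerates phone/server clock skew; compare_digest avoids a
    timing side channel on the string comparison. Real services should also
    refuse to accept the same code twice within its validity.
    """
    for step in range(-window, window + 1):
        expected = totp(secret, at + step * period, period, digits, algorithm)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


# Constructed enrolment payload (hypothetical issuer/label); the secret is the
# RFC 6238 test key "12345678901234567890" in Base32.
EXAMPLE_URI = ("otpauth://totp/ExampleSite:user%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite")


def enrol_and_confirm(uri: str, submitted_code: str, now: int) -> bool:
    """Mirror the 'confirm the current code' step: parse the QR payload, verify the code."""
    cfg = parse_otpauth_uri(uri)
    return verify_totp(cfg["secret"], submitted_code, now,
                       cfg["period"], cfg["digits"], cfg["algorithm"])


if __name__ == "__main__":
    cfg = parse_otpauth_uri(EXAMPLE_URI)
    now = int(time.time())
    print("current code:", totp(cfg["secret"], now, cfg["period"], cfg["digits"]))
```

Verifying against the RFC test vectors is the quickest sanity check of an implementation: with the key above, time 59 must yield 287082 and time 1111111109 must yield 081804 (the last six digits of the RFC's eight-digit values). Note that the verifier never needs anything beyond the shared secret and a clock, which is why a phone number adds nothing to the strength of this factor.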
Lastly, don't go out and Google "2FA Facebook" and then tell me that I'm wrong. All of the search results that I found are years out of date and no longer apply. The few posts that I found that were current confirm that a phone number and SMS is required when using a TOTP app for 2FA in Facebook. In addition, for those looking for a workaround, removing the phone number after enabling 2FA also disables it again.
Every time I think that I can't hate Facebook more, I find another reason.