Meta recently changed how two-factor authentication works for Facebook and Instagram. You might have received a notification about this, but it was easy to miss in the platform’s sea of red alerts. OK, so what’s different? “Any devices you’ve frequently used Facebook on in the past two years will be automatically trusted,” reads Meta’s updated settings page. This means it’s automatically adjusted, unless you go into your settings and opt out.
Over the years, Meta has made multiple tweaks to how it deploys 2FA. In 2018, it started to allow 2FA codes generated by third-party apps. A few years later, the company began requiring more vulnerable accounts to activate 2FA protection. The company faces a tricky balance between making it easy to log in to your account and protecting users from losing control of their online identities.
Enabling 2FA is a basic way to improve the security of any online profile, since it adds an extra layer of difficulty for hackers trying to break into your account. “The role two-factor plays is, basically, to assume that at some point your password is going to be known by someone else,” says Casey Ellis, founder and chief strategy officer at Bugcrowd, a crowdsourced security company that has previously collaborated with Facebook. “You don’t have control over when or how that happens.” For users, this fallback measure is often as easy as copying and pasting a quick code from within a smartphone app, like Google Authenticator.
Anyone with a social media account on Facebook or Instagram needs to go ahead and turn on two-factor authentication in their privacy settings. No shame if you haven’t, but do it right now by logging in to your Account Center, clicking Password and security, then Two-factor authentication.
Now that you’ve got it all set up, here’s what recently changed with Meta’s 2FA process: It’s no longer activated anywhere you often used Facebook or Instagram in the past two years, from previous-generation smartphones to hand-me-down laptops.
What’s the reasoning for this adjustment? “As part of our continuous work to balance account security and accessibility, we’re letting people know that we’ll be treating the devices they frequently use to log in to Facebook as trusted,” says Erin McPike, a Meta spokesperson.
Want to activate a 2FA check for every device, even where you use Facebook or Instagram the most? Open the Account Center, then go to Password and security. You may need to enter your password after choosing Two-factor authentication and the account you want to adjust. Scroll all the way down to the Authorized logins section. After that, tap on Trust frequently used devices and Opt out.
You also have the option to granularly pick which devices won’t require a 2FA check. Go back to the Authorized logins section and choose Recognized devices. Here you’ll see every device where Meta won’t require a login code. You may be surprised by some of the old devices on the list. While the company claims it’s just for devices you used in the past two years, one option on my trusted list was an iPad accessed all the way back in 2013.
While it’s common for social media platforms to trust certain devices for users, and security measures beyond 2FA may continue to provide protection for your account, the automatic aspect makes experts uneasy. “My immediate security reaction is that it’s going to lock in long-term access to all of those logged-in things,” says Ellis. Any change that puts more onus on the user to protect their security opens up more opportunities for mistakes and potential breaches.
After you’ve revoked trust for all the random iPads you used forever ago, what else can you do to improve the security for your Meta accounts? Always use a new, complex password, first off. Also, make sure to wipe the data from your dusty smartphones and laptops with a factory reset before selling or otherwise getting rid of them.