Facebook no longer requires phone numbers for multi-factor authentication

The social media giant delivers another blow to the use of SMS for authentication purposes.
Facebook multi-factor authentication

Facebook updated its multi-factor authentication options on Tuesday, no longer requiring a phone number to use the service to sign into the company’s platform.

Product manager Scott Dickens laid out the changes in a Wednesday blog post saying that “third-party authentication apps like Google Authenticator and Duo Security” are now easier to use. Those apps offer more security than phone numbers, due to the fact that SMS messages tied to phone numbers can be hijacked.

Facebook has also long offered security keys like YubiKey as a multi-factor authentication option.

The option to remove phone numbers is significant for several reasons. First, SMS messages are considered an insecure authentication method by authorities, including the National Institute of Standards and Technology.


Facebook has also run into some issues regarding SMS in the past few months. A bug allowed for the platform to spam users with updates via SMS, which drove users to complain on Twitter about the issues. The bug isn’t just annoying or invasive, it may actively discourage good security practices.

Facebook Chief Security Officer Alex Stamos apologized for the bug in February.

While upgrades in multi-factor authentication options are good, most users aren’t aware of the practice. Earlier this year, Google said that less than 10 percent of users turned on multi-factor authentication.

Users can view their authentication options on Facebook’s settings page.

Latest Podcasts