Facebook Will Force More At-Risk Accounts to Use Two-Factor

For years, Facebook has given its users the option of protecting their accounts with two-factor authentication. Soon, the platform’s highest-risk users will no longer have a choice: The social network will require them to lock up their profiles with more than just a password. Good.

Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor. It’s not the only platform taking this step; in May, Google announced a move toward making two-factor authentication the default for all of its users. And while Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world.

“We aren’t planning currently on rolling it out to everyone, but we can slowly expand within the communities where it’s most critical—communities where people could be most targeted and where the consequences would be most significant,” Meta’s head of security policy, Nathaniel Gleicher, told reporters ahead of the announcement.

Facebook Protect started as a pilot project in the United States ahead of the 2018 midterm elections and expanded leading up to the 2020 presidential election. Facebook enrolls some prominent public figures in the program automatically, but the company has also been creating mechanisms for people to nominate themselves for inclusion, like enrolling whole newsrooms. Once users join Facebook Protect, they can’t opt out.

Protect’s global rollout began in September, and Meta currently offers it in 12 countries, including India, the Philippines, and Turkey. The program has more than 1.5 million enrollees, including close to 950,000 who first enabled two-factor authentication as a result of the mandate. Gleicher says the company will offer Protect in 50 countries by the end of the year, with more to come in 2022, like Myanmar and Ethiopia. In addition to mandating two-factor authentication, Facebook Protect offers additional automated monitoring and scanning on enrolled accounts.

Though Google is the consumer tech company pursuing mandatory two-factor use most aggressively, others have taken smaller steps. Amazon’s Ring smart camera company mandated two-factor for its few million customers in early 2020 after a wave of break-ins on Ring accounts. And in 2018, Twitter debuted prompts to encourage candidates to turn on two-factor authentication. The social network said in July that only 2.3 percent of its users have enabled two-factor authentication.

Facebook revealed ahead of the announcement that only about 4 percent of Facebook’s monthly active users worldwide have adopted two-factor authentication.

“Two-factor has historically been underutilized across the internet, even by people who are most targeted by malicious hackers, despite it being one of the best available protections against account compromise,” Gleicher said. “To help drive wider enrollment in 2FA we all need to go beyond raising awareness or encouraging enrollment. But we also have to make sure that people around the world, including in areas where people have limited or restricted access to the internet or smartphones, like large parts of the global south, can continue to access these platforms.”