Facebook users who want extra account security but don’t want to share their phone number with the company can now lock down their accounts with alternative two-factor authentication methods like code-generating apps, Facebook announced today.
Two-factor authentication helps protect users’ accounts from unauthorized access by requiring a code in addition to a password in order to log in. This helps a user prove their identity, even in circumstances where their password may be stolen by a hacker.
Facebook—and many other platforms—have traditionally relied on text messaging to send authentication codes to their users. But these codes can be intercepted if an attacker manages to take control of the user’s SIM and transfer it to a new phone. More secure two-factor authentication methods, like code-generator apps and hardware tokens, have become popular ways to address this problem.
In February, Facebook faced backlash from users who discovered that the phone number they’d provided for two-factor authentication was being used to spam them with texted notifications about their friends’ activity on Facebook.
Facebook said the text notifications were caused by an unintentional bug. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook’s chief security officer, Alex Stamos, wrote in a blog post.
Users resented having a security tool turned into an annoying engagement feature, but at the time, Facebook required users who didn’t want to provide a number for two-factor authentication to use both a code-generator app and a hardware token.
Now, that’s changing, Facebook says. The company will no longer require a phone number for two-factor authentication, and users can choose either an app or a hardware token for their second factor, rather than both.
“If we detect a suspicious login—for example, from a device you’ve never used before—we’ll always prompt you for the second factor. This code can be sent to your phone via SMS, or, if you choose to not provide a phone number, a third-party authentication app,” Facebook said in a blog post.