Facebook Will Mandate 2FA for High-Risk Users

Facebook says its highest-risk users will soon need to start protecting their accounts with two-factor authentication (2FA).

According to several published reports on Thursday (Dec. 2), this change will — for now — apply to “high-risk” accounts: journalists, politicians, activists and others who are part of the Facebook Protect program.

“We aren’t currently planning on rolling it out to everyone, but we can slowly expand within the communities where it’s most critical — communities where people could be most targeted and where the consequences would be most significant,” said Nathaniel Gleicher, head of security policy for Meta, Facebook’s parent.

Facebook Protect began as a pilot before the 2018 U.S. midterm elections and expanded for the presidential election two years later. The platform enrolls some high-profile figures automatically, while also offering mechanisms that let users nominate themselves.

The program began a global rollout in September and is available in 12 countries outside the U.S., including India, the Philippines and Turkey, with more than 1.5 million people taking part, most of them setting up two-factor authentication.

So far, only about 4% of Facebook’s monthly active users have adopted two-factor authentication, the platform said.

“Two-factor has historically been underutilized across the internet, even by people who are most targeted by malicious hackers, despite it being one of the best available protections against account compromise,” Gleicher said. “To help drive wider enrollment in 2FA, we all need to go beyond raising awareness or encouraging enrollment.”

At the same time, the company said it wants to make sure people can still access its platform, including places where users have limited access to smartphones or the internet. The announcement comes one month after Google said it would begin mandating 2FA for large sections of its users.

Google has more than 150 accounts, but the company said it’s only auto-enrolling users who use appropriate backup mechanisms, such as recovery emails or phone numbers that are able to receive SMS codes.