At first I wasn’t going to bother applying two-factor authentication for Facebook and Twitter. “After all,” I reasoned with myself, “they’re not as important as email accounts or online banking. If my accounts got hacked I’d just shut them down and start again.” But then, I mused, if the accounts were hacked the hacker might (a) write all sorts of nasty stuff pretending to be me, (b) change the password and lock me out of the account so I couldn’t shut it down, or (c) knock me down, step in my face, slander my name all over the place, burn my house, steal my car, and drink my liquor from an old fruit jar.

Yet more forceful rumination led me to conclude that (a) and (b) were feasible and fairly undesirable but that, to my relief, (c) was just an extract from the lyrics of Blue Suede Shoes. Nevertheless, two-factor authentication (2FA) was indeed warranted.

Whereas Facebook would allow me to use an authenticator app (such as Authy), Twitter only seems to offer SMS-based 2FA. In earlier posts such as this I examined at mind-numbing length the potential weaknesses of using text messages to send authentication codes and explained why authenticator apps were more secure. I then proceeded to try one such app and decided I couldn’t deal with it. So although SMS-based 2FA is less than ideal, it’s still way safer than just relying on Ye Olde Username and Passworde Security Modele, so I went for it anyway.
For both Facebook and Twitter, logins on new devices will now require an authentication code, sent to my mobile via SMS. And both suggest that you keep a record of backup codes in case you ever lose or are otherwise unable to access your mobile. Facebook gives you 10 codes at once; Twitter only allows you to generate one at a time. In both instances, the information has been stored securely in my password manager.

For Facebook I also enabled a feature called Trusted Friends for good measure; this is designed to let Facebook contact people who know you and can verify your identity if you get locked out of your account. It’s probably overkill if you have the backup codes for 2FA, and as this article points out, if your “friends” aren’t actually that trustworthy, they could use the privileged status you’ve given them to hack your Facebook account!

That’s it, then. That’s my 2FA odyssey for now. There are one or two other accounts to look at, and maybe I’ll return to the authenticator app method one day. But, for now, I’m happy I’ve given myself a better chance of staying secure.

REMEMBER: There are bad guys out to get you in Internet-Land. Give yourself the best shot of thwarting them. Use strong passwords and apply 2FA where you can. Here endeth the lesson.

UPDATE 24/3/20

I just had to disable SMS-based 2FA for Facebook. I’d removed Facebook from my Android phone some time ago and decided I wanted to put it back. When I did so, it asked me to log in with my password, and then said it would send me an SMS with a verification code. It never arrived. I tried three times; no text messages. I know this has worked in the past because I still have the text messages, but today – nothing.

A quick search shows this is a common problem, with no obvious fix. I don’t like disabling 2FA on anything, having gone to the trouble of setting it up, but until I can research this some more it’s gonna have to stay switched off.