How to enable Facebook's hardware key authentication for iOS and Android

How to enable Facebook’s hardware key authentication for iOS and Android

Since 2017 desktop users have had the opportunity to use physical security keys to log in to their Facebook accounts. Now iOS and Android users have the same option too. Physical security keys are a more secure option for two-factor authentication (2FA) than SMS (which is vulnerable to SIM swap attacks and phishing), and apps that generate codes or push notifications (which are also vulnerable to phishing).

Two-factor authentication (2FA)

2FA is the least complex version of multi-factor authorization (MFA) and was invented to add an extra layer of security to the—now considered old-fashioned and insecure—simple login procedure of using a username and password. By definition, 2FA depends on two different methods of identifying a user.

Authentication factors are commonly divided into three groups:

  • Something you know, such as a password.
  • Something you have, such as a code sent by SMS, or a hardware key.
  • Something you are, such as your face or fingerprints.

Different 2FA schemes typically rely on users providing a password and one of the other factors. If you are an Android or iOS user, Facebook will now let you authenticate yourself with a password (something you know) and a hardware security key (something you have).

Hardware security keys

Hardware keys, also known as physical security keys, connect to your device via USB-A, USB-C, Lightning, NFC, or Bluetooth, and are portable enough to be carried on a keychain.

Most of them use an open authentication standard, called FIDO U2F. U2F enables internet users to securely access any number of online services with one single security key, with no drivers or client software needed. 

FIDO2 is the latest generation of the U2F protocol and it allows devices other than hardware keys, such as fingerprint sensors or laptops and phones with face recognition, to act as hardware keys.

How do security keys work?

You can use a hardware security key for as many accounts as you like. Once the key has been set up to work with a service, logging in is as simple as inserting the security key into your device (or wirelessly connecting it) and pressing a button on the key itself.

Behind the scenes, the security key is presented with a challenge by your web browser or app. It then cryptographically signs the challenge, verifying your identity.

Setting up Facebook for physical security keys

To add a physical security key as a 2FA factor for Facebook, open Facebook on your device and open the menu.

In the Menu click on Settings under Settings and Privacy.


You will see the Account Settings menu. Click on Security and Login under Security.

security and login

You will see the Security and Login menu. Click on Use two-factor authentication under Two-Factor Authentication.

Two-Factor Authentication

In the Two-Factor Authentication menu select the Security Key option and click on Continue.

security keys

From there, follow the instructions that are device and key-specific to add your security key as an extra factor of authentication.

Privacy and security

Imagine all the information an attacker might find out about you if they should get hold of your Facebook credentials. It’s not just all your public, and private posts, but your Messenger conversations as well. The first thing a successful attacker will do is enable 2FA to lock you out. So get ahead in the game and enable it yourself. Any 2FA is better than none, but a security key is the most secure form of 2FA.

2FA enabled

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.