Facebook is making two-factor mandatory for high-risk accounts

Facebook, a recently added subsidiary of Meta, said it will make two-factor authentication (2FA) mandatory for high-risk accounts likely to be targeted by malicious hackers.

The move is part of a major expansion of Facebook Protect, the social networking giant’s enhanced security program that’s intended to protect the accounts of people who may be at particular risk, like human rights defenders, journalists and government officials. The initiative helps these accounts adopt stronger security protections by simplifying security features — including 2FA — and providing additional security protections for accounts and Pages, including monitoring for potential hacking threats.

The program was piloted in 2018 and expanded ahead of the 2020 U.S. election in a bid to stop abuse and election interference from spreading on the platform. It’s now enabled on more than 1.5 million accounts, according to Facebook, and is expanding to more than 50 countries by the end of the year, including the U.S., India and Portugal. The company is planning a further expansion in 2022.

Of the 1.5 million accounts already enrolled in Facebook Protect, almost 950,000 have 2FA enabled, a feature that Facebook said has been “historically underutilized across the internet.” Facebook says it wants this feature to be used by all high-risk accounts, and is making it compulsory.

This means if a user identified by Facebook as high-risk does not enable 2FA once a set period has expired, they won’t be able to access their accounts. The company said users won’t permanently lose access to their accounts, but will need to enable 2FA in order to regain access.

“2FA is such a core component of any user’s online defense, so we want to make this as easy as possible,” said Nathaniel Gleicher, head of Security Policy at Facebook. “To help drive wider enrollment of 2FA, we need to go beyond raising awareness or encouraging enrollment. This is a community of people that sit at very critical points in public debate and are highly targeted, so for their own protection, they probably should be enabling 2FA.”

Gleicher added that, in early testing, mandating Facebook Protect saw more than 90% of high-risk users enroll in 2FA.

In order to balance the protection the tool provides against the potential consequences — such as critical voices being locked out of their accounts — 2FA will first be required in places where Facebook “has the necessary resources in place to smoothly expand,” such as the Philippines and Turkey. The company will also focus on regions where an upcoming election could create an important civic moment.

Facebook says that while its own figures show that less than 4% of its global monthly active user base has not enrolled in 2FA, it currently has “no plans” to mandate the feature for all accounts.