We don’t want to give Facebook our phone number anymore, but we don’t want to lose the security of two-factor authentication. We explain how to remove the phone number from the social network and how to activate 2FA with an external app.
After the scandal about the 533 million phone numbers and data stolen from Facebook and published on an online piracy forum, many users might be wondering how to remove their phone number from the world’s most famous social network. Deleting this information now is like closing the barn after the horse has bolted, but not giving Facebook more data than necessary could prevent that data from being lost in the near future.
Some users may also have enabled two-factor authentication via SMS, and deleting the phone number from their profile raises the question of how to keep this additional security. There are alternatives to SMS for authentication, so let’s look at them together, starting with removing our phone number from our contact information for good.
For this guide, considering how often the social network is accessed from each type of device, and since we are talking about phone numbers, we decided to focus on the steps to take on a smartphone. However, the same operations can also be done from a computer; in this case, the windows and the settings screens will be different but will have the same informative text, so these instructions will still make sense to those who want to use a PC to delete their mobile number from the social network and have two-factor authentication without using SMS.
Yes, but what is two-factor authentication?
Two-factor authentication or 2FA (i.e., 2-Factor Authentication) is a system for verifying the identity of the user that involves not just one element, such as a password, but two. It is, therefore, a more secure system, because any attacker who wanted to enter our Facebook account would need not only the password but also access to the system used for the second control factor.
Usually, the second control factor is a numeric code sent via SMS. If, for example, we access Facebook for the first time from a computer or a device we have never used before, and we have two-factor authentication enabled, the social network will not only ask us for the profile password, but it will also send us a numerical control code via SMS to be entered after the password to make sure that whoever is accessing is the real user.
To receive this code via SMS, we must obviously have given Facebook our phone number at some point in the past, even if only to activate 2FA.
Let’s take advantage of this guide to remind you that in 2020 the security company Digital Shadows advised against using 2FA via SMS. SIM-jacking (SMS hijacking), for example, is a type of attack that uses social-engineering methods to “convince” mobile network providers to transfer a victim’s mobile service to a new SIM card controlled by the attacker. Any 2FA codes will then be automatically directed to the cybercriminals and not to the user who owns the phone number.
How to delete a phone number from the personal information of a Facebook profile
This part is the easiest, but it also serves as a way to get familiar with settings menus that you may have forgotten or, in the worst case, never seen.
From the main page of the Facebook app, touch the three horizontal lines at the bottom right in the iOS app and at the top right in the Android app: it’s the so-called “hamburger icon” because it looks like fast food. Then we scroll down the page and tap Settings – which is located under Settings and Privacy – and then Personal Information.
Within the Personal Information menu, if we tap Contact Information the app will show us a new screen where our phone number might be. If it’s not there, it means we’ve never entered it or we’ve already deleted it. If it is there instead, we can tap on it to proceed to delete it with the Remove button.
How to use two-factor authentication via an external app
Since we want to eliminate any reference to our phone number in Facebook, let’s see how to keep two-factor authentication active without using SMS, and therefore without giving the social network a phone number, which we have just deleted from the information it holds on our account.
As we have already seen, two-factor authentication is nothing more than an additional element in the verification of the user’s identity by the application you want to access.
If the service being accessed supports it, the second factor can even be a piece of paper with handwritten codes to be entered after the password when logging in from a new device. Facebook provides this too, but first, let’s see how to activate 2FA in Facebook using an external verification app.
We then have to choose which external verification app to download. Among the most popular ones are those provided by Google and Microsoft. We chose the Google one because its initial use is a bit easier. It’s simply called Google Authenticator and exists for iOS and Android. If, instead, you want to use Microsoft Authenticator, here are the links for the iOS and Android versions.
We then download and install Google Authenticator on our Android phone or iPhone, but don’t open it. Instead, let’s go back to opening the Facebook app.
We access the Settings menu again from the “hamburger icon,” but this time we open the Security and Login submenu.
Then we tap Use two-factor authentication and in the next window, we choose Authentication App as the security method. In the new window, we are shown the code to enter in the authentication app, but Google Authenticator makes our life easier: instead of copying the code, we choose Configure on the same device directly.
At this point, the Facebook app will automatically open the Google Authenticator app, which will ask us if we want to add the verification token tied to our Facebook account. The question we are asked will also indicate the unique username of our Facebook profile as it is known by the social network. We choose Yes. The token is then created and is shown in the next window of Google Authenticator.
The code connected to the token is a six-digit number under the Facebook name with our profile name next to it. On its right is a blue circle that gradually disappears as the seconds pass. It indicates the remaining time during which we are allowed to use that verification token. After that time has expired, a new code will be generated automatically by Google Authenticator.
We then copy the six-digit code or memorize it, go back to the Facebook app, and enter it into the field that is patiently waiting for it.
Two-factor authentication with an external app has thus been activated; we can tap Done. Now we are safer because even if someone manages to discover our Facebook password, to access our profile they will need the verification code that is produced only by the Google Authenticator app installed on our phone.
Note: In the Android version of Google Authenticator, the automatic switch to the app for the first token setup and the return to the Facebook app may not happen. In that case, proceed as follows:
- Completely close Facebook from in-memory apps.
- Completely close Google Authenticator from in-memory apps.
- Open Facebook.
- Go to Settings/ Access Protection/ Use Two-Factor Authentication/ Choose Authentication App and then tap Continue.
- Do not copy the long alphanumeric code; tap Configure on the same device directly.
- Android may open Google Authenticator with the Get Started button to tap on.
- Tap the Get Started button.
- A new window will appear saying “Create your first account”.
- Ignore it and go back with the arrow in the top left corner.
- At this point Google Authenticator should have recognized the Facebook request anyway, showing a window that says “Save code for Facebook (and Facebook profile name)”.
- Tap OK.
- A preview will be shown with the 6-digit code already working and the circle indicating the time remaining. But now you need to tap ADD ACCOUNT under it.
- The Facebook token has now been permanently added to Google Authenticator. Copy the code to the clipboard with a long press on it, or memorize it.
- Go back to the Facebook app, which has remained open on the same screen as before, but this time tap Configure manually.
- You will be asked for the 6-digit code. Enter what you copied to the clipboard or what you memorized from Google Authenticator.
- You may be asked to enter your Facebook password again (it doesn’t always happen). If you are, enter it.
- At this point, two-factor authentication will be active and Facebook will give notice of it.
So every time I want to log into Facebook, do I need the verification code in addition to the password?
No. The verification code in addition to the password, produced by the external authentication app, will only be needed if we decide to access Facebook for the first time from a new device or a new internet browser.
As for the other devices or browsers already used, once the new ones are “recognized” by Facebook as tools used by the user to access his profile, the verification code will no longer be required, even if we disconnect momentarily from the social network and then re-enter.
Is there another two-factor authentication system for Facebook?
Yes. In addition to an external physical security key, you can use a list of recovery codes generated by Facebook for the user’s profile. These six-digit codes can come in handy in case you can’t get access to the external authentication app.
Of course, this list of codes can only be accessed once you’ve accessed your profile, which wouldn’t be possible if the social network were asking us for the verification code after the password at that very moment.
So how do we do it? Once you have activated two-factor authentication as we have just explained, you can access the list of codes.
Simply go back to the Settings menu, then go to Security and Access, then to Use Two-Factor Authentication, from there tap Recovery Codes and Show Codes.
The list of recovery codes will appear and can be copied. It can be kept in a file external to the PC or smartphone, so even on a USB stick, or on a simple printed or handwritten piece of paper.
Whenever one of these recovery codes is used, Facebook will check it off the list. When all of them are used up, you can request new ones by tapping Get New Codes.