Last updated July 20, 2020
Facebook has detailed privacy settings that allow you to control your data security at a granular level. This comprehensive guide shows you how to configure your Facebook settings for maximum security, while still being able to enjoy your account.
Maximizing Your Facebook Security
Facebook wants you to have a seamless user experience. This requires a compromise between ease of use and your information security.
As a result, Facebook does not start your account’s security at the highest level.
It’s up to you to take control of your security settings to protect your Facebook account (and your identity). Facebook won’t do this for you.
Another thing to keep in mind: The more you lock down your privacy in Facebook, the less functionality you will have. If you really want to maximize your information security, you would just delete your Facebook account. But life without Facebook = no fun.
Our goal with this guide is to help you minimize any information security issues while still enjoying your Facebook experience.
So let’s get started…
General Facebook Account Settings
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > General
Here you can:
- Edit your Name
- Change your Username (nice if somebody is stalking or annoying you)
- Set yourself as a Primary Contact
- Create an Ad Account Contact (if you plan to run Facebook ads)
- Set your Identity Confirmation (used if you run Facebook ads on social issues, elections and politics)
There isn’t much else that affects your Facebook security.
(You could fake your identity but Facebook would probably catch you)
Let’s move along…
Facebook Security and Login
This section is extremely important for your Facebook account security. It’s where you create strong login credentials and add extra security layers to your account.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Security and Login
You can also set up an account recovery process here in case your Facebook account gets hacked or phished.
Where You’re Logged In
This section tracks the locations and devices where you’ve logged into Facebook. It also shows a recent history of logins.
Recommended: Scan through all the Facebook login records and look for suspicious locations. If somebody has gotten hold of your credentials and logged in from somewhere else, it should show up here. You can then click the elipsis on the right and select “Not You?” to report it as a suspicious login. Facebook will then block that location. (IMPORTANT: After doing this you should immediately change your password!)
Login Section
This is where you create a strong password and turn off the save login feature in Facebook.
Recommended: A strong password is the #1 Facebook account security step you can take. You should create a completely random long password of 16 characters with no recognizable words or number patterns. Then save it in a secure password manager.
How to change your Facebook Password to a strong password:
- Click Change Password > edit
- Enter your current password
- Enter a completely random new password with 16 characters such as $&y510b@P0*g64GF (NOTE: please don’t actually use this password!) and re-type the new password. Then save this new password in your password manager.
- Click “Save Changes”
Recommended: We suggest NOT saving your Facebook login info on any devices or browsers. If somebody gains access to your device, or it gets lost or stolen, they can get into your account settings and easily hijack your Facebook account.
How to turn off the save login feature in Facebook:
- Click save your login info > edit
- Click “Remove account” on any accounts that appear — this will force you to login each time you open your Facebook account on the selected browser or device.
Facebook Two-Factor Authentication (2FA)
Two-factor authentication is the #2 security step you can take to protect your Facebook account from hackers. We strongly encourage you to turn 2FA on. Dealing with the minor hassle of confirming your identity before logging in is much better than having your Facebook account hijacked.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Security and Login > Two-factor authentication
Setting Up Two-Factor Authentication in Facebook
- Go to Account > Settings & Privacy > Settings > Security and Login > Two-factor authentication
- Click Use two-factor authentication > Edit
- Select from Authentication App or Text Message (SMS)
Let’s compare your two options:
Text Message (SMS): This is the way to go if you you don’t want to set up another app. Just elect SMS text verification message and you will get an SMS message on your mobile with a time-based 2FA verification code. This is the quick and simple way to set up 2FA.
Authentication App: Facebook claims this method is more secure. It uses a secure third-party authenticator app to receive 2FA verification codes. It’s similar to SMS, but the verification message appears in a password-protected app (rather than your text screen). The app has an encrypted connection to Facebook that is more secure than SMS texts. Two popular apps for this are Google Authenticator and Duo Mobile.
When you set up two-factor authentication it will ask you to re-enter your password. Facebook will then send you a 6-digit verification code. Enter that into the screen to finish your 2FA setup.
After that Facebook will confirm that 2FA is set up. Click Done and you’re good.
Add a Backup 2FA Method on Facebook
We strongly advise setting up an additional Facebook 2FA method for maximum security. You will rarely need to use this. But helps to verify your account if you lose the mobile device where you normally receive verification codes.
Facebook will conveniently display the “Add a Backup Method” screen after you click “Done” on the initial 2FA setup process.
Here are Facebook’s three backup 2FA methods:
- Authentication App (see above)
- Security Key. This lets you use a USB or NFC device with embedded chip verification and face matching technology. NFC is a biometric facial recognition technology that some countries are adopting. This is probably too technical for most of us unless you’re James Bond. Facial recognition also opens up a bunch of potential issues with biometric security. We think this is overkill for most people.
- Recovery Codes. This is a simple and easy-to-use method, and we think it’s best for most people. Facebook will automatically generate a downloadable list of unique codes you can use to verify and recover your account if two-factor authentication isn’t available. Just download and save the file with unique name. (Do NOT call it “Facebook recovery codes”!)
Make a point to remember what the recovery codes file is for. We recommend uploading it to your online storage like Dropbox or Google Drive. Then delete it from your physical device.
How Two-Factor Authentication Works With Facebook Accounts
After you’ve got 2FA setup you will receive a time-based verification message by SMS or authentication app. Facebook will only send this verification message when you log into your Facebook account from an unknown device.
Basically, Facebook compares the device you’re logging in from with a list of authorized devices in your account. If Facebook matches the device with your list of authorized devices, then no 2FA verification code will be sent.
Facebook will not send the verification code to the same device the login is coming from. This prevents the situation where a thief gets hold of your mobile, tries to log into Facebook, and gets a 2FA verification message on the same device.
However, this also means if you lose your mobile device when you’re logged into Facebook and your screen hasn’t locked yet, then 2FA can’t help you. Anybody who picks up your mobile and gets past the device login screen will have free access to your Facebook app.
If you delete your browser history, or you delete and reinstall the Facebook app, Facebook will require you to verify your identity again with 2FA.
IMPORTANT: If you lose your mobile device it’s critical to report your account as compromised to Facebook’s security team. That way Facebook can shut down access to the app on your mobile and prevent it from being hijacked. To recover your account you will need to go through a separate verification process.
Managing Authorized Devices on Facebook
Facebook gives you the ability to specify devices where you are not required to login, and won’t receive a two-factor authentication challenge. If you “authorize” a device, then Facebook will not require login credentials or a 2FA verification code to access your account on that device.
Sound dangerous? It is.
Facebook actually prompts you to “authorize” all devices where you have successfully logged in, even after you’ve set up two-factor authentication.
Following the Facebook prompts actually creates a dangerous security vulnerability! Facebook favors a frictionless user experience over maximizing user security.
This is how it looks…
Think about it. What happens if you lose your mobile device or laptop and they get past the login screen? If that device is on Facebook’s “authorized” list, the thief can get into your Facebook account without logging in and take over.
To fix this you need de-authorize ALL devices on Facebook.
Yes, ALL of them.
Here’s how:
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Security and Login > Two-factor authentication > Authorized Logins > Edit
Select all devices on the list and click “Remove”.
Now, anybody (including you) will be required to pass two-factor authentication to log into your Facebook account on ALL devices.
Third Party App Passwords
This section applies if you use you Facebook login to access third-party apps and services like Skype, Zoom or Medium. You can ask Facebook to auto-generate separate passwords for each account here.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Security and Login > Two-factor authentication > App Passwords
The benefit of generating app-specific passwords is it reduces the potential for multiple accounts to be compromised if your Facebook account gets hacked.
The downside is it increases the number of passwords you must remember. People are really bad at remembering passwords. So you will need a third party password manager to store these extra credentials
NOTE: Generally, we advise against using Facebook as a single login provider (SSO) for multiple accounts. It reduces friction but creates a big security dependency. If your Facebook account gets hacked, or you get locked out for whatever reason, you can lose access to the other accounts you log into with Facebook.
Setting Up Extra Security on Facebook
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Security and Login > Setting Up Extra Security
Get Alerts About Unrecognized Logins
It’s a very good idea to set up alerts when anybody tries to log into your Facebook account from an unrecognized device.
This is the best way to get an early warning of someoby trying to hack your Facebook account.
Here’s how you set up unrecognized login alerts on Facebook:
- Go to Account > Settings & Privacy > Settings > Security and Login > Setting Up Extra Security
- Click Get alerts about unrecognized logins > Edit
- Select “Get Notifications” by Facebook Notifications, Messenger and Email
- Click Save Changes
Select Trusted Contacts To Recover Your Account
If your Facebook account gets hacked or you lose access and can’t recover it on your own, a good way to get it back is with Trusted Contacts.
Trusted Contacts are other Facebook users you assign to receive an account recovery request and a recovery code for you. Normally, you would call them first, tell them you got locked out of Facebook and they will receive a recovery code from Facebook.
Trusted Contacts serve as watchful intermediaries to prevent a hacker from impersonating you by sucessfully submitting an account recovery request in your name. Your Trusted Contacts need to verify it’s you making the request before you can get an account recovery code.
Here’s how you set up Trusted Contacts in Facebook:
- Go to Account > Settings & Privacy > Settings > Security and Login > Setting Up Extra Security
- Click Choose 3 to 5 friends to contact if you get locked out > Edit
- Click Choose friends
- Click Choose Trusted Contacts
- Enter at least 3 Facebook users you trust, such as your spouse, child or best friend
- Click Confirm
- Follow the instructions Facebook sends
Advanced Settings
The Advanced section has a few more security-related things you can dig into. The first two apply only in specific situations. The third really just applies when you’re researching an account hack.
Encrypted notification emails. This applies if you use OpenPGP to encrypt and decrypt your emails. Once you set it up only you can decrypt emails from Facebook.
Recover external accounts. This applies where you use Facebook single-sign on (SSO) to login to other apps or websites, you have set up separate passwords for those accounts through Facebook (see above), and you need to use your Facebook account to recover access those accounts.
See recent emails from Facebook. This let’s you see a log of your past Facebook emails. It could potentially be useful for investigating an account hack if the hacker changed the email address associated with your account to circumvent two-factor authentication.
Your Facebook Information
The Facebook Information section is where you can view and control the information Facebook has gathered about you. This includes personal data, images and activity. You can transfer or download your information. You can also deactivate and delete your Facebook account here.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Your Facebook Information
NOTE: Facebook describes how they use all this data in their Data Policy here (opens in a new window).
Viewing Your Information
To view your information click Access Your Information > View. Here you can delve into the various sections and see all the data Facebook collects on you. it’s a great way to identify areas you want to limit or turn off.
Downloading Your Information
Facebook allows you to download all or a selection of your data in HTML or JSON format. This is helpful if you plan to close your Facebook account, or you’re researching if somebody has gotten access to your account.
To start the download process click Download Your Information > View.
Reviewing your Activity Log
This lets you manually review your activity log, broken down by different categories of data. It could be helpful for researching Facebook account security issues, phishing messages, etc.
To review your Activity Log click Activity Log > View.
Controlling Your Off-Facebook Activity Data
Off-Facebook Activity is data about your behavior on other websites or apps. When you visit their site or app, you are “pixeled” using Facebook tracking code that contains information about the site content and how you interacted with it. This data is then sent to Facebook.
The purpose Off-Facebook Activity data is to enable retargeting ads and personalizing / controlling the content you see on Facebook. For example…
Off-Facebook Activity data is one of the most sensitive types of data Facebook gathers about you. It lets Facebook and third parties “profile” you based on your Internet activity. Facebook compiles the data and creates an extensive “digital dossier” on you. Facebook and their advertisers use this information to serve you ads (make money), understand your political affiliations, control your newsfeed and influence what you see on Facebook and elsewhere.
It’s imperative that you control how Facebook collects and uses your Off-Facebook Activity data. Off-Facebook Activity data is very powerful and very personal data. If you are concerned about your security, freedom and identity we strongly recommend minimizing the settings here.
To stop Facebook from collecting and tracking your Off-Facebook Activity data here’s what you need to do:
Step 1: Clear your history. Click Clear History > Clear History. This will delete all the old data Facebook has saved. It won’t stop new data from being collected, however.
NOTE: You can also clear your history by clicking Manage History > Clear.
Step 2: Turn off your Off-Facebook Activity. Click Manage Future Activity > Manage Future Activity > Toggle Future Off-Facebook Activity to OFF > then Click the Turn Off button on the next screen.
As shown in the screenshot above, there are a few things to keep in mind before you do this:
- It takes up to 48 hours to turn off, so you may need to go back in and delete some history afterward
- You will still get “pixeled” on third-party sites and apps. Facebook will use this data but won’t associate the activity with you any more.
- You will no longer be able to use Facebook single sign-on (SSO) for third party apps and websites.
- You will still get ads, but they will only be tailored to you based on your activity on Facebook, not off-Facebook.
Managing Your Information
This section of Facebook’s settings lets you change your privacy and security configuration in many critical areas. These include
- Face Recognition settings
- Ad preferences
- Privacy settings
- Security and login settings
- Deleting somethign you posted
- Tag settings and removing tags
- Facebook vs. Instagram settings
- etc.
To get started click Managing your information > View > select Facebook > select I want to manage my data
When you select from any of the options Facebook will take you to a separate page or section of the Settings & Privacy area. You can then explore or change your settings from there.
NOTE: Ignore the left side menu for now. Those settings are for enabling different Facebook features and apps.
Deactivation and Deletion
This is where you can disable or delete your Facebook account.
Deleting is self-explanatory and you will lose access to all your Facebook data.
Deactivation is temporary — it’s a good idea if you plan to travel overseas or suspect somebody is stalking or phishing you (or you simply need a Facebook time out!).
When you deactivate your account you can choose your reason. You can also choose to deactivate any Facebook pages you manage. If you want to deactivate Facebook Messenger, you need to specifically select that, as well.
Facebook Privacy Settings
The Privacy area lets you carefully control your privacy on Facebook, including who can see you, invite you, tag you, and many other things. It’s critical to lock your Privacy settings down to reduce the possibility of getting phished, impersonated, or profiled.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Privacy
This section is great for adjusting your post, friend requests, tags, and profile lookup access settings.
Here’s how you should set each option to maximize your security and privacy:
Your Activity
| Who can see your future posts? | Friends |
| Limit the audience for posts you’ve shared with friends of freinds or Public? | (NOTE: use only if you want to hide a specific old post or posts – this is very manual intensive) |
How People Find and Contact You
| Who can send you friend requests? | Friends of friends |
| Who can see your friends list? | Friends (NOTE: This reduces phishing attempts. Only Me may be too restrictive) |
| Who can look you up using the email address you provided? | Only me |
| Who can look you up using the phone number you provided? | Only me |
| Do you want search engines outside of Facebook to link to your profile? | No |
Timeline and Tagging
How your timeline posts are displayed and shared can significantly affect your Facebook security. Two critical things to remember here:
- Always limit who can see your posts to people you trust.
- Never allow yourself to be tagged. This makes it easy to find photos of you in order to impersonate you.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Timeline and Tagging
Here’s how you should set each option to maximize your security and privacy:
Timeline
| Who can post on your timeline? | Only Me |
| Who can see what others post on your timeline? | Friends |
| Allow others to share your posts to their stories? | Off |
| Hide comments containing certain words from your timeline. | Off |
Tagging
| Who can see posts you’re tagged in on your timeline? | Only Me |
| When you’re tagged in a post, who do you want to add to the audience of the post if they can’t already see it? | Only Me |
Review
| Edit Review posts you’re tagged in before the post appears on your timeline? | On |
| Review what other people see on your timeline. | View As |
| Review tags people add to your posts before the tags appear on Facebook? | On |
Stories
Stories are a relatively new feature on Facebook. So it’s likely that you have’t reviewed these privacy settings yet. Naturally, Facebook doesn’t default to the highest privacy setting. So here’s how you should set it:
| Allow others to share your public stories to their own story? | Don’t Allow |
| Allow people to share your stories if you mention them? | Don’t Allow |
Location
Unless you turn this setting off Facebook will compile and keep a highly detailed pinpoint log of your mobile device’s location at all times. This setting interacts with the location settings of your device, so you need to manage them together.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Location
Facebook uses location data constantly to personalize content and ads on your feed. Do you really want Facebook to know you’re on vacation and won’t be back home for two weeks? Yes, their AI can easily figure that out.
It’s important to note that even if you have your mobile device’s location tracking turned off, Facebook can still track your location (albeit at a less granular level) through the IP address of the network points where you access the Internet. It’s very difficult to prevent Facebook (or any app for that matter) from gathering at least some location data about you.
You should turn off Location History:
Location History
| Turn on Location History for your mobile devices? | Don’t Allow |
Blocking
Blocking is an essential feature of controlling your privacy and security on Facebook. It’s an additional layer of privacy beyond unfriending somebody. You should use it liberally.
Here you restrict or block other users from contacting you, becoming a friend, seeing what you post or seeing what you post to mutual friends’ timelines. You can also block apps, pages and invites.
You can also block exes, spammers, stalkers and annoying trolls.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Blocking
Manage Blocking
Here’s how we suggest setting up your blocking settings:
- Restricted list. Add users to a restricted list so they won’t see posts on Facebook that you share only to Friends. They may still see things you share to the Public or on a mutual friend’s timeline, and posts they’re tagged in.
- Block users. Blocked users can no longer see things you post on your timeline, tag you, invite you to events or groups, start a conversation with you, or add you as a friend. However, this does not include apps, games, or groups you both participate in.
- Block messages. You can block messages and video calls from someone here. This also blocks the Messenger app.
- Block app invites. Blocking app invites from someone will automatically ignore their future app requests. Click the “Ignore All Invites From This Friend” link under your latest request to block the invites from a specific friend.
- Block event invites. Blocking event invites from someone will automatically ignore their future event requests.
- Block group invites. If you block a person, you won’t receive any more group invites from them. They won’t be notified of this.
- Block groups. If you block a group, you won’t receive any more invites to join that group.
- Block apps. Once you block an app, it can no longer contact you or get non-public information about you through Facebook.
- Block Pages. A blocked page can no longer interact with your posts or your comments. You’ll also not be able to post to that page’s Timeline or message the Page. Any likes or follows of blocked pages will be removed.
NOTE: Blocking works in conjunction with your other security settings. Unless you block somebody, they may still be able to post garbage on your timeline, comment on your posts, tag you and message you. So blocking is a catch-all protection in case you forgot to update your other settings.
Face Recognition Settings
Facebook’s AI engine can instantly recognize you in photos and videos. We strongly suggest turning this off!
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Face Recognition Settings
Face Recognition
| Do you want Facebook to be able to recognize you in photos and videos? | No |
Notifications Settings
Notifications and where you receive them are generally about how interactive you want to be and how much you want to be engaged with Facebook throughout your day.
Generally speaking desktop and app notifications are more secure than SMS and email notifications. Beyond that, your preferences should drive your decision here.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Notifications
Mobile
The Mobile Settings section lets you set up and confirm your mobile number. If you set up two-factor authentication you likely already have your mobile number in here.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Mobile
If you ever lose your phone you can also report it lost here. That’s essential to block the Facebook app on that mobile device, and prevent the device from receiving Facebook login 2FA verification messages.
You can also add another backup mobile number by clicking the + Add another mobile phone number link. This can be yours or a friend/family member.
Public Posts
in the Public Post Filters and Tools section there are some more settings you can lock down to increase your privacy and security.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Public Posts
Here’s how you should set up your Facebook Public settings to increase your privacy and security:
| Who Can Follow Me | Friends |
| Public Post Comments | Friends |
| Public Post Notifications | Nobody |
| Public Profile Info | Friends |
| Comment Ranking | Off |
| Username | NOTE: For max security you should not use your real name for your username |
Apps and Websites
This section allows you to manage all the sites and apps where you use Facebook single sign-on (SSO) to login.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Apps and Websites
The top section shows the currently authorized apps, games and sites.
The bottom section allows you to manage the data and security sharing settings for each app, website or game. You can also specify whether an app can send you notifiications and who can use the app.
NOTE: Expired and removed apps may still have access to information that was previously shared with them, but can’t receive additional non-public information. Removed apps should have a link to their privacy policy that you can follow.
Business Integrations
The Business Integrations section shows third-party apps and sites that you’ve grante access to post or otherwise manage your Facebook account or Facebook pages.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Business Integrations
Your Ad Preferences
Your Ad Preferences can be controlled in the Ads section. Here you can review how Facebook has profiled you based on your activity and is using that information to serve you relevant ads.
Generally, the more you allow here, the more relevant the ads you see on and off Facebook will be to you. You cannot turn off ads on Facebook. If you reduce these ad personalization settings then Facebook will not be able to profile you accurately, but you will still see ads.
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Ads
You can explore and make changes to the following sections:
- Your Interests
- Advertisers and Businesses
- Your Information
- Ad Settings
- Hide Ad Topics
- How Facebook ads work (this is a good read if you’re interested)
Safety Center
https://www.facebook.com/safety
The Facebook Safety Center has further resources on keeping your account private and secure. This includes:
- Privacy Checkup
- Security Checkup
- Parents Portal (opens in new tab)
- Youth Portal (opens in new tab)
Click Account (upper right drop down arrow) > Settings & Privacy > Settings > Support Inbox > Safety Center
Privacy Checkup
Now that you’ve configured all your privacy settings, you can do a Privacy Checkup and Facebook will tell you wwhat information it’s sharing with others in a clear and easy-to-understand way.
To run a Privacy Checkup go to https://www.facebook.com/privacy/checkup/ (opens in new tab).
Security Checkup
The final step to see if your Facebook security settings are at maximum security levels is to do a Security Checkup on your account.
You can do this by clicking Security Checkup from the Safety Center above, or going directly to https://www.facebook.com/help/799880743466869/ and clicking “Start Security Checkup”.
If everything is OK and you’ve followed our Facebook security settings instructions above, you should see a success screen like this.
We hope this article has helped strengthen the security and privacy of your Facebook account.
For more information about Twitter security issues, see our posts Is Twitter Secure?
