Facebook offers many ways to connect with friends and is a very effective tool for making new ones. However, that openness sometimes leads to security and privacy issues, and even if they start out as someone else's problem, they can very quickly become yours.
Below is a guide that works as of August 2020 to lock down your Facebook and be confident that your best security posture is applied when browsing Facebook.
This article is separated into a few different sections, as there are several ways to access Facebook, and several ways that Facebook can access your profile on other websites.
This feature (Trusted Contacts) lets you choose a small group of friends who can help you log back in if you get locked out.
Facebook gives each of those friends a security code, which they pass to you over another channel (in person, by phone), and entering the codes both verifies your identity and restores access to your account.
After you do this, go down to the Login settings on that page, and change your password:
I'd recommend changing your password using a password manager, e.g. 1Password or LastPass, so that it's randomized and unique to Facebook (and, since you never memorize it, it isn't something you can be pressured into disclosing). All you have to remember is the master password that unlocks the others, and I'd advise configuring the manager to re-prompt for the master password before it fills a saved password.
Disable your browser’s built-in password manager! – https://support.1password.com/disable-browser-password-manager/
I would advise that you NOT use the “Save your login info” feature, unless the device you’re signing into Facebook with is exclusively under your control and physical access.
I cannot stress enough how important it is to use 2FA/MFA (2 Factor Authentication/Multi-factor Authentication)
Essentially, enabling this option means that knowing your email and password is no longer enough to log in: Facebook will also require a 6-digit code that changes every 30 seconds, read from a device configured with an authenticator app such as Google Authenticator or LastPass Authenticator. Once it's enabled, you will not be able to log in to facebook.com without it.
The direct page for the settings is https://www.facebook.com/security/2fac/settings/
For backup authentication, I would recommend that you do NOT enable SMS: SMS codes are vulnerable to SIM swapping (also called SIM-jacking), where an attacker convinces your carrier to move your number to a SIM they control and then receives your codes.
Security Key (U2F, e.g. a YubiKey) and Recovery Codes (written down) are both a great idea to have enabled, as each is something you must physically have in order to log in. Recovery codes are best written on paper, so that if your computer is compromised your recovery codes are not at risk.
Authorized Logins is useful if you don't want to HAVE to enter a code every time on, say, a mobile device, since the device is pre-authorized. You can also use App Passwords to generate one-off passwords that log an app in without being your actual password; because they skip the second factor, I'd avoid them where possible.
"Get alerts about unrecognized logins" sends you a Messenger, Facebook and email notification whenever a successful login is detected from a device or location you haven't used before. It's worth enabling all of the notification options.
Advanced – Signed/Encrypted emails from Facebook
This option is for expert users who prefer to receive OpenPGP-signed (and optionally encrypted) email from Facebook. In the text field you paste YOUR OpenPGP PUBLIC key; saving it makes that public key visible on your profile, which is fine, since a public key is meant to be shared. Ticking the box then tells Facebook to encrypt its email notifications to your public key and sign them with its own key, so only a mail client holding your PRIVATE key can read them, and the signature can be checked against Facebook's public key, which you'll need to import into your email program's PGP keystore. A "Facebook" notification that fails signature verification should be treated as suspect.
If OpenPGP is something that interests you, then you can read more about it here:
Your Facebook Information
This page contains the settings under the subheadings below and controls the visibility of specific information you put on Facebook; anything you don't restrict defaults to Public, i.e. visible even to someone who is not logged in to Facebook.
OFA (Off-Facebook Activity)
The above URL shows you a list of websites and apps that have shared your activity with Facebook. I'd advise against "Clear History", as that wipes out the record of what you've used Facebook to log in to. Instead, if there's something that should no longer be associated with your Facebook account, click on the item and then "Turn off future activity from [APP]". The example below is from Pokemon GO, which requires you to log in via Facebook; if you don't play it anymore, you should turn it off.
To set the future default for off-site activity, go to:
Then you can toggle the slider to the off setting. This may require that you log in every time manually when an app requires a Facebook login, and data should not be saved to your Facebook account if future activity is disabled.
This page controls your overall visibility and the visibility of specific things. In the interests of time, I've settled on a default that keeps your profile hidden from the public and visible only to friends and friends of friends. It's not perfect, but it's a lot safer than leaving it public, where anyone can message you anything, and it limits your exposure.
If your profile has been Public since its creation, use the Limit Past Posts option to apply a custom visibility policy retroactively. I'll usually set this to Friends of Friends or Friends, so that prior posts whose visibility was never set are limited to whatever you choose here. You can still override this per post at the time of posting.
Your likes and public group memberships will still be public; there's no way to hide those.
Apps & Websites
This page controls which apps or games you've logged in to with Facebook. The setting used to be called "Platform". The "Apps, Websites and Games" option controls the global ability to log in with Facebook outside of a Facebook context; if you don't want to allow this, and you only want your Facebook login used to log in to Facebook itself, turn this option OFF.
On this page, under the Your Information accordion, you can disable/enable specific information from being shared with advertisers. Pretty simple to manage, so not a whole lot of explanation needed here.
This extension removes specific tracking-ID parameters from URLs you click on from Facebook, as well as from other websites. This helps to anonymize you when visiting links that are part of an ad campaign.
This extension sandboxes Facebook, and links clicked from Facebook, so they can't interfere with the other tabs you have open. It ensures isolation between regular sites and Facebook, so that your existing Facebook session is not available to third-party websites that embed Facebook widgets and would otherwise learn which user is logged in.
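Below is an added example (my own code, not the extension's) showing what such an extension does to a link: unwrap Facebook's `l.facebook.com/l.php?u=...` redirector if present, then drop the click and campaign identifiers from the query string. `fbclid` is the click ID Facebook appends to outbound links; the rest of the parameter list is an assumption chosen for illustration rather than the exact list any particular extension ships, and the sample URLs are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that identify the click or campaign rather than the content.
# fbclid is Facebook's click ID; the others are equivalents from other ad
# networks. Assumption: this list is illustrative, not any extension's real list.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "igshid", "mc_eid"}
TRACKING_PREFIXES = ("utm_",)

# Facebook wraps outbound links in its redirector and carries the real
# destination in the `u` parameter.
FACEBOOK_REDIRECTORS = {"l.facebook.com"}


def is_tracking_param(name: str) -> bool:
    """True if the query parameter only serves to track the click or campaign."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def unwrap_facebook_redirect(url: str) -> str:
    """Return the destination behind l.facebook.com/l.php?u=..., else the URL unchanged."""
    parts = urlsplit(url)
    if parts.netloc.lower() in FACEBOOK_REDIRECTORS and parts.path == "/l.php":
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # Only follow absolute http(s) destinations; ignore anything odd.
            if key == "u" and value.startswith(("http://", "https://")):
                return value
    return url


def strip_tracking(url: str) -> str:
    """Unwrap the redirector if present, then drop tracking query parameters."""
    url = unwrap_facebook_redirect(url)
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if not is_tracking_param(key)
    ]
    # urlencode returns "" for an empty list, so a URL that loses all its
    # parameters comes back without a dangling "?".
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample links of the kind you'd click in a Facebook feed.
    samples = [
        "https://example.com/article?id=7&fbclid=IwAR0abc&utm_source=facebook#top",
        "https://l.facebook.com/l.php?u=https%3A%2F%2Fexample.com%2Fshop%3Fitem%3D42%26fbclid%3DIwAR1xyz&h=AT0constructed",
    ]
    for link in samples:
        print(link, "->", strip_tracking(link))
```

Note that the unwrapping step also means the click never touches Facebook's redirector, so Facebook doesn't get to log which outbound link you followed at all.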
- Log off of Facebook, and ensure you are FULLY logged out (remove recent login from the login page if it’s there).
- Ensure that when you login to Facebook that you see https:// in the URL bar. If you don’t see the lock and https:// DO NOT LOG IN.
- Never use email or unencrypted mediums to transmit your Facebook password or email, as this has the potential to give an attacker/hacker information about your account.
- Use an email that’s separate from your personal email, e.g. an email that’s for Facebook only.
- Don’t click on videos or strange looking links sent to you via Messenger, even from Trusted friends, and especially not from people you don’t know personally.
- Review your login history every once in a while, Settings > Security & Login > Where you’re logged in, to ensure that your prior logins are valid and from the correct type of device and location. If you see one you don’t recognize, it’s probably time to change your password.
- Don’t share your personal Facebook URL on other websites where the visibility is public, this will open you up to being spammed.
- If you receive a link that you’re unsure of, check the link using Facebook OG Debugger