Facebook Now Supports Passkeys, and You Should Probably Use Them

Passkeys are much more secure than passwords.

Jun 18, 2025 - 19:40

If you've had a Facebook account for long enough, you probably know people who have had their accounts "hacked." Maybe this happened to your own account—one minute, you're minding your own business, the next, your friends and family send you texts asking, "Why did you send me this?" and "Were you hacked?"

See, your Facebook wasn't "hacked," so much as it was "accessed." Someone figured out your password, either by guessing it, tricking you into sending it, or through a data breach, and logged in on your behalf. If you had two-factor authentication (2FA) set up, the chances of this happening would have been much lower, but not impossible. That's where passkeys come in.

Facebook and passkeys

Good news: Facebook now supports passkeys. Meta announced the news in a blog post on Wednesday, saying the authentication method will roll out to iOS and Android devices "soon," while Messenger will get the feature "in the coming months." For what it's worth, I see the option to create passkeys now on the iOS Facebook app.

Meta seems pretty excited about the news—and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock your encrypted Messenger chats.

Typically, Meta is near the bottom of my list when it comes to companies that care about user privacy and security. But passkey adoption is a good thing for Facebook accounts everywhere. In fact, when you have the chance, you should probably set one up.

Why use a passkey

Passkeys combine the convenience of a password with the security of 2FA. Unlike passwords, you don't choose a series of words, characters, or numbers to enter each time you want to log into your account. Instead, you set up a passkey with your device itself, like your smartphone. When you need to authenticate yourself, you do so on your device, through a face scan, fingerprint scan, or PIN. Your device then confirms your identity with the service in question, which then lets you into your account.

Since there's no password or phrase, passkeys are effectively phishing-proof: Hackers can't trick you into sharing your password with them, since there's nothing to share, and you won't need to worry about Meta losing your passkeys in a data breach. 2FA can also prevent bad actors from breaking into your account if they know your password, but even 2FA is susceptible to phishing. Since most 2FA uses a numeric code, hackers may convince you to send the code to them. Without the device tied to the passkey, however, hackers are out of luck.
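The phishing resistance described above comes from WebAuthn, the protocol underneath passkeys: the browser writes the site's real origin into the data the device signs, and the server holds only a public key. The Node.js code below is an added example, not code from Meta or from the original article; it assumes a reduced message layout (type, challenge, origin, RP ID hash, flags, counter), and `example.com` and the look-alike host are constructed.

```javascript
const nodeCrypto = require('node:crypto');
const RP_ID = 'example.com';             // constructed relying party (assumption)
const RP_ORIGIN = 'https://example.com';
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the key pair is made on the device; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, server: { publicKey } };
}

// Client side: the browser (not the page or the user) writes the origin it is really on.
function getAssertion(device, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = SHA-256(RP ID) || flags (0x05: user present + verified) || counter
  const authenticatorData = Buffer.concat([
    sha256(new URL(origin).hostname), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: nodeCrypto.sign('sha256', signed, device.privateKey) };
}

// Server side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(server, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'stale or foreign challenge';
  if (client.origin !== RP_ORIGIN) return 'wrong origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'wrong RP ID';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, server.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const { device, server } = register();
  const challenge = nodeCrypto.randomBytes(32);
  const genuine = getAssertion(device, challenge, RP_ORIGIN);
  // Constructed look-alike origin that relays the real site's challenge.
  const relayed = getAssertion(device, challenge, 'https://examp1e-login.test');
  // The relayed signature re-wrapped in the genuine site's data.
  const rewrapped = { ...genuine, signature: relayed.signature };
  return {
    genuine: verifyAssertion(server, challenge, genuine),
    relayed: verifyAssertion(server, challenge, relayed),
    rewrapped: verifyAssertion(server, challenge, rewrapped),
    replayed: verifyAssertion(server, nodeCrypto.randomBytes(32), genuine) };
}
console.log(demo());
```

In a real browser the look-alike page would not be offered the credential in the first place, because authenticators scope each passkey to its RP ID; the server-side checks shown here are the second layer.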

Once properly set up, logging into your accounts is as easy as a face scan or a quick PIN entry on your phone—simple, yet secure.

Meta (specifically Facebook in this case) is far from the only platform to offer passkeys. Companies including Apple, Google, Microsoft, and even X have been adopting the security measure over the past couple of years. In fact, Microsoft now makes passkeys the default authentication option when setting up a new account.

How to set up a passkey for Facebook

Once support for passkeys rolls out to your Facebook app, you'll find your settings in Accounts Center. You can pull this up in the Menu tab, by tapping the down arrow next to your name and choosing "Go to Accounts Center."

In Accounts Center, choose "Password and security," then tap "Passkey." From here, tap "Create passkey." Tap "Create passkey" on the pop-up, then enter your current Facebook password. Your device will invite you to confirm passkey creation (on iPhone, for example, you can use Face ID to finish setting up the passkey).

All that said, creating a passkey won't delete your Facebook password. It still exists, as Meta relies on it for signing into Facebook on other devices. (Some companies have alternative methods to ensure that you can sign in without needing the original device that created the passkey.) As such, make sure that your Facebook password is strong and unique (do not use the same password for Facebook as any of your other accounts), and set up 2FA for the times you do use a password. (Avoid SMS-based 2FA if you can.)