Meta, formerly known as Facebook, is retiring its Code Generator authentication element as part of a broader update to its user security settings.
The Code Generator feature allows users to log in on another device by using a code generated by their phone, but according to Meta’s Head of Security Policy, Nathan Gleicher, the feature is vulnerable to attacks and was created before push notifications became widely adopted in the industry.
The new update aims to provide more robust forms of two-factor authentication and help avoid redundancies that can introduce security risks.
“Our in-app code generator was created before push notifications became widely adopted in our industry as a way to authenticate user sessions. We’re sunsetting the older approach to move the small portion of people who may still use it to more robust ones. It helps avoid redundancies (which can introduce their own security risks), so we’re following best practices to consolidate.”
The update is likely to have a minimal impact, as only a small portion of Facebook users still use the Code Generator feature.
However, those who rely on it will need to switch to other forms of two-factor authentication, such as Google Authenticator, security keys, or Meta’s upcoming verification method that uses missed calls to authenticate user sessions.
Twitter is also moving away from SMS-based two-factor authentication to reduce telecommunications charges, and Meta is likely to follow suit by guiding users toward more cost-effective authentication methods. However, SMS-based two-factor authentication will still be available on Meta for the time being, and there are no plans to make it a Meta-verified exclusive.
The retirement of the Code Generator feature is part of Meta’s ongoing efforts to enhance user security and consolidate best practices. As a result, users are encouraged to keep their security settings up to date and take advantage of the latest authentication methods available to them.