Unfortunately, Facebook (and Google) don’t make authentication particularly easy. And to make matters worse, both companies have the habit of changing their menu options to confound even those who have done it previously.
My recommendation is to use a web browser, rather than mobile apps, for these activities. This is because you’ll want the additional screen real estate and some of the options are more difficult to find in mobile apps.
Adding authenticators to your Facebook account
Start by clicking on your name in the upper right of the screen and go to the three horizontal dots next to the 'Edit Profile' box. Select 'Profile and Tagging Settings' then 'Security and Login' from the left-hand menu options. You should see a list of where you're currently logged in — if you don’t recognize the location or the operating systems listed, there's a three dot menu which you can select to log out of that session.
This is a good time to change your account password, and make sure you choose something unique, as Facebook says on the settings page.
The next section is where you set up your additional authentication factors. Facebook breaks this down into three subsections: one to enable 2FA, another where you can review devices that don’t require any login codes (you should check the 'View' option and then turn this feature off), and a section where you can enable your Facebook login credentials to log in to particular apps. (I would also recommend not doing this.)
Click the 2FA 'Edit' button and you'll be asked to re-enter your Facebook password. You will have two options on the next screen. Once you turn on the 2FA option, you'll see the following screen:
The first method is adding a smartphone authenticator app, such as Google Authenticator, Duo, Authy, or any of the others. When selecting this method, you'll see a screen that displays a QR code. Bring up the app on your phone, add a new login, and scan the QR code with the app's camera to add Facebook to the list of places that can use this login method. When it's time to log in, you'll bring up the app on your phone, locate the line for Facebook and type the six-digit code it displays into the login box on your web browser. (The code changes every 30 seconds, so make sure you have the time to enter it correctly!)
The second option is to use a hardware security key, such as the Google Titan or one of the Yubico keys. You may wonder why anyone would go with this option over using an authenticator app. It's due to the fact that security keys are the absolute best security you can have for your account, but it does mean you have to carry around the physical key if you want to access your account from a new device. If you do go this route, I recommend getting at least two keys and keeping them in different locations (such as your car and your home). When enabling 2FA, choose to add a new key — you'll be prompted to insert it into your USB port and then press the button to transmit the key and register the device.
Below these options is another section where you can add your phone number as a backup method. Sadly, you can’t turn this off.
Earlier, I mentioned not using your Facebook login for any other places. If you go back to the main settings menu and scroll down to the 'Apps and Websites' section, you’ll see another series of options. You want to ensure that the 'Apps, Websites and Games' section is turned off. This will prevent you from playing any Facebook Gameroom games or sharing your Facebook comments on other websites. If this is a big deal for you, understand that you are accepting some additional risks. If you have a lot of apps listed, you have to revoke their access individually.
Facebook also warns you that when you revoke access, you might have some residue of your data on the third-party site. However, it also provides some helpful information about when this site accessed your data and other details that can show you exactly what has been collected from the account.
Adding authenticators to your Google account
Let’s move on over to Google and start with this page on your Google Account. As with Facebook, you can see where you have been accessing your account by device and you can sign them out if you don’t recognize them. And like Facebook, you can also see the third-party apps that you have granted access to your data, where you can also remove them individually. You can click on the little 'i' button to get more details about when you granted access and what specific information that third-party is using.
At the bottom of this screen is a link to Google’s password manager, where you can see the stored passwords that Google uses to log you into other websites. You might want to delete these and just use your own password manager instead. I was surprised to find a bunch of websites and outdated logins (phew!), so I just deleted these sites. It just shows you how much stuff Google keeps track of, and for how long (i.e. forever). There are some other things shown on this page, which is useful if you want to explore the other security tune-up options that Google has nicely provided.
But let’s continue to our final destination: setting up the authentication factors in the Account Security page. After you get to this link, scroll down to the 'Signing in to Google' section. There are three entries: when you last changed your account password, the two-step verification section, and the app passwords section.
Let’s pick two-step verification; after re-entering your account password you will be able to turn this option on. Next, add the various methods as we did with Facebook, including keys and the Google Authenticator app. (Google doesn’t say it explicitly on this page, but it does support other authenticator apps. You just substitute the six-digit code from Authy or whichever app you use. Authy has a more detailed set of instructions that you can use to set up any authenticator app.)
What about using Google and Facebook on your other devices?
So far, we've discussed setting up Google and Facebook on your computer using the web browser. What about when you want to use a phone or tablet and the native mobile app? In this case, you will still need to use an authenticator app or a hardware key to complete your login. If your phone has a USB port or the ability to read the key via an NFC connection, that's great. But if not, you will have to make use of another key or use the authenticator app.
As you can see, working through the various steps of setting up authentication takes a bit of time. Even so, having these additional authentication factors will give you the peace of mind of knowing that your accounts are secure.