Jefferson Graham, USA TODAY Published 7:41 p.m. ET Feb. 16, 2018 | Updated 10:14 p.m. ET Feb. 16, 2018
Facebook is one of the progressive security sites that offers and supports U2F, and does it very well. I don't use FB (very little anyway) but my spouse does. I set up U2F on her account so that only her specific device OR a U2F credential pass allows a sign in to the account. Even without the screw-up on FB's end with texts, U2F is light years more secure and easier. That would be my recommended solution since the site is so advanced and supports the newest authentication! We already own multiple "encrypted chips" so there was no additional cost for the better security. Bonus: nobody can send "ads" to an encrypted chip, LOL!
@Palancar - one trouble with the relatively few sites that support U2F (I neither know nor care about FB) is that they also "demand" the phone number, nominally for SMS account recovery (in fact, to identify you). However, this of itself can destroy much of the good protection that you had with U2F to start with. The trouble is, secure account recovery is quite hard when you have to cater for most people's record-keeping abilities and inclinations. My personal preference would be a secondary registered TOTP Authenticator recovery, because you can keep & replicate non-dongle based copies of the secrets, which you cannot with U2F.
Let me use my REAL NAME Gmail Acct as an example. It is full U2F, and my defined backup (for a lost/broken chip) is a "code list" kept in a safe place. Of course that "code list" was generated by Google's server for me as account holder. Without one of those I would be dead in the water! The code list is completely printed out and not on a hard disk anywhere in my house or on my mobile device. While Google has my phone number it is of no value in resetting my account, in theory. Also, if someone attempts to log in from a foreign device without U2F I get a text within seconds. I feel completely safe and secure. I do admit I would never use the same process for a pseudo name such as Palancar. Since almost all of the traffic on that Gmail account contains numerous links to my real name there would be no point in trying to anonymize who the email account holder really is --- ME. The same would be true for my wife's FB account and that U2F process.
@Palancar - I think your setup is good, the way you've chosen to configure the options. From what I've seen, Google is one of the few that has a sufficient suite of options on this - possibly because they've been taking their own medicine. I like the printed OTP as a backup. That's OK.
Facebook’s new two-factor authentication process no longer requires a phone number: You can use an authenticator app instead (May 23, 2018)
https://www.theverge.com/2018/5/23/...actor-authentication-process-app-phone-number