Best practices for making a business portfolio more secure

To help keep your business portfolio secure and protect your business and accounts from bad actors or unauthorized activity, follow these best practices and recommendations.

If you have full control of the business portfolio, you can go to the Security Center to see if you’ve been urged to take action on any of the following security improvements. You can also track the progress of completing these recommended tasks.

Remove inactive users

Bad actors often target inactive accounts in an effort to gain access to a business portfolio. Remove people who haven't logged into the portfolio within the past 90 days, especially those with full control of the portfolio. Learn more about how to remove people from your business portfolio.

Close or remove inactive ad accounts

Bad actors are more likely to target ad accounts that haven’t run ads within the last year. Close or remove ad accounts you no longer need. Note: Ad accounts can’t be deleted from the portfolio. Learn more about how to close an ad account that's in a business portfolio.

Remove users without two-factor authentication

People who don’t have two-factor authentication set up pose a security risk. Remove them from the portfolio until they have set it up using their Facebook account.

Remove users with public email domains

Bad actors often use public email domains to create email addresses anyone can get in order to gain access to a business portfolio. Remove users whose email addresses aren’t related to your business.

Limit number of users with full control of the business portfolio

Having too many users with full control of the business portfolio may pose a security risk. Limit full control to only those who need it, ideally 10 or fewer people.

Learn more about how to change people’s access to a business portfolio.

Add another review of your ads with peer approval

Bad actors often run unauthorized ads, and these ads may be published without requiring a peer review. To require a review by a trusted user before ads are published, set up ad account and domain security in peer approval.

Learn more about how to add a second review with peer approval

Remove users detected with possible malware

Malware is malicious software that could lead to harmful activity in a business portfolio. Remove people from the portfolio who may have malware on one of their devices.

Learn more about protecting your accounts from malware.

Review shared credit lines with suspicious activity

Bad actors may gain access to shared credit lines to run their own ads. Review your credit lines and the businesses they’re shared with. Remove any that have suspicious or unauthorized activity.

Learn more about billing and payments.

Here are some additional actions you can take to help make your business portfolio more secure.

Set up passkeys

Set up passkeys for every Facebook user in your business portfolio, particularly admins. Passkeys are a stronger, more secure two-factor authentication method than SMS codes, helping protect access to your portfolio settings.

Learn more about how to create a passkey to access your portfolio settings.

Avoid two-factor authentication issues

To avoid login issues with two-factor authentication:

• Use an authenticator app. Remember to back up your authenticator app in case you lose access to, or switch, your device.
• Set up multiple methods, including saving your recovery codes. This way you can still access your business portfolio, even if you lose one of the recovery methods.
• Update your phone number in your Facebook account settings after changing your mobile phone number to make sure you can receive security codes by text message or SMS.

Learn more about how two-factor authentication works on Facebook.

Make sure 2 people have full control of the business portfolio

It’s recommended (but not required) that 2 active people have full control of a business portfolio. Also known as “second admin approval,” this provides additional security by adding a second layer of approval to sensitive actions, such as requests to share credit lines or change the access of someone with full control of the portfolio.

Having more than one person with full control also ensures someone else has top-level access to the portfolio in the event that one of your accounts or business assets shows suspicious activity.

Learn more about how to change people’s access to a business portfolio.

Report suspicious or unauthorized activity

If you notice suspicious or unauthorized activity, contact our support team.

Audit people’s level of access

Perform an audit of people in your portfolio to make sure they don’t have more permissions than they need. People with full control of the portfolio can export a file with users’ permissions from the People tab in Meta Business Suite's Settings. You’ll also find information on when they were last active and whether they have two-factor authentication turned on. Note: People who have been invited to join your portfolio but have not yet accepted are not included in this report.

Learn more about how to download people permissions.

Monitor business portfolio activity

Review your business history, a file of important events that occurred in your portfolio, to look for any unauthorized activity, such as changes to portfolio details, business assets and people. You can download your business history from the People tab or Business info tab in Meta Business Suite's Settings.

Learn more about how to download your business history.