
Your Facebook account is now more secure than your bank's (probably)

Protect those baby pics and political rants with hardware two-factor auth keys

By John Leyden, 26 Jan 2017

Facebook is upgrading its login defenses by rolling out support for hardware security keys.

The move means that Facebook addicts can make their logins far more resistant to phishing and account hijackings – and makes the site more secure than banks' online services that provide just single-factor authentication.

Users can log into Facebook by tapping on a USB key connected to their computer after entering their password. That key is paired with the netizen's Facebook account and emits a special string to the social network, via the browser, that authorizes the login.

So if a crook learns your password, that information is no good without your physical two-factor authentication key. Facebook offers two-factor authentication via text messages, but this isn't as reliable or secure as a separate hardware token.

FIDO-compliant Universal 2nd Factor (U2F) keys cost £16.00 ($20) from the likes of Amazon's marketplace and Yubico. NFC-capable keys can be paired with compatible mobile devices for mobile logins.

The same technology can be used to securely log into other services that support physical security keys for authentication, including Google, Dropbox, GitHub, Salesforce and others.

Press to confirm: hardware security keys for Facebook

Facebook’s blog post on adding security keys to accounts can be found here.

Facebook’s security team has previously estimated that 0.06 per cent of Facebook’s one billion-plus logins per day are compromised. It’s a small percentage, but it adds up to 600,000 dodgy logins per day.

Brad Hill, security engineer at Facebook, said: “We’re excited to offer people the additional option of using a security key to make logging into Facebook even more secure.”

The need for two-factor authentication is growing, in part because security breaches are becoming more prevalent. Recent security threats have shown that mobile push apps and SMS-based authentication do not offer enough protection against the latest sophisticated phishing and man-in-the-middle attacks.

Brett McDowell, executive director of the Fast IDentity Online (FIDO) Alliance, added: “By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen shared ’secrets’ like passwords and one-time-passcodes.” ®

The Register - Independent news and views for the tech community. Part of Situation Publishing