Facebook Offers FIDO-based Authentication Option

Facebook is adding support for a FIDO-based Universal 2nd Factor (U2F) authentication key to its multi-factor authentication process. This does not replace Facebook’s existing SMS-based second-factor option, but adds a more secure alternative for the security-conscious user.

Passwords have long been considered a security problem. The theory behind passwords is sound, but it is consistently abused by both consumers and some websites. Consumers often choose weak passwords, and even more frequently re-use passwords across multiple sites. Not all websites store their passwords securely: some keep them in cleartext and some use weak or compromised hashing algorithms. The effect is that regardless of the security in place at any one account — such as Facebook — accounts can still be compromised via legitimate user credentials stolen from elsewhere.

Attempts to solve this problem have led to the evolution of multi-factor authentication, with an additional SMS-delivered one-time code being the most popular. “Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone,” explains Facebook security engineer Brad Hill in a blog post today. “These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone.”

It’s a welcome option given that NIST recently declared that same-band SMS 2FA is no longer considered secure: if a user were to log into Facebook from the same phone that is used to receive the second factor, NIST would frown.

The new authentication key avoids these issues and simultaneously increases security. The second factor is held within the USB key itself, so there is nothing for the user to remember or type in. 

Hill claims three specific advantages. Firstly, it makes the account ‘practically immune’ to phishing “because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.” An attacker would need to have both the user’s password and the physical token to access the account.

Secondly, the key is interoperable with any account that supports U2F — such as Google, Salesforce and Dropbox. This means that any user who already has a U2F key can simply add the details to Facebook’s login approvals option and use the same key.

Thirdly, says Hill, “If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.”

Brett McDowell, executive director of the FIDO Alliance, adds, “By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen ‘shared secrets’ like passwords and one-time-passcodes.”

Facebook’s security key authentication currently only works with the latest version of Chrome and Opera, and doesn’t support the mobile Facebook app. “But if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website,” writes Hill.

The new option is being well-received by the security industry. “The move to adding hardware-based security keys is a huge step for Facebook to provide an additional layer of security for their users,” Nathan Wenzler, chief security strategist at AsTech Consulting told SecurityWeek. “Hopefully, more sites will follow Facebook’s efforts here and support these types of security keys in order to better protect their users from having their accounts compromised by hackers or any other non-authorized party.”

It also adds a welcome boost to the FIDO ecosystem. “Today we cross a major milestone in the growth of the FIDO ecosystem as Facebook endorses FIDO authentication standards by making this capability available to its billions of users,” says McDowell. “Consumers can purchase a security key from one of many FIDO Certified vendors in order to more securely access Facebook alongside Google and many other leading online services,” he adds. 

Prices on Amazon range from $8.00 to around $50.00.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
