Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Facebook Offers FIDO-based Authentication Option

Facebook is adding support for a FIDO-based Universal 2nd Factor (U2F) authentication key to its multi-factor authentication process. This does not replace Facebook’s existing SMS-based second-factor option, but adds a more secure alternative for the security-conscious user.

Facebook is adding support for a FIDO-based Universal 2nd Factor (U2F) authentication key to its multi-factor authentication process. This does not replace Facebook’s existing SMS-based second-factor option, but adds a more secure alternative for the security-conscious user.

Passwords have long been considered a security problem. The password theory is good; but is consistently abused by both consumers and some websites. Consumers often choose weak passwords, and even more frequently re-use passwords across multiple sites. Websites do not all store their passwords securely: sometimes in cleartext and sometimes with poor or compromised hashing algorithms. The effect is that regardless of the security in place at any one account — such as Facebook — accounts can still be compromised via legitimate user credentials stolen from elsewhere.

Facebook Security KitsAttempts to solve this problem have led to the evolution of multi-factor authentication; with an additional SMS-delivered one-time-code being the most popular. “Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone,” explains Facebook security engineer Brad Hill in a blog post today. “These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone.”

It’s a welcome option given that NIST recently declared that same-band SMS 2FA is no longer considered to be secure. If a user were to log into Facebook from the same phone as that is used to receive the second factor, then NIST would frown. 

The new authentication key avoids these issues and simultaneously increases security. The second factor is held within the USB key itself, so there is nothing for the user to remember or type in. 

Hill claims three specific advantages. Firstly, it makes the account ‘practically immune’ to phishing “because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.” An attacker would need to have both the user’s password and the physical token to access the account.

Secondly, the key is interoperable with any account that supports U2F — such as Google, Salesforce and Dropbox. This means that any user who already has a U2F key can simply add the details to Facebook’s login approvals option and use the same key.

Thirdly, says Hill, “If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.”

Brett McDowell, executive director of the FIDO Alliance, adds, “By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen ‘shared secrets’ like passwords and one-time-passcodes.”

Facebook’s security key authentication currently only works with the latest version of Chrome and Opera, and doesn’t support the mobile Facebook app. “But if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website,” writes Hill.

The new option is being well-received by the security industry. “The move to adding hardware-based security keys is a huge step for Facebook to provide an additional layer of security for their users,” Nathan Wenzler, chief security strategist at AsTech Consulting told SecurityWeek. “Hopefully, more sites will follow Facebook’s efforts here and support these types of security keys in order to better protect their users from having their accounts compromised by hackers or any other non-authorized party.”

It also adds a welcome boost to the FIDO ecosystem. “Today we cross a major milestone in the growth of the FIDO ecosystem as Facebook endorses FIDO authentication standards by making this capability available to its billions of users,” says McDowell. “Consumers can purchase a security key from one of many FIDO Certified vendors in order to more securely access Facebook alongside Google and many other leading online services,” he adds. 

Prices on Amazon range from $8.00 to around $50.00.

Written By

Click to comment

Expert Insights

Related Content

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Identity & Access

Strata Identity has raised $26 million in a Series B funding round led by Telstra Ventures, with additional investment from Forgepoint Capital, Innovating Capital,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...