Identity & Access
Facebook Offers FIDO-based Authentication Option

Facebook is adding support for a FIDO-based Universal 2nd Factor (U2F) authentication key to its multi-factor authentication process. This does not replace Facebook’s existing SMS-based second-factor option, but adds a more secure alternative for the security-conscious user.
Passwords have long been considered a security problem. The theory behind passwords is sound, but the practice is consistently abused by both consumers and some websites. Consumers often choose weak passwords, and even more frequently re-use passwords across multiple sites. Websites do not all store their passwords securely: some keep them in cleartext and some use weak or compromised hashing algorithms. The effect is that regardless of the security in place at any one account — such as Facebook — accounts can still be compromised via legitimate user credentials stolen from elsewhere.

Attempts to solve this problem have led to the evolution of multi-factor authentication, with an additional SMS-delivered one-time code being the most popular. “Most people get their security code for login approvals from a text message (SMS) or by using the Facebook app to generate the code directly on their phone,” explains Facebook security engineer Brad Hill in a blog post today. “These options work pretty well for most people and in most circumstances, but SMS isn’t always reliable and having a phone back-up available may not work well for everyone.”

It’s a welcome option given that NIST recently declared that same-band SMS 2FA is no longer considered to be secure. If a user logs into Facebook from the same phone that receives the second factor, both factors travel over the same channel, and NIST would frown on that.

The new authentication key avoids these issues and simultaneously increases security. The second factor is held within the USB key itself, so there is nothing for the user to remember or type in.

Hill claims three specific advantages. Firstly, it makes the account ‘practically immune’ to phishing “because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.” An attacker would need to have both the user’s password and the physical token to access the account.

Secondly, the key is interoperable with any account that supports U2F — such as Google, Salesforce and Dropbox. This means that any user who already has a U2F key can simply add the details to Facebook’s login approvals option and use the same key.

Thirdly, says Hill, “If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.”
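To make Hill’s ‘cryptographic proof that it’s in your machine’ concrete, here is an added example (not Facebook’s or the FIDO Alliance’s code) that models a U2F login in Go. The message the key signs follows the U2F layout (SHA-256 of the app ID, a user-presence byte, a signature counter, and the SHA-256 of the challenge data); for simplicity the simulated key stores one key pair per origin in place of U2F’s key-handle mechanism, and the origin and challenge values are constructed. The example also checks the signature counter, which U2F uses to detect cloned keys and replays even though the article does not mention it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed app ID (origin) the key is registered to in this example.
const facebookOrigin = "https://www.facebook.com"

// Authenticator models the USB key: one P-256 key pair per origin it has
// been registered with, plus a signature counter. Private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair bound to origin and hands back only the public key.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// signedData lays out what a U2F key signs:
// SHA-256(appID) || user-presence flag || 4-byte counter || SHA-256(clientData).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	msg := append([]byte{}, app[:]...)
	msg = append(msg, 0x01) // user presence: the user tapped the key
	msg = append(msg, ctr...)
	return append(msg, cd[:]...)
}

// Sign answers a challenge. The browser, not the web page, reports the origin
// it is really connected to, so a look-alike site cannot borrow the real one.
func (a *Authenticator) Sign(origin string, clientData []byte) (uint32, []byte, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return 0, nil, errors.New("key refuses: not registered for origin " + origin)
	}
	a.counter++
	digest := sha256.Sum256(signedData(origin, a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// Server models the relying party: it keeps the public key and the last counter seen.
type Server struct {
	appID   string
	pub     *ecdsa.PublicKey
	lastCtr uint32
}

// Challenge is the random nonce issued for each login attempt.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts the login only if the signature covers this site's app ID and
// the challenge it issued, and the counter moved forward (no replay, no clone).
func (s *Server) Verify(challenge, clientData []byte, counter uint32, sig []byte) error {
	if !bytes.HasPrefix(clientData, challenge) {
		return errors.New("client data does not carry our challenge")
	}
	if counter <= s.lastCtr {
		return errors.New("counter did not advance: replay or cloned key")
	}
	digest := sha256.Sum256(signedData(s.appID, counter, clientData))
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return errors.New("signature not valid for this app ID")
	}
	s.lastCtr = counter
	return nil
}

// Login runs one attempt: the browser reports browserOrigin to the key while
// the server still verifies against its own app ID. Returns nil on success.
func Login(key *Authenticator, srv *Server, browserOrigin string) error {
	challenge := srv.Challenge()
	clientData := append(append([]byte{}, challenge...), []byte(browserOrigin)...)
	ctr, sig, err := key.Sign(browserOrigin, clientData)
	if err != nil {
		return err
	}
	return srv.Verify(challenge, clientData, ctr, sig)
}

// Setup registers one constructed key with one constructed relying party.
func Setup() (*Authenticator, *Server, error) {
	key := NewAuthenticator()
	pub, err := key.Register(facebookOrigin)
	if err != nil {
		return nil, nil, err
	}
	return key, &Server{appID: facebookOrigin, pub: pub}, nil
}

func main() {
	key, srv, err := Setup()
	if err != nil {
		panic(err)
	}
	fmt.Println("real site:    ", Login(key, srv, facebookOrigin))
	fmt.Println("look-alike:   ", Login(key, srv, "https://facebook-login.example"))
}
```

The point to notice is that the user never sees or types anything: the browser binds the signature to the origin it actually loaded, the server binds it to the challenge it actually issued, and a login relayed through a look-alike domain fails on both counts. This is what makes the factor immune to phishing in a way an SMS code, which the user can be talked into typing anywhere, is not.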


Brett McDowell, executive director of the FIDO Alliance, adds, “By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen ‘shared secrets’ like passwords and one-time-passcodes.”

Facebook’s security key authentication currently only works with the latest version of Chrome and Opera, and doesn’t support the mobile Facebook app. “But if you have an NFC-capable Android device with the latest version of Chrome and Google Authenticator installed, you can use an NFC-capable key to log in from our mobile website,” writes Hill.

The new option is being well-received by the security industry. “The move to adding hardware-based security keys is a huge step for Facebook to provide an additional layer of security for their users,” Nathan Wenzler, chief security strategist at AsTech Consulting told SecurityWeek. “Hopefully, more sites will follow Facebook’s efforts here and support these types of security keys in order to better protect their users from having their accounts compromised by hackers or any other non-authorized party.”

It also adds a welcome boost to the FIDO ecosystem. “Today we cross a major milestone in the growth of the FIDO ecosystem as Facebook endorses FIDO authentication standards by making this capability available to its billions of users,” says McDowell. “Consumers can purchase a security key from one of many FIDO Certified vendors in order to more securely access Facebook alongside Google and many other leading online services,” he adds.

Prices on Amazon range from $8.00 to around $50.00.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
