Facebook Rolls-Out 2FA Hardware Keys for Log-Ins

Facebook has made a further move to improve log-in security for account users by announcing support for two-factor authentication (2FA) hardware keys.

The keys themselves have to be purchased by users and conform to the Universal 2nd Factor (U2F) standard from the FIDO Alliance.

Facebook already offers 2FA to its users, but only via text message or the Facebook app.

“These options work pretty well for most people and in most circumstances, but SMS isn't always reliable and having a phone back-up available may not work well for everyone,” explained security engineer, Brad Hill.

“Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you'll simply tap a small hardware device that goes in the USB drive of your computer.”

The main security benefit of a hardware key is that hackers can sometimes intercept SMS-based 2FA via Man in the Middle attacks.

Securing account access in this way will make it virtually immune to phishing attempts, and the keys can work with other FIDO Alliance members, including Google and Dropbox.

The keys will only work with Chrome and Opera at the moment, and aren’t supported on the Facebook app. However, users with NFC-enabled Android device can use NFC supporting keys to log-in to Facebook, as long as they have the latest version of Chrome and Google Authenticator.

“By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen 'shared secrets' like passwords and one-time-passcodes,” argued Brett McDowerll, executive director at the FIDO Alliance.

“Facebook is now using FIDO authentication to give consumers the ability to take control of their online security and protect themselves from being victims of the most pervasive attacks on the internet today.”

What’s Hot on Infosecurity Magazine?