Facebook has upgraded the login security for its 1.79 billion users by integrating the unphishable protection of the FIDO U2F (universal 2nd factor authentication) Security Key into its social platform.
This means Facebook users, from individuals to the largest organizations, can have peace-of-mind knowing their account is safe and protected with a simple touch of a Security Key, such as the YubiKey. In the same way that people have keys to their car and home, they can now have a physical key protecting their Facebook profiles.
This also means that all the services accessed by logging in with Facebook accounts are protected too. The same Security Key can be used for logging in to the growing list of services supporting U2F, including Google, Dropbox, GitHub, Salesforce and many more.
Starting today, you can register a physical security key to your account so that the next time you log in after enabling login approvals, you’ll simply tap a small hardware device that goes in the USB port of your computer. Security keys can be purchased through companies like Yubico, and the keys support the open Universal 2nd Factor (U2F) standard hosted by the FIDO Alliance.
The need for two-factor authentication (logging in with something you have and something you know) grows daily as headlines about breaches and hacked passwords continue to emerge. However, recent security threats have shown that mobile push apps and SMS-based authentication do not offer enough protection against the latest sophisticated phishing and man-in-the-middle attacks.
If users currently have a U2F-supported YubiKey and a Facebook profile, they can go into their Facebook security settings and set it up now (a link at the Yubico blog shows how to do this). Those who don’t have a YubiKey can purchase one (or two, as Yubico recommends having a backup). Once a U2F Security Key or YubiKey is registered and authenticated with a Facebook account, users don’t need to use the key again to log in to Facebook on that device until they clear the browser’s cache.
Using security keys for two-factor authentication provides a number of important benefits:
- Phishing protection: Your login is practically immune to phishing because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.
- Interoperable: Security keys that support U2F don’t just work for Facebook accounts. You can use the same key for any supported online account (e.g. Google, Dropbox, GitHub, Salesforce), and those accounts can stay safe because the key doesn’t retain any records of where it is used.
- Fast login: If you use a security key with your desktop computer, logging in is as simple as a tap on the key after you enter your password.
Facebook considers the device as “trusted” for convenience. This means if a hacker attempts to log in to your account from another device, they will be blocked unless they also happen to have the password and the physical key. All mobile users will benefit from the extra security provided by security keys and two-factor authentication. If users have an Android phone that supports NFC, they can use a YubiKey NEO key to authenticate to Facebook’s mobile site.
“We’re excited to offer security keys as an additional option to make login to Facebook even more secure. We’re grateful to Yubico for the support and feedback they’ve provided,” said Brad Hill, Facebook Security Engineer.
Yubico and Google co-created U2F with the vision to deliver easy-to-use, strong public key cryptography for internet scale. Yubico developed the first FIDO U2F authenticator, published free and open source code for clients and servers, and we continue to drive this work within open standards organizations, including the FIDO Alliance and W3C.
A study on internal and external Security Key usage by Google validates that U2F is one of the most secure, easy to use, and cost-efficient authentication technologies. And as users can have multiple affordable backup keys, support calls have been significantly reduced compared to phone authenticators.
Historically, strong authentication has been tied to users’ real identities, or a central service provider. During the U2F development work, Yubico’s CTO, Jakob Ehrensvard, introduced the concept of an authenticator that works across any number of services, with no shared secrets. This allows users to be anonymous, and have multiple, yet secure identities. Today, U2F and YubiKeys are used to protect the privacy of individuals and organizations in 160 countries.
In a time when security breaches have become a serious threat to our trust in the internet, FIDO U2F offers a secure link between the user and the services we connect to. It’s an open standard, not controlled by governments or corporations, but a simple way for users to take control over their own security and internet privacy. Today’s support in Facebook is an important milestone for making the internet safer for everyone.




