Amid mounting criticism of Facebook’s attitude to its users’ privacy and safety, the social network has announced that it is introducing a two-factor authentication system in an attempt to prevent unauthorised logins to accounts.
The idea is that if you log into your Facebook account from a computer or mobile device that Facebook doesn’t recognise as one that you have used before to access the website, then you’ll have to enter a code to confirm you are who you say you are.
I’m glad to see Facebook introduce what sounds like an additional layer of protection for users, at least for those users who choose to enable the option. Two-factor authentication doesn’t address the many other Facebook privacy and safety concerns that are troubling users, but it’s no bad thing.
Unfortunately the short mention of the feature on Facebook’s blog leaves some questions unanswered.
1. How can users enable the option? My guess is that users will find the option, once it has been rolled out to their accounts, under Account / Account settings / Account security, but it would have been nice if Facebook had told people. None of the Facebook accounts I have checked so far appear to have received the option, so I cannot confirm.
2. How often will the code change? It would be sensible if the code changed each time someone tries to access your Facebook account from an unknown computer, but Facebook doesn’t say in its blog post.
3. How will users receive the code? Again, Facebook doesn’t say. But my guess is that Facebook will send you the code via an SMS message to your mobile phone. That means, of course, that you have to trust Facebook with your mobile phone number, which privacy-conscious people may be understandably wary of doing.
The one-time password system announced by Facebook last October also relied upon SMS messages – which raised some valid safety concerns.
So, it sounds like it may be a case of swings and roundabouts. A win for security and privacy on one hand is a loss on the other, as you have to trust Facebook with your phone number.
Remember, Facebook has been wanting your mobile phone number for some time and hasn’t been above using scare tactics to get you to hand it over.
I, for one, won’t be handing over my mobile phone number to Facebook in exchange for this two-factor authentication system.
I might, however, have considered signing up for a small hardware token that I could keep on my keychain, and rely upon it to produce a one-time code that can be entered at login alongside my username and password.
You may have seen such devices being offered by online banks and some of the major online games like World of Warcraft.
Of course, such authentication devices cost money and require infrastructure changes at the website’s end, but – hey! – if Facebook introduced something like that they could potentially charge a small amount of money for those users who want to take a stronger line on their privacy and online safety.
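To make concrete what such a keychain token and the site behind it would actually do, here is an added example (not Facebook’s scheme, and not code from the original post). It assumes a token that shares an HMAC secret with the site and produces counter-based one-time codes in the style of RFC 4226 HOTP; the device names, the secret and the look-ahead window of five are constructed for the illustration. It shows the two points raised above: a recognised device skips the code, an unknown device must present one, and every code is single-use, so a code that was captured once is refused the second time.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


class KeychainToken:
    """User side (hypothetical hardware token): holds the shared secret and
    its own moving counter. Every button press yields a fresh code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class AccountSecondFactor:
    """Site side: remembers recognised devices and the next counter value it
    expects. A code from an unknown device must match within a small
    look-ahead window (the token may have been pressed without a login), and
    once accepted it can never be replayed because the counter only moves
    forward."""

    LOOK_AHEAD = 5  # constructed window size

    def __init__(self, secret: bytes):
        self._secret = secret
        self._next_counter = 0
        self._known_devices = set()

    def verify_code(self, candidate: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, c), candidate):
                self._next_counter = c + 1  # burn this code and any skipped ones
                return True
        return False

    def login(self, device_id: str, code: Optional[str] = None) -> str:
        """Called only after the username and password have already been checked."""
        if device_id in self._known_devices:
            return "ok"
        if code is None:
            return "code-required"
        if self.verify_code(code):
            self._known_devices.add(device_id)
            return "ok"
        return "rejected"


def walkthrough() -> list:
    """Constructed scenario: first login from a new PC, then a replay attempt
    from another machine using the code that was already spent."""
    secret = b"constructed-shared-secret-0001"  # provisioned at enrolment (constructed)
    token, site = KeychainToken(secret), AccountSecondFactor(secret)
    results = []
    results.append(site.login("home-pc"))                    # unknown device, no code
    first = token.next_code()
    results.append(site.login("home-pc", first))             # fresh code accepted
    results.append(site.login("home-pc"))                    # device now recognised
    results.append(site.login("library-pc", first))          # spent code refused
    results.append(site.login("library-pc", token.next_code()))  # new code accepted
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The counter-based design answers the “how often will the code change?” question directly: each code is tied to one counter value and is consumed on use, so the site never has to rely on SMS delivery at all. The look-ahead window is the usual trade-off: large enough to tolerate a few idle button presses, small enough that guessing stays impractical.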
If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.
Update: Naked Security follower Neil Adam raises the valid point that you probably wouldn’t want a hardware authentication fob for every website you log into. If we did, we’d probably all have very lumpy trouser pockets.
22 comments on “Facebook’s two-factor authentication announcement raises questions”
Google uses an authentication app to generate a code for their 2-factor authentication.
Yes, Google has an app for Android/Blackberry/iPhone, but can also send an SMS. See http://googleblog.blogspot.com/2011/02/advanced-s…
I do not even have a cell phone.
Seems security for stuff demands we get a cell phone even if not able to afford one and pay to get text messages – then the privacy problems.
Data stealing and Facebook playing with screwing us out of privacy, and cell phone numbers get out to massive spammer lists and we pay for each message just to be a victim of spammers and scammers.
I will never get a cell phone just because others demand to send me text messages – I am not a billionaire and not able to afford to run up charges to get text messages because places demand me let them.
It reminds me of the “Credit Card Necessary” fiasco – that started becoming popular in the late 90’s. It quickly was becoming so prevalent that businesses expected everyone to carry a credit card to use as validation and authentication, despite what your method of payment was or the type of service being used/offered. It wasn’t only restricted to paid-for services. I was once asked for my credit card to “authenticate” my identity, just to join the GAP mailing list; I declined. Debit cards or cash and a driver’s license should be more than enough for rental use, for things like Hotels and autos – but we’ve become such a credit driven society, it becomes a method of measure and control. Every time someone asks for or insists that I need a credit card, just to use their service or “authenticate” my identity – whether or not I am purchasing something – I hesitate, weigh my options, and usually just decline.
I have https enabled plus FB sends me an email when a different machine logs in. I wouldn't be too happy to give FB my mobile number.
Trouble with FB is it is far too big to ignore and as I work in Social Media I have to engage with it but tbh I really don't trust it. Their system is a nightmare to work through and their handling of other people's data is dreadful. All you can do is lock it down tight and don't post anything you don't want shared widely.
Everyone seems to think that the https: option is going to protect them from everything. IT'S NOT. It is only helpful in some very specific instances. It will only keep someone from grabbing your username and password if you are on an insecure network. In other words if you have your desktop connected via Ethernet to your router/modem, https: is unlikely to make a difference. If you are using your laptop in a bookstore or coffee shop, best use it.
https: WILL NOT protect you if you fall for a SPOOFED login page and you willingly give away your password. Two-Factor Authentication WILL.
Yep, this sure wouldn't work for me, as I often use my cousin's computer to sign into my Facebook and each time it asks me if this is a new computer, which I tell it once again that no, it is indeed my cousin's, then I click the do not ask again. I also do not own a cell phone, so no go there. I wish they would make it harder for people to use the current scams. I hope this might in some way help by making it harder to access someone's account, but when people click on the very apps and such that allow these people access, they are pretty much giving them the go ahead as is.
Verisign has an iPhone app that replaces the dongle, minimizing the lumpy trouser issue.
However, after last month's RSA breach, they may no longer be considered as trustworthy as they were once before.
So do you believe token maker RSA is more secure than Phone Factor??? RSA the company whose breach put the PII of 30 million people at risk? Everything cyber or physical can be breached. In America we publish everyone’s name, address and telephone number in a book and drop them along streets across the country. It’s called a telephone book. Even if your telephone number is unpublished you must give it out to businesses all of the time. Only the last man on earth will know true privacy – and loneliness. The world is a social, interactive place like it or not. We must decide to trust someone at some point. Thank goodness we still have the freedom to choose who we will trust.
I just gave Facebook a Google Voice number and was done with it….
I had the same thought about having an authenticator! (and yes I got my idea from Blizzard as well) I did a cruddy little blog myself (not that yours is, yours is incredible) where I talked about people giving out their information. I gave stats on what % of my friends whose mobiles I could see. Long story short,
" These 139 are personal friends who have been listening to me preach for two years to make themselves more secure and how to do it. Let's see if they listened.
Well the results are in. I'm pleased to say that all 16 of my facebook family members gave no info other than e-mail. So that leaves my 123 friends, let's see how they fared. I collected 31 cell phone numbers. Of those 31 only 2 were guys. Leaving 29 women who (let's be honest) are for the most part, young and quite attractive. 5 of these 29 women also listed their home/street address. I don't think I need to stress how bad an idea this is. ( By the way – I also collected 114 new e-mails and 43 instant messenger IDs) "
I know that's a small "case study" but I found it very telling.
Can you also provide some stats on how many have had problems because they didn't follow your advice? And again for those who did have problems how severe were they?
It's good that Sophos are highlighting the various issues which is good to keep companies like FB in check. However I would also like to see some balance so people can work out the actual risk to themselves.
With so many people out there randomly calling foul it is slowly creating a culture of fear. Life is all about risk and managing that risk. Without any information on how risky FB et al is, many are adopting an all or nothing attitude and ignoring the endless and contradictory stream of (often shrill) "best practices" coming from various commentators.
Wow, I made a rather lot of typos. Oh well, you can understand it. http://facebook-and-computer-security-fixes.blogs… is my blog post that I had done and contains that information and more. But yes, 94% of the cell #s that I was able to view were women under 30, and 100% of the home addresses.
I wouldn't call, what Facebook is implementing, a true two-factor authentication.
I began using the new FB https setting back in February. I only use FB from my home desktop over DSL connection. I am also someone who clears the cache frequently for various reasons. This meant that I had to sign on to the new https just as frequently, too – giving my computer a “name” as requested at the secure sign on, which was then emailed to me as being “signed on.”
A little annoying but WTH, I was living with it for the ostensible “security” it was supposed to provide.
Imagine my surprise a few days ago when at the FB secure sign on FB blocked me from signing on. The message was that I had had “too many” sign ons from my computer (the one and only one I use for FB.) Um. What?
I tried again. Indeed I tried several times not realizing how I was going to get inside. Anybody home??? Let me the F in! Finally, I realized if I didn’t click “keep me logged in” and removed the “s” from https, it worked. I was allowed “in” to my own account. It probably was the “keep me logged in” unchecked that did it, but once in I went to security settings to uncheck the https setting. In the process, I also removed the log of all the sign-ins.
FB has neglected to tell us that what I suppose we must do, for someone like me, and that is to keep the secure log-in logs cleared. I can only guess because I don’t recall FB telling us anything as to how we might get locked out of our account for signing in as “secure” from a single computer TOO MANY TIMES.
I don’t plan on using https again.
Stories like this make me glad I've never joined Facebook. If they keep growing and manage to make membership compulsory, I'm going to find a nice quiet cave and become a hermit!
Problem as I see it… Some FB users do not have a cell phone.
What facebook needs to do is use a system like SyferLock’s GridAdvanced system. They have a cool system that allows users to use one time passwords to log into any portal, without the need for dongles or phones – all you have to know is your password and then based on a grid displayed, you enter a numeric code. It is just what facebook needs !!!! We use this system at work and I think it will be a perfect fit !!!
I have to go through this bs with one of my credit cards. You see, I delete the cache, cookies, and history after every internet session. Without the cookies from the last session, they claim it's a new computer, and I have to get a code through my phone or email just to log on again. Sometimes it never arrives and I have to repeat the process. Since I am not going to stop clearing my cache for security purposes, and since I will not give my phone number to facebook, if it comes down to it, I will simply stop using facebook.
I currently own one dongle for work, one calculator thingie for my bank and have a bunch of two factor passwords for other accounts. The passwords are in an encrypted file on a USB stick. I often use these accounts when I travel, or from work and from home.
So currently I have to carry around a USB stick, a bank calculator and a dongle if I need access to everything. It's too much and I only carry what I really need and try to think ahead to avoid carrying anything at all.
The trouble is I can see that in the future I'll have more calculators and dongles. This is not a good thing.
I would like to see Sophos and others start calling for a unified authentication system. Something open, well thought out and publicly debated. Something like a dongle. One single dongle one person. When you sign up to something you register your dongle.
Having only one dongle has some obvious problems with the risk of the supplier being cracked, however the unified system should be open to allow multiple suppliers. This would mean that when there was an inevitable breach the damage would be limited. The unified system would also have breach (or loss) handling built into it to further mitigate any problems.
I use this SMS feature and it worked at the weekend when I logged in from a college PC. But the problem then was I never received the SMS so I couldn't authorize it. I find the security getting a little better these days but there is quite a bit of setting up on lists/groups etc.
I like Yubikey for its affordability and ease of use. One key fits all!!