Facebook steps up security by allowing physical keys for log-in

Facebook has stepped up security for users with its announcement that in addition to its in-app support for two-factor authentication (2FA), it is now supporting 2FA with physical security keys.

This is great news for anyone who prefers not to use a smartphone app or rely on an SMS message for 2FA: all you need now is an internet connection and a compatible security token.

A quick refresher: you use 2FA to log in to a service, program, or website by authenticating you are who you say you are with two of the three factors below:

  • Something you know (eg a password)
  • Something you have (eg a key code)
  • Something you are (eg a fingerprint or iris scan)

We’ve covered why we think 2FA is a great idea and why you should enable it on services that offer it to you (and the list of services using 2FA grows by the day). If, upon logging in to a website or corporate computer, you’ve ever been asked to enter a numerical code sent to you by SMS or displayed on a key fob that you’ve been given, that’s 2FA at work.

The physical security keys that Facebook now supports for 2FA plug into a computer’s USB port – so, yes, you do at the very least need USB capabilities. There’s no specific brand or key that a Facebook user needs to buy: so long as it supports the Universal 2nd Factor (U2F) standard, the key should work with Facebook’s 2FA protocols.

A popular option for U2F is Yubico’s YubiKey, which also allows 2FA logons for other apps like Dropbox and LastPass, so if you’re considering purchasing a token for Facebook, it isn’t a single-use purchase. (This is a bonus that Facebook itself touts in its official blog post on this announcement.)

When you enable the physical security key on your Facebook account, you’ll be prompted to simply touch a button on the USB key to acknowledge that the key is in your possession and you’re authorizing the login.

The catch is that you must be logging on to Facebook using a browser, and at this time only Chrome and Opera are supported (Firefox and Safari fans take note). The key also doesn’t work with the Facebook mobile app just yet.

We always recommend that you use a unique password and enable 2FA to keep your Facebook account safe from anyone who might try to break into it, or ensnare you in a phishing attack.

You don’t need to be a high-profile user or celebrity to be wary of this happening to you: with so many services and apps using Facebook as their login provider, you could in effect be handing over the keys to the kingdom to a lot of services you use (and have financial information tied to) if your Facebook account is not properly secured.

Enabling 2FA on your account also gives you an additional signal that the service you’re logging into is indeed the real deal: if, by chance, someone tries to fool you into giving away your credentials with a convincing phishing attack, the lack of a 2FA prompt will immediately signal that something is amiss. And unless an attacker has access to your physical token (something you have), they still can’t access your account even if they know or figure out your password.