Two-Factor Authentication seems to be the next big security feature to protect accounts from unauthorized access. Google recently enabled the feature for Google Accounts and now it is Facebook's turn to introduce a similar feature for all Facebook users.
Two-Factor Authentication is being rolled out at the moment, which means that the new feature is not available for all accounts yet. (Update: it is available now for all users.)
What we know at this point is that it is turned off by default, which means that users need to turn it on before it becomes available. This is similar to the "always use HTTPS" feature that was introduced earlier this year by Facebook.
Update: To enable Login Approvals on Facebook, do the following:
- Open Facebook and log in to your account.
- Click on the small down arrow icon in the top right corner and select Settings from the context menu that opens up.
- Switch to Security and click on Login Approvals there.
Check the box to start the configuration process. Since it uses a mobile phone, you need to add your mobile phone number to the site first if you have not done so already.
Facebook sends you a code that you need to enter on the site afterwards to complete the process.
Once set up, you can grab ten codes for use in situations where your phone is not available or cannot receive messages.
If you have installed the Facebook app, you can also run Code Generator in it, which generates codes that you can use without receiving messages. Update End
It is likely that Two-Factor Authentication will become available under Account Security in the Facebook Settings, just like Secure Browsing (https) did earlier this year.
The blog post over at the official Facebook blog is vague about the new feature.
"If you turn this new feature on, we'll ask you to enter a code anytime you try to log into Facebook from a new device."
This is a core difference from Google's 2-Factor Authentication, which stays active once it has been enabled for an account. Facebook's Two-Factor Authentication, on the other hand, will only ask for the second code if a user tries to log in from a new device or computer, which makes the protection a lot weaker.
Sites like The Next Web are reporting that the feature is similar to Google's Two-step verification, which it clearly is not, except for the fact that both systems ask the user to enter two codes to log in.
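The difference between prompting only on new devices and prompting on every login can be modeled in a few lines. This is an added sketch, not Facebook's or Google's code; the signed device token, the policy names and the demo key are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed demo key (assumption); a real service keeps this server-side.
SERVER_KEY = b"constructed-demo-key"


def issue_device_token(user: str, device_id: str) -> str:
    """Token left on a device after it has passed a second-factor check."""
    mac = hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256)
    return f"{device_id}.{mac.hexdigest()}"


def device_is_recognized(user: str, token: str | None) -> bool:
    """True only if the token was issued by this server for this user."""
    if not token or "." not in token:
        return False
    device_id = token.rsplit(".", 1)[0]
    # Recompute the expected token and compare in constant time.
    return hmac.compare_digest(token, issue_device_token(user, device_id))


def needs_second_factor(policy: str, user: str, token: str | None) -> bool:
    """Must a login with a correct password also supply a code?

    "new_device_only": prompt only when the device is not recognized.
    "every_login":     prompt on each login, whatever the device.
    """
    if policy == "every_login":
        return True
    if policy == "new_device_only":
        return not device_is_recognized(user, token)
    raise ValueError(f"unknown policy: {policy}")


def compare_policies(user: str, token: str | None) -> dict[str, bool]:
    """Evaluate both policies for the same login attempt."""
    return {p: needs_second_factor(p, user, token)
            for p in ("new_device_only", "every_login")}


if __name__ == "__main__":
    known = issue_device_token("alice", "laptop-1")  # constructed sample
    print("recognized device:   ", compare_policies("alice", known))
    print("new device:          ", compare_policies("alice", None))
    print("token of another user:", compare_policies("bob", known))
```

The two policies only diverge on a recognized device, where the password alone is enough under `new_device_only`; that is the case the comparison above is about.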
The blog post mentions additional improvements, including a switch back to HTTPS if you use an application that connects via plain HTTP.
The remaining improvements concern family and online safety, more than they do security. A new social reporting tool has been revealed "that allows people to notify a member of their community, in addition to Facebook, when they see something they don't like".
Two-Factor Authentication is a step in the right direction, but Facebook users should have options to enable it for all logins on the social networking site, not only for logins from new devices or computers. (via Caschy)