Two-Factor Authentication seems to be the next big thing to protect accounts from unauthorized access. Google recently enabled the feature for Google Accounts and now it is Facebook’s turn to introduce a similar feature for all Facebook users.
Two-Factor Authentication is being rolled out at the moment which means that the new feature is not available for all accounts yet.
What we know at this point is that it is turned off by default which means that users need to turn it on before it becomes available. This is similar to the always use HTTPS feature that was introduced earlier this year by Facebook.
It is likely that Two-Factor Authentication will become available under Account Security in the Facebook Settings, just like Secure Browsing (https) did earlier this year.
The blog post over at the official Facebook blog is vague about the new feature.
If you turn this new feature on, we’ll ask you to enter a code anytime you try to log into Facebook from a new device
This is a core difference to Google’s 2-Factor Authentication which stays active once it has been enabled for an account. Facebook’s Two-Factor Authentication on the other hand will only ask for the second code if a user tries to log in from a new device or computer which makes the protection a lot weaker.
Sites like The Next Web are reporting that the feature is similar to Google’s Two-step verification which it clearly is not, except for the fact that both systems ask the user to enter two codes to log in.
The blog post mentions additional improvements, including a switch back to HTTPS if you use an application that connects via plain http.
The remaining improvements concern family and online safety, more than they do security. A new social reporting tool has been revealed “that allows people to notify a member of their community, in addition to Facebook, when they see something they don’t like”.
Two-Factor Authentication is a step in the right direction, but Facebook users should have options to enable it for all logins on the social networking site, not only for log ins from new devices or computers, (via Caschy)
Related Articles:
Facebook Login Approvals, Optional Two-Factor AuthenticationLast Pass Sesame, 2-Factor Authentication For Last Pass Premium Users
Facebook Improves Security With Secure Browsing, Social Authentication
Facebook Adds Remote Logout Feature
Facebook Adds Download Your Information Feature
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook, Twitter or Google+ using the icons below.
Google also provides an option to not require 2 factor authentication for the next 30 days in that browser, which I assume is done with a cookie. I regularly clear my cookies on exit. The result is that even if I check the “don’t ask for 30 days” box, I am still prompted after restarting my browser.
I suspect Facebook will be tracking your new devices using cookies, and those of us who clear cookies WILL be prompted every time.
Dave
David, they may also be tracking by IP, or a combination of factors.
Hi Martin,
It’s definitely possible. We’ll have to wait and see what they do. I thought tracking by IP would be “interesting” choice considering that many businesses and homes use various combinations of NAT and DHCP which would render it close to useless.
Dave
why not just use one strong password? i dont quite understand it…
Because most people do not. But since this is disabled by default, it will be no use to those Facebook users.
I liked it when Facebook introduced their SSL option, and I like this even more. The question is: how many will enable it? At Symantec, we commend Facebook for broadening security options, but now it is time for web users to take security seriously. With the inherent insecurity of our internet connections, people need to stay educated and take the necessary steps to protect their personal information online.
You were saying that you only have to enter the verification-code for new devices, so that makes the protection weaker when compared to Google’s solution.
Yet, you can remove a trusted device from the list, so then you will be confronted again with the verification-code process. I know, the Google’s version automatically untrusts a system after 30-days, so if FB implements that, same protection level if you ask me :-)
I agree, it would be more secure this way.