Facebook Adds (Optional) Two-Factor Authentication
Two-Factor Authentication seems to be the next big security feature to protect accounts from unauthorized access. Google recently enabled the feature for Google Accounts and now it is Facebook's turn to introduce a similar feature for all Facebook users.
Two-Factor Authentication is being rolled out at the moment which means that the new feature is not available for all accounts yet. (Update: it is available now for all users)
What we know at this point is that it is turned off by default, which means that users need to turn it on before it protects their account. This is similar to the always-use-HTTPS feature that Facebook introduced earlier this year.
Update: To enable Login Approvals on Facebook, do the following:
- Open Facebook and log in to your account.
- Click on the small down arrow icon in the top right corner and select settings from the context menu that opens up.
- Switch to Security and click on Login Approvals there.
Check the box to start the configuration process. Since it uses a mobile phone, you need to add your mobile phone number to the site first if you have not done so already.
Facebook sends you a code that you need to enter on the site afterwards to complete the process.
Once set up, you can grab ten codes for use in situations where your phone is not available or cannot receive messages.
If you have installed the Facebook app, you can run Code Generator in it, which also generates codes that you can use without receiving messages. Update End
It is likely that Two-Factor Authentication will become available under Account Security in the Facebook Settings, just like Secure Browsing (https) did earlier this year.
The blog post over at the official Facebook blog is vague about the new feature.
"If you turn this new feature on, we'll ask you to enter a code anytime you try to log into Facebook from a new device."
This is a core difference from Google's 2-Factor Authentication, which stays active once it has been enabled for an account. Facebook's Two-Factor Authentication, on the other hand, will only ask for the second code if a user tries to log in from a new device or computer, which makes the protection a lot weaker.
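As an added example (not code from the post or from Facebook), this is how a site can implement the new-device distinction described above: after a correct password, a signed cookie marks the browser as recognised, and the code is only requested when that cookie is missing, forged, issued for another account, or expired. The cookie mechanism, the token layout and the 30-day comparison with Google are assumptions; the post does not say how Facebook recognises a device.

```python
import hashlib
import hmac
import secrets

# Constructed per-process signing key; a real deployment would use a managed secret.
SERVER_KEY = secrets.token_bytes(32)
DAY = 86400

def issue_device_token(user_id, now, ttl=None):
    """Return a signed 'trusted device' cookie value: user|issued|expires|mac.
    ttl=None models trust that never lapses (what the post describes for
    Facebook); ttl=30 * DAY models the 30-day window Google uses."""
    expires = 0 if ttl is None else now + ttl
    payload = f"{user_id}|{now}|{expires}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def device_is_trusted(user_id, token, now):
    """Trust the device only if the MAC verifies, the cookie belongs to this
    user and it has not expired. A missing or cleared cookie is untrusted."""
    if not token:
        return False
    parts = token.split("|")
    if len(parts) != 4:
        return False
    uid, issued, expires, mac = parts
    expected = hmac.new(SERVER_KEY, f"{uid}|{issued}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # forged or tampered cookie
        return False
    if uid != user_id:  # cookie was issued for a different account
        return False
    return expires == "0" or now < int(expires)

def second_factor_required(user_id, token, now):
    """Login-approval decision once the password is correct: ask for the
    code only when the device is not (or no longer) recognised."""
    return not device_is_trusted(user_id, token, now)

def simulate(ttl):
    """Prompts seen at: first login, same cookie a day later, same cookie
    45 days later, and after the user has cleared cookies."""
    t0 = 1_700_000_000
    first = second_factor_required("alice", None, t0)
    cookie = issue_device_token("alice", t0, ttl)
    next_day = second_factor_required("alice", cookie, t0 + DAY)
    later = second_factor_required("alice", cookie, t0 + 45 * DAY)
    cleared = second_factor_required("alice", None, t0 + 45 * DAY)
    return [first, next_day, later, cleared]
```

With indefinite trust the second prompt never returns unless the cookie is cleared; with a 30-day TTL the same cookie stops working after the window.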
Sites like The Next Web are reporting that the feature is similar to Google's Two-step verification which it clearly is not, except for the fact that both systems ask the user to enter two codes to log in.
The blog post mentions additional improvements, including a switch back to HTTPS if you use an application that connects via plain http.
The remaining improvements concern family and online safety, more than they do security. A new social reporting tool has been revealed "that allows people to notify a member of their community, in addition to Facebook, when they see something they don't like".
Two-Factor Authentication is a step in the right direction, but Facebook users should have the option to enable it for all logins on the social networking site, not only for logins from new devices or computers. (via Caschy)
Google also provides an option to not require 2 factor authentication for the next 30 days in that browser, which I assume is done with a cookie. I regularly clear my cookies on exit. The result is that even if I check the “don’t ask for 30 days” box, I am still prompted after restarting my browser.
I suspect Facebook will be tracking your new devices using cookies, and those of us who clear cookies WILL be prompted every time.
David, they may also be tracking by IP, or a combination of factors.
It’s definitely possible. We’ll have to wait and see what they do. I thought tracking by IP would be an “interesting” choice considering that many businesses and homes use various combinations of NAT and DHCP, which would render it close to useless.
Why not just use one strong password? I don't quite understand it…
Because most people do not. But since this is disabled by default, it will be no use to those Facebook users.
I liked it when Facebook introduced their SSL option, and I like this even more. The question is: how many will enable it? At Symantec, we commend Facebook for broadening security options, but now it is time for web users to take security seriously. With the inherent insecurity of our internet connections, people need to stay educated and take the necessary steps to protect their personal information online.
You were saying that you only have to enter the verification-code for new devices, so that makes the protection weaker when compared to Google’s solution.
Yet, you can remove a trusted device from the list, so then you will be confronted again with the verification-code process. I know, Google’s version automatically untrusts a system after 30 days, so if FB implements that, same protection level if you ask me :-)
I agree, it would be more secure this way.