Facebook is upgrading its login defenses by rolling out support for hardware security keys.
The move means that Facebook addicts can make their logins far more resistant to phishing and account hijackings – and makes the site more secure than banks' online services that provide just single-factor authentication.
Users can log into Facebook by tapping on a USB key connected to their computer after entering their password. That key is paired with the netizen's Facebook account and emits a special string to the social network, via the browser, that authorizes the login.
So if a crook learns your password, that information is no good without your physical two-factor authentication key. Facebook offers two-factor authentication via text messages, but this isn't as reliable or secure as a separate hardware token.
The same technology can be used to securely log into other services that support physical security keys for authentication, including Google, Dropbox, GitHub, Salesforce and others.
Press to confirm: hardware security keys for Facebook
Facebook’s blog post on adding security keys to accounts can be found here.
Facebook’s security team has previously estimated that 0.06 per cent of Facebook’s one billion-plus logins per day are compromised. It’s a small percentage, but it adds up to 600,000 dodgy logins per day.
Brad Hill, security engineer at Facebook, said: “We’re excited to offer people the additional option of using a security key to make logging into Facebook even more secure.”
The need for two-factor authentication is increasing in part because security breaches are becoming more common. Recent attacks have shown that mobile push apps and SMS-based authentication do not offer enough protection against the latest sophisticated phishing and man-in-the-middle attacks.
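The challenge-response described earlier (the key signs a server challenge that the browser has bound to the site it is actually showing) is what makes these keys resistant to the phishing and replay attacks mentioned here. The following is an added, self-contained model of that exchange, not Facebook's or the FIDO Alliance's code: the origins, user name and the `SecurityKey` / `RelyingParty` classes are constructed for the demonstration, and HMAC stands in for the ECDSA signature a real U2F/FIDO key produces, which is a labelled simplification that preserves the origin-binding and single-use-challenge properties being illustrated.

```python
import hashlib
import hmac
import json
import secrets

# Constructed, hypothetical origins used only for this demonstration.
REAL_ORIGIN = "https://www.facebook.com"
PHISH_ORIGIN = "https://faceb00k-login.example"


class SecurityKey:
    """Model of a hardware key. The seed never leaves the device; the per-site
    key is derived from the seed, a random handle and the origin the browser
    reports, so a registration for one site cannot answer for another."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _site_key(self, handle, origin):
        return hmac.new(self._seed, handle + origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # A real key hands back an ECDSA public key; this model hands back a
        # symmetric verification key instead (simplification, see lead-in).
        handle = secrets.token_bytes(16)
        return handle, self._site_key(handle, origin)

    def sign(self, handle, origin, client_data):
        # The user taps the button; the device signs exactly what the browser
        # supplied, including the origin the browser saw.
        return hmac.new(self._site_key(handle, origin), client_data, hashlib.sha256).digest()


class RelyingParty:
    """Server side: stores one verification key per user and checks challenge
    freshness and origin on every login attempt."""

    def __init__(self, origin):
        self.origin = origin
        self._users = {}    # user -> (handle, verification key)
        self._pending = {}  # user -> challenge that has not been consumed yet

    def enrol(self, user, key):
        self._users[user] = key.register(self.origin)

    def begin_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self._pending[user] = challenge
        handle, _ = self._users[user]
        return challenge, handle

    def finish_login(self, user, client_data, signature):
        _, verify_key = self._users[user]
        data = json.loads(client_data)
        expected = self._pending.pop(user, None)  # every challenge is single use
        if expected is None or data.get("challenge") != expected:
            return False  # replayed, stale or unknown challenge
        if data.get("origin") != self.origin:
            return False  # the browser was on some other site when it signed
        good = hmac.new(verify_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(good, signature)


def browser_sign(key, handle, challenge, origin_in_address_bar):
    """What the browser does: bind the challenge to the origin it is really
    displaying, then ask the key to sign that client data."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_in_address_bar}, sort_keys=True
    ).encode()
    return client_data, key.sign(handle, origin_in_address_bar, client_data)


def demo():
    """Runs a phished login, a legitimate login and a replay; returns outcomes."""
    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN)
    rp.enrol("alice", key)
    results = {}

    # Phishing: the attacker fetches a real challenge and relays it to the
    # victim, whose browser is showing the look-alike site.
    challenge, handle = rp.begin_login("alice")
    client_data, sig = browser_sign(key, handle, challenge, PHISH_ORIGIN)
    results["phished"] = rp.finish_login("alice", client_data, sig)

    # Legitimate login from the real site.
    challenge, handle = rp.begin_login("alice")
    client_data, sig = browser_sign(key, handle, challenge, REAL_ORIGIN)
    results["legitimate"] = rp.finish_login("alice", client_data, sig)

    # Replay: resubmitting the captured, previously valid response.
    results["replayed"] = rp.finish_login("alice", client_data, sig)
    return results


if __name__ == "__main__":
    print(demo())  # expected: phished False, legitimate True, replayed False
```

The two defences are independent: even if the origin check in `finish_login` were missing, the key derived for `PHISH_ORIGIN` would not match the one registered for `REAL_ORIGIN`, so the signature itself would fail; and because each challenge is popped on first use, a captured response is worthless afterwards. Those are the properties a shared secret such as a password or SMS code cannot provide.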
Brett McDowell, executive director of the Fast IDentity Online (FIDO) Alliance, added: “By adding FIDO authentication to its security portfolio, Facebook gives their users the option to enable unphishable strong authentication that is no longer vulnerable to social engineering and replay attacks using stolen shared ‘secrets’ like passwords and one-time-passcodes.” ®