Facebook ups security with Fido U2F two-factor authentication

Facebook is upgrading the login security for its 1.79 billion users by integrating the “un-phishable” protection Fido U2F security keys into its social platform.

The universal second factor (U2F) standard published by the Fast IDentity Online (Fido) Alliance enables second-factor Fido authentication security to be added to password-based systems through an authenticator such as a Fido-compliant USB key.

According to Facebook, this form of two-factor authentication means all users of the social networking platform can make their account logins practically immune to phishing and takeover. 

To log in using the feature, users will simply tap a Fido U2F USB key and enter a password. The U2F USB keys are available from Amazon or Yubico.

The same U2F USB key can be used for the two-factor authentication enabled for Google, GitHub, Dropbox, Salesforce, Dashlane and other online services.

Facebook’s security team has previously estimated that 0.06% of Facebook’s 1 billion-plus logins – 600,000 – are compromised each day.

By using a U2F security key, logins are practically immune to phishing because the hardware provides cryptographic proof that the account is being accessed by the account holder’s computer.

Security experts have long campaigned for better security around account logins, which is provided by two-factor authentication methods.

However, recent security threats have shown that mobile push apps and SMS-based authentication do not offer enough protection against the latest sophisticated phishing and man-in-the middle attacks.

Facebook users with a U2F USB key can register the key and associate it with their account through the Facebook security settings.

Once a security key is registered and authenticated with a Facebook account, users will not need to use the key again to log in to Facebook on a device until they clear the browser’s cache.

Facebook considers the device “trusted” for convenience, which means that if a hacker attempts to log in to your account from another device, they will be blocked unless they also happen to have the password and the physical key.  

All mobile users will benefit from the extra security provided by security key and two-factor authentication. If users have an Android phone that supports NFC, they can use a YubiKey NEO key to authenticate to Facebook’s mobile site.

“We are excited to offer security keys as an additional option to make login to Facebook even more secure,” said Facebook security engineer Brad Hill.  “We are grateful to Yubico for the support and feedback they have provided.”

Yubico and Google co-created U2F with the vision to deliver easy-to-use, strong public key cryptography for internet scale. Yubico developed the first Fido U2F authenticator, published free and open source code for clients and servers, and continues to drive this work within open standards organisations, including the Fido Alliance and the World Wide Web Consortium (W3C).

According to Facebook, a study on internal and external security key usage by Google validates the fact that U2F is one of the most secure, easy to use and cost-efficient authentication technologies.

The fact that users can have multiple affordable backup keys helps to limit the number of support calls compared with phone-based authenticators.

In a time when security breaches have become a serious threat to trust in the internet, Facebook said Fido U2F offers a secure link between users and the services they connect to.