Facebook announced on Jan. 26 that it is supporting Security Key technology, based on the FIDO Alliance Universal 2nd Factor (U2F) standard, in an effort to improve security and reduce the risk of user account takeovers.
With an increasing volume of data breaches that have leaked user passwords, the need for strong authentication methods, beyond just a simple username and password, has become increasingly apparent. Facebook has had a optional feature called Login Approvals since May 2011, providing users with a one-time code via an application or SMS message, that is required in order to log into an account.
The new U2F support goes a step further, providing the option for Facebook users to use a USB security key that is plugged into a device, in order to gain secure access. The U2F standard was first announced by the FIDO (Fast Identity Online) Alliance in December 2014 as a method to help improve strong authentication. With a U2F security key, a user does not need to wait for an SMS message or a code from an application, either of which could potentially be intercepted by an attacker.
With the new U2F Security Key support, Facebook will now join multiple other large organizations that have adopted the technology.
“It’s very similar to all the internet services that have support for FIDO U2F, including Google, Dropbox, Salesforce, GitHub, and gov.UK,” Stina Ehrensvard, CEO and Founder, Yubico, told eWEEK.
Yubico is one of the main contributors to the U2F standard and sells security keys that can be used by Facebook users. While Facebook is now embracing U2F, the company is not a member of the FIDO Alliance.
“Facebook is not a member of the FIDO Alliance, but I participated there previous to joining Facebook,” Brad Hill, Security Engineer at Facebook, told eWEEK. “We didn’t specifically work with Yubico to enable this from a product perspective, but they provided valuable feedback on our implementation and have supported our announcement.”
Hill added that while Facebook is now supporting U2F, the social networking site will continue to support Login Approvals, with codes delivered over SMS or from a code generator app. Additionally, he noted that Facebook’s mobile apps have a built-in code generator feature. Alternatively, individuals can use any third-party app supporting the Time-Based One-Time Password (TOTP) standard, such as Duo or Google Authenticator.
While Facebook has supported multi-factor authentication since 2011, it’s unclear how many users take advantage of the capability.
“We don’t have numbers to share about adoption, but we hope that providing additional options like Security Key will help make two-factor features more convenient for people,” Hill said.
When the popular GitHub online code development site decided to support U2F in 2015, it helped to advance adoption by giving away Yubico Security Keys at its developer conference. Facebook also is taking steps to help get Security Keys into its users’ hands.
“We’re starting by letting people know where they can get these keys,” Hill said. “At the upcoming Enigma Conference in Oakland next week, we plan to give out some keys as well.”
Google is among the earliest large adopters of U2F and in December 2016, the company released a two-year research study about Security Key usage. The study concluded that Security Keys contribute to improved security as well as lower costs.
Facebook has its own expectations for U2F adoption and how it will help to improve security.
“There is no one-size-fits-all solution for the nearly 1.8 billion people who connect through Facebook, and all the diverse ways they use our platform,” Hill said. “It is important to provide a variety of options so that everyone can access the tools that are right for them to feel confident and in control of their account security.”
“We hope that people will find Security Keys a convenient way to make their online lives more secure, not just on Facebook, but also at other services like Google and Dropbox,” he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.