Facebook introduces Two Factor Authentication

18 points by songexe, about 14 years ago

10 comments

tuebor, about 14 years ago
Google, Paypal, World of Warcraft, Mailchimp, etc. have all implemented user-facing two-factor auth also. It's the easiest way for them to protect against endpoint insecurity when attackers are going after user credentials en masse.

For any other site looking to implement this, check out our open-source web SDKs and service at Duo Security:

http://www.duosecurity.com https://github.com/duosecurity

At the very least, we highly recommend folks use it to protect their own cloud/datacenter infrastructure, and have made it free to do so (assuming you have 10 or less admins):

http://blog.duosecurity.com/2011/04/ssh-keys-that-call-you-back/

We support callback, SMS, mobile apps for 7 platforms, as well as traditional hardware tokens for online and offline use...
2FA, about 14 years ago
It’s great that Facebook is strengthening security by using two-factor authentication. People share so much personal information on Facebook that relying on a single layer of password protection is simply not enough. However, sending a code by SMS text message is not very secure because they are sent in clear text. If the user were to lose their phone or have it stolen, anybody could read that text message and fraudulently authenticate.

More websites need to use two-factor authentication like Facebook is doing, but a more secure and easier-to-use approach is to send an image-based authentication challenge to the user’s phone, like Confident Technologies provides: http://bit.ly/dMNzB5. A grid of pictures is displayed on the user’s smartphone and to authenticate, the user must correctly identify the pictures that fit their pre-chosen, secret categories. Even if someone else had possession of your phone, they wouldn’t be able to authenticate because they wouldn’t know your secret picture categories.
adatta02, about 14 years ago
Interesting point "If you ever lose or forget your phone and have login approvals turned on, you will still have the option to authorize your login provided you are accessing your account from a saved device."

In contrast to Google's solution which provides you with a set of fallback codes.
bimbly, about 14 years ago
Facebook has been aching for my phone number and other details. Do you think this is security driven or put out as an entryway into greater interaction with your phone? I should note that I am old school and don't use a smartphone so that is part of my approach to thinking about this.
smackfu, about 14 years ago
I tried to turn this on and never got the SMS confirmation they send, so I couldn't turn it on. That is kind of my worry with this kind of thing... if it doesn't work when you need to login, you are screwed. Why not just have the Facebook app generate the code?
eberfreitas, about 14 years ago
The guys from MailChimp just created a webapp to enable 2-Factor Authentication for anyone. It's called AlterEgo https://alteregoapp.com/
mmalik, about 14 years ago
Would be curious to hear how their in-house TFA compares to some of the big enterprise vendors in the market
reso, about 14 years ago
Interns keep kicking ass at Facebook.
hammock, about 14 years ago
This seems to me like just another backdoor way of being able to build a more robust database of personal information on you. With your mobile number and the numbers of all your friends, in coordination with the cell carriers (or NSA, whichever you prefer) they can tie together data about who you call & how often with your friend activity on Facebook. Google has been doing it too, asking for a "mobile number backup" when you log into Gmail.

Just the next erosion of our privacy, disguised as a protection of our privacy.
sorbus, about 14 years ago
Given the timing on this, I can't see it as anything but an attempt to distract from the fiasco currently going on with Facebook hiring a PR firm to smear Google.

That said, this is a pretty cool feature, and seems to play into Facebook's ongoing attempt to become the standard for identity on the internet - added security is a really good thing when your entire identity is tied to a single service.