Now there’s a better way to prevent Facebook account takeovers

The Facebook signature wall in question is much bigger than this one, by the way. (credit: Matteo Artizzu)

Facebook is enhancing its existing protection against account takeovers with cryptographically based security keys that can be used as a second factor of authentication, the social network is announcing today.

A handful of online services—including Google, Dropbox, GitHub, and Salesforce—already support security keys based on the open Universal 2nd Factor, or U2F, standard created by the FIDO Alliance. The inexpensive devices, which plug into a user’s USB port, were recently shown to beat out smartphones and most other forms of two-factor verification in a two-year study of more than 50,000 Google employees. That assessment was based on how easy the keys were to use and deploy, the protection they provided against phishing and other types of account-takeover attacks, and the absence of the privacy trade-offs that accompany some other forms of two-factor authentication.

Just as attackers can use phishing techniques to trick people into divulging their passwords, they can also trick people into divulging the one-time passwords that form the basis of most two-factor authentication schemes. Security keys, by contrast, rely on a cryptographic secret baked into their silicon, and that secret can’t be easily extracted or divulged. Security keys also don’t suffer from the dead zones that often prevent cellphones from receiving text messages, and they aren’t susceptible to the kinds of malware compromises that can hit smartphones.
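To make concrete why a relayed one-time code works for a phisher but a relayed security-key response does not, here is an added simulation (not code from the article, Facebook, or the FIDO Alliance). It models the part of U2F that defeats phishing: the browser, not the web page, tells the key which origin is asking, and the key signs over that origin together with the server’s challenge. A look-alike site that relays a real challenge gets back a signature bound to its own origin, which the real server rejects. Everything below is an assumption for illustration: the two origins are constructed, a shared HMAC-SHA256 secret stands in for the per-site ECDSA key pair a real token would use, and the counter check mirrors the signature counter real tokens include.

```python
import hashlib
import hmac
import secrets

# Constructed origins for the simulation (not real sites).
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"


class SecurityKey:
    """Simulated U2F token. The secret is generated inside the device and is
    never returned to callers; only signatures over (origin, challenge) leave it.
    Real tokens use per-site ECDSA key pairs; HMAC-SHA256 over a shared secret
    stands in here so the example runs with the standard library only."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.counter = 0  # monotonic use counter, as in real U2F assertions

    def enroll(self, relying_party):
        # Simulated registration: give the verifier what it needs to check
        # later signatures (a real token would hand over a public key).
        relying_party.enrolled_secret = self._secret

    def sign(self, origin, challenge):
        self.counter += 1
        signed_data = (hashlib.sha256(origin.encode()).digest()
                       + challenge + self.counter.to_bytes(4, "big"))
        sig = hmac.new(self._secret, signed_data, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge,
                "counter": self.counter, "sig": sig}


class RelyingParty:
    """Server side: issues fresh challenges and accepts a signature only if it
    is bound to this server's own origin, answers a challenge this server
    issued, and carries a counter higher than any seen before."""

    def __init__(self, origin):
        self.origin = origin
        self.enrolled_secret = None
        self.pending = set()
        self.last_counter = 0

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion["origin"] != self.origin:
            return False  # signed for a different site: relayed by a look-alike
        if assertion["challenge"] not in self.pending:
            return False  # not a challenge we issued, or already consumed
        if assertion["counter"] <= self.last_counter:
            return False  # replayed response or cloned token
        signed_data = (hashlib.sha256(assertion["origin"].encode()).digest()
                       + assertion["challenge"]
                       + assertion["counter"].to_bytes(4, "big"))
        expected = hmac.new(self.enrolled_secret, signed_data,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.pending.discard(assertion["challenge"])
        self.last_counter = assertion["counter"]
        return True


def browser_sign(key, page_origin, challenge):
    """The browser, not the page, tells the token which origin is asking.
    That binding is what makes the response useless to a look-alike site."""
    return key.sign(page_origin, challenge)


def run_scenarios():
    """Returns (legitimate_login_ok, relayed_login_ok)."""
    key = SecurityKey()
    server = RelyingParty(REAL_ORIGIN)
    key.enroll(server)

    # 1. User is really on the site: the browser reports the real origin.
    challenge = server.new_challenge()
    legit_ok = server.verify(browser_sign(key, REAL_ORIGIN, challenge))

    # 2. A look-alike site relays a genuine challenge to the victim. The
    #    victim's browser signs it, but tagged with the look-alike origin,
    #    so the real server rejects it (where a relayed OTP would be accepted).
    challenge = server.new_challenge()
    relayed_ok = server.verify(browser_sign(key, PHISH_ORIGIN, challenge))

    return legit_ok, relayed_ok


if __name__ == "__main__":
    print(run_scenarios())  # (True, False)
```

The origin check comes first in `verify` because it is the one that distinguishes a security key from an OTP: a correct password and a correctly relayed challenge still fail when the signature names the wrong site. The counter and pending-challenge checks handle the remaining replay cases.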
