A post Snowden era has put the spotlight on how vulnerable online services can be. Many companies including Google and the New York Times have already adopted encryption when you view their websites (Fanvive does not use HTTPS, but we are working on it). While HTTPS secures what pages you view and the data you transfer, it offers very little protection from phishing or other unauthorized access on your accounts. Facebook has joined other online services and announced the adoption of hardware keys for enhanced Two Factor Authentication (2FA) when you log into your account from a new computer or browser.
The commonly adopted method of 2FA is to send a One Time Password (OTP) via SMS or email. While this method works for the majority of users, they still present a weak point due to the possibility of remotely compromising phones and email. The NIST has a draft proposal in the works that recommends depreciating this type of out-of-band authentication all together.
The evolution of 2FA is moving to a hardware solution. Universal 2nd Factor (U2F) is the leading open authentication standard that is hosted by the FIDO Alliance for use in USB and NFC devices. Providers of supported USB dongles include Yubico, Nitrokey, and DigiFlak.
Using a hardware key makes it easy to secure your online accounts from unauthorized access. According to Brad Hill, a security engineer at Facebook, Using security keys for two-factor authentication provides a number of important benefits:
- Phishing protection: Your login is practically immune to phishing because you don’t have to enter a code yourself and the hardware provides cryptographic proof that it’s in your machine.
- Interoperable: Security keys that support U2F don’t just work for Facebook accounts. You can use the same key for any supported online account (e.g. Google, Dropbox, GitHub, Salesforce), and those accounts can stay safe because the key doesn’t retain any records of where it is used.
- Fast login: If you use a security key with your desktop computer, logging in is as simple as a tap on the key after your enter your password.
Enabling the new security features can be done on the Facebook Security Settings Page once you have a supported hardware key as well as latest version of Chrome, Opera, or Firefox (using an add-on).