Facebook Debuts Two-Factor Login Authentication

Friday, May 13, 2011



Facebook has implemented a new level of login security for users with the debut of a feature called "Login Approvals", a two-factor authentication process.

The new feature gives Facebook users the option of requiring a one-time numeric authentication code, in addition to the standard username/password combination, whenever the network detects a login attempt from a device that the user has not previously saved.

Upon receiving a login attempt from an unrecognized device, Facebook will send the authentication code to the account holder via an SMS text message to the cell phone number the member has associated with their account.

If the user's username and password are ever compromised, unauthorized login attempts from unrecognized devices will be blocked for failure to provide the one-time authentication code, and the account owner will be notified of a failed attempt upon their next login.
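A minimal server-side sketch of the flow described above, added here as an illustration and not Facebook's implementation. The class and method names, the six-digit code length, the five-minute expiry, the three-guess limit and the injected `send_sms` callable are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300     # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3   # assumed: guesses allowed per issued code

class LoginApprovals:
    def __init__(self, send_sms, now=time.time):
        self.send_sms, self.now = send_sms, now  # hypothetical SMS gateway, clock
        self.devices = {}  # user -> hashes of saved device tokens
        self.pending = {}  # user -> [code_hash, expires_at, attempts_left]
        self.failed = {}   # user -> failed approvals to report at next login

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, user, password_ok, device_token):
        """Return 'denied', 'ok' (saved device) or 'code_required'."""
        if not password_ok:
            return "denied"
        if device_token and self._h(device_token) in self.devices.get(user, ()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.randint
        self.pending[user] = [self._h(code), self.now() + CODE_TTL, MAX_ATTEMPTS]
        self.send_sms(user, code)
        return "code_required"

    def approve(self, user, code, save_device=False):
        """Return (approved, device_token or None)."""
        entry = self.pending.get(user)
        if entry is None:
            return False, None
        code_hash, expires_at, attempts = entry
        expired = self.now() > expires_at
        good = not expired and hmac.compare_digest(code_hash, self._h(code))
        if good or expired or attempts <= 1:
            del self.pending[user]  # single use, expired, or guesses exhausted
        else:
            entry[2] = attempts - 1
        if not good:
            self.failed[user] = self.failed.get(user, 0) + 1
            return False, None
        token = secrets.token_urlsafe(32) if save_device else None
        if token:  # store only a hash of the saved-device token
            self.devices.setdefault(user, set()).add(self._h(token))
        return True, token

    def pop_failed_notice(self, user):
        return self.failed.pop(user, 0)  # shown to the owner at next login
```

The guess limit and expiry matter because a six-digit code has only one million possible values; without them the second factor could be brute-forced by anyone who already holds the password.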

"As more individuals and businesses turn to Facebook to share and connect with others, people are looking to take more control over protecting their account from unauthorized access. Login approvals is a Two Factor Authentication system that requires you to enter a code we send to your mobile phone via text message whenever you log into Facebook from a new or unrecognized computer. Once you have entered this security code, you’ll have the option to save the device to your account so that you don’t see this challenge on future logins," blogged Facebook's Andrew Song.

To enable the "Login Approvals" option, users need to go to the "Account" drop-down menu in the upper right-hand corner of their Facebook page, choose "Account Settings" and then the "Account Security" option.

Check the box for "Login Approvals" and follow the directions. You will need to have your cell phone handy to complete the process.


It is also highly recommended that users enable the "Secure Browsing (https)" and "Login Notifications" options, also located under "Account Security", for improved security.

Facebook is also considering other authentication options for the future, according to the blog post by Song.

"One challenge in building login approvals was balancing security and usability.  Similar features on other websites require you to download authentication apps or purchase physical tokens to act as your second factor. These are good approaches, and we're considering incorporating them in the future, but they require a lot from the user before being able to turn on the feature.  To have the biggest impact and provide this added security to the most people, we decided on SMS as the best choice for a second factor," Song wrote.

Source:  https://www.facebook.com/note.php?note_id=10150172618258920&comments

Sarah Needham: It’s great that Facebook is strengthening security by using two-factor authentication. People share so much personal information on Facebook that relying on a single layer of password protection is simply not enough. However, sending a code by SMS text message is not very secure because they are sent in clear text. If the user were to lose their phone or have it stolen, anybody could read that text message and fraudulently authenticate.

More websites need to use two-factor authentication like Facebook is doing, but a more secure and easier-to-use approach is to send an image-based authentication challenge to the user’s phone, like Confident Technologies provides: http://bit.ly/dMNzB5. A grid of pictures is displayed on the user’s smartphone and to authenticate, the user must correctly identify the pictures that fit their pre-chosen, secret categories. Even if someone else had possession of your phone, they wouldn’t be able to authenticate because they wouldn’t know your secret picture categories.
Shibu Yume: I'm currently using a two-factor authentication app on the iPhone for my Facebook.

I don't trust Facebook with my mobile number, and SMS isn't free all the time.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
