
Facebook Adds Two-Factor Authentication

Posted by timothy
from the your-name-and-your-real-name dept.
angry tapir writes "To help its hundreds of millions of users prevent unauthorized access to their accounts, Facebook has added an optional verification step to its log-in process. The new security feature, called Login Approvals, is a form of two-factor authentication."
  • Security? (Score:4, Funny)

    by Anonymous Coward on Friday May 13, 2011 @07:15AM (#36116424)

    That's like putting a steel door on a straw house...

    • Re: (Score:3, Insightful)

      by Hultis (1969080)
      More like putting a steel door next to the regular one most people will still use.
      • by Anonymous Coward

        No, not really. That's a terrible analogy. More like offering a choice of a steel or a regular door.
        And people complaining about security - pah. It doesn't have to withstand assaults from highly skilled hackers, merely stop password guessing, etc. I have university students on my friends list who are regularly being 'facebook raped' and this, perhaps, would stop some that.

        • The forest-for-the-trees here is - what's the point of having extra login security for a website that has a business model that hinges on compiling and storing your personal information to sell to advertisers?

        • by S.O.B. (136083)

          What's with all the door analogies? This is Slashdot. It's supposed to be a car analogy. Fine, I'll do it myself.

          It's like locking a convertible when the top is down.

    • by Dunbal (464142) *
      It's like putting TSA employees in front of a gate.
    • by molnarcs (675885)

      That's like putting a steel door on a straw house...

      That's not Funny (mods!), that's accurate. You set all your privacy settings to friends only. You refuse all app invitations by default. And yet, your email address and every detail you publish will be handed to spammers on a silver platter by a single person who clicked on the "who viewed your profile" scam. Facebook is becoming MySpace - a platform for spammers, scammers and virus writers, not to mention Facebook's shady partners (Zynga & Co). I quit - I still have my profile, but left a message, a no

    • by akayani (1211810)
      It's only so they get your real name which they trade with and give to the CIA. It's nothing to do with anything but what benefits Facebook.
  • Harvesting (Score:2, Interesting)

    by tpotus (1856224)
    As someone pointed out in the article comments: this enforces FB's agenda to have its users submit as much personal info as possible to them.
    • by hodet (620484)
      Of course it does. We are not their customers. We are their product.
    • Not only that, but this seems to make harvesting people's numbers easier as well. "To make sure you are who you say you are, check your phone. In case you are somebody that doesn't know what the phone number is, it's: 1-559- -1331. We hold ourselves to the highest standards when handling your personal information."
  • by L4t3r4lu5 (1216702) on Friday May 13, 2011 @07:15AM (#36116432)
    Give us your telephone number.

    This isn't creepy at all.
    • by Anonymous Coward

      This is where services like text+ shine: get an SMS throw away number and those future call center initiated contacts will get spam filtered.

      • Except in this case the number needs to stay valid, otherwise you can't receive a text later on if you want to log in to facebook elsewhere.
    • by _0xd0ad (1974778)

      Implying they don't probably already have it. It's not like this is new. You've been able to link your Facebook account to your SMS number for a long time... you can get a text message whenever someone sends you a message or posts on your wall.

      Hell, Slashdot does it too. Enter your mobile number in the user prefs [slashdot.org] and then there are a number of site messages [slashdot.org] that can be set to notify you via Mobile Text.

  • by Anonymous Coward

    "Because if they steal your private data, we can't sell it to them!"

    • by curtisk (191737) on Friday May 13, 2011 @07:34AM (#36116512) Homepage Journal

      "Because if they steal your private data, we can't sell it to them!"

      That's so sadly funny... Facebook isn't even the least bit shy anymore: "just give us your cell/mobile number, it's for safety!" I wonder what new data correlations and connections they can now make with that extra tidbit of data in that database version of you (in the database version of the world).

      • Have you noticed how every news we get about "Two Factor Authentication" ALWAYS means "Mobile Phone Authentication"?

        I don't know if you read TFA; I did so just to confirm it, but could see it coming from miles away. It has come to be that you don't really have to ask what kind of "Two Factor Authentication" they are scheming because it always always always means "Mobile Phone Authentication".

        • by rjstanford (69735)

          It's because most people already have a mobile phone, and thus they can offer this for free. They already have email verification through the "I forgot my password" process, so that wouldn't be newsworthy. What's the alternative, sending everyone a SecurID card? Should every website make you carry a keyfob to use it?

          • by Richy_T (111409)

            If OpenID were adopted more widely, you'd only need the one keyfob (or none at all, depending on your provider).

            Though as it looks like Facebook is likely to fill the niche that OpenID was intended for if things continue as they are, if Facebook did this, that may be sufficient.

    • by pmontra (738736)
      That line seems to be very common today [slashdot.org].
  • by msauve (701917) on Friday May 13, 2011 @07:32AM (#36116500)
    This is Facebook, so the two factors are username and password.
    • by Seumas (6865)

      I can't believe I just laughed at that. God damn it.

    • by rsmith-mac (639075) on Friday May 13, 2011 @07:33AM (#36116508)

      Passwords are too hard to remember, particularly for the hardcore Facebook addicts. Instead it will be your username and your mother's name, that way you can quickly look it up on your friends list should you forget it.

    • by syousef (465911)

      This is Facebook, so the two factors are username and password.

      No they are password and captcha made of farmville goat.cx

    • Re: (Score:3, Funny)

      by Anonymous Coward

      With every app and advertising maker having full access anyway, I think this [wordpress.com] is what I think they have in mind. Now with TWO locks!

    • by Sulphur (1548251)

      This is Facebook, so the two factors are username and password.

      The two factors are zero and one.

    • Based on my experience with Facebook, the two factors are a browser cookie and a mouse click.

      • by dgatwood (11270)

        Pretty much. A browser cookie identifies that a specific machine no longer needs to be asked for auth, which means unless you're using HTTPS, it is trivially sniffable.

  • To help its hundreds of millions of users prevent unauthorized access to their accounts

    Is access by FB employees and TLA agents a form of authorized access or unauthorized?

  • I wonder if that's available in the UK. It would be nice to know that it's costing them money every time you log in.
  • by Anonymous Coward

    Asking two different passwords isn't considered "two-factor" authentication.

    There are three factors:
    1) What I know (passwords, pin)
    2) What I have (tokens, smartcards)
    3) What I am (retina scan, fingerprint)

    For two-factor authentication you will need to have two of the three factors. Facebook uses a password and a code. It doesn't matter if they're different, it's still just one factor (what you know).

    • by Hultis (1969080)
      That code is sent to your phone though, which is something you have (and there's presumably a short time window to use that code) => two-factor authentication.
    • It sends the code to your phone, therefore it's "what I have". It's closer to a token than a password.

  • Just give them your mother's maiden name and your SSN and get it over with. Might as well just have your paycheck auto-deposited into their accounts. That's what they really want. Please someone tell me this Facebook is a fad. Maybe between Facebook outright selling your privacy and the hackers stealing your identity the faceless masses of people using this thing will get burned enough to run off somewhere else. It's time to seriously setup the next Facebook for the sheeple, then get anonymous to attac
  • So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok, the 4 hour delays at New Year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.

    • by rjstanford (69735)

      So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok, the 4 hour delays at New Year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.

      Meh. Simply adding the requirement - even if the codes never expired - would decrease the ability of a "password guesser" to gain access by a factor of several thousand (probably much more). Expiring the codes after a day would be just fine. Worrying about being 1,000,000 times more secure vs. only 10,000 times more secure is a silly reason to not do it the simple way.

  • by ray_mccrae (78654) on Friday May 13, 2011 @07:57AM (#36116610)

    I heard that the two form authentication will involve both your password and verification that you've posted a derogatory story about Google to your blog.

  • Facebook already has millions of mobile numbers from its users. Just about everyone I know updates their Facebook via SMS or mobile app. In fact, the app on the HTC phone that my brother uses didn't even beat around the bush. When he connected the first time he created the account from his phone using what I suppose is his phone#@carrier address.
  • WTF is the point? (Score:5, Insightful)

    by geekmux (1040042) on Friday May 13, 2011 @07:57AM (#36116618)

    "To help its hundreds of millions of users prevent unauthorized access to their accounts..."

    Gee, that's nice Farcebook. Now, what exactly are you going to do about your privacy policies that change with the wind, forcing users to constantly monitor their settings to prevent "authorized" access?

    Hard to feel safe in the car when you don't trust the driver no matter how many seat belts you have on.

  • So Facebook gets to ask its unsuspecting users for their mobile phone numbers in addition to the other data they now spew out into the eager hands of crackers and marketeers?

    Sweet.

  • by Lumpy (12016) on Friday May 13, 2011 @08:10AM (#36116688) Homepage

    "we will text your phone."

    Because our admins are too stupid to remember that in the USA it costs money to receive text messages, and not everyone is a tween that has unlimited texting on their phones, K?

    • by icebraining (1313345) on Friday May 13, 2011 @08:20AM (#36116728) Homepage

      So would it be better for them not to implement it at all because you don't want to use it?

      Lots of people 1) don't live in the US, and therefore don't pay for incoming SMS, 2) have SMS packages or 3) don't mind paying, since it's not for every login but only when a new device is used.

      If you don't want to use it, nobody forces you to.

      • by Lumpy (12016)

        Email is free to 99.997831% of the world. And "GASP" most smartphones have a data plan required, but not the $30.00 a month TXT UR FRNDS plan. Plus email allows those that don't have a cellphone to do it as well.

        It's called thinking a plan through so that the largest segment can access the feature.

        • by icebraining (1313345) on Friday May 13, 2011 @10:25AM (#36117644) Homepage

          Largest segment? You do know that the vast majority of the world, including the US, still uses more feature phones than smartphones?

          Not to mention that for most people, if you know their FB password you can probably access their email too; from password reuse to finding their secret answer (like your candidate for vice president), it's almost useless as a second authentication mechanism.

          And you don't need a $30/month plan to receive one SMS a month, if that. How many times do you realistically use FB from a new device?

        • by rjstanford (69735)

          They already have email access. In fact, their FAQ states that if your phone is b0rked you can authorize a new computer through an email process.

          Besides, if you're logging on to Facebook through a new computer, maybe you don't want to pull up your email on the same new computer? Not everyone has webmail, you know. Besides, that also removes one of the two factors - instead of a password and a device, you now need two passwords. Very different.

    • by ledow (319597) on Friday May 13, 2011 @08:28AM (#36116770) Homepage

      I have to say - paying to receive SMS is possibly the most stupid thing I've ever heard anyone agree to. It was back when mobile phones first came out and still is now.

      The problem is not Facebook there - the problem is people who tolerate a stupid system where you can end up paying for something you never asked for.

      • by Chemisor (97276) on Friday May 13, 2011 @09:25AM (#36117160)

        Ok, wise guy; what are we supposed to do about it? There are only four carriers in the US, and they all charge for receiving text messages. Obviously, you only have two options: either not own a cellphone, or to start your own carrier. Not owning a cellphone does not hurt the carrier, since they have plenty of other customers who don't mind paying for text messages, or just can't live without a cellphone. No carrier will miss you. They will, in fact, want you to leave, since you are a cheapskate who does not make them money by signing up for an expensive monthly contract. Heck, you probably use prepaid, which is not making them any money at all! Your other option of starting your own carrier is not viable due to lack of capital. You'll need to build a few million cell towers, since if you just rent from the existing carriers you'll have to conform to their pricing plans or lose money. Who will lend you the money? Nobody. So, as you can see, we're all pretty much screwed and can do nothing about it.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          I e-mailed Sprint and told them I didn't want to pay for texts, since I only receive a few a month. To summarize, they replied "No problem, we'll put you down for 200 free texts a month. Is that all you need, or can we help you with something else?". I was shocked, but service like that will retain me as a customer. I went so far as to write a response to commend them for it.
           
          But I guess your way works too: do nothing. Can't be disappointed if you never try, right?

        • by mikestew (1483105)

          Ok, wise guy; what are we supposed to do about it?

          Google Voice, as one option, and I'm pretty sure there are others. From my POV, paying for texting is like getting your TV from a company that wants $80/month: quaint, but unnecessary.

          • by panZ (67763)
            Google Voice is not an option. As of right now, Facebook will not send an SMS to a Google Voice number.
        • by doshell (757915)

          Well, for starters you could *gasp* forbid the operators through legislation from charging for received messages...

        • by rsborg (111459)

          There are only four carriers in the US, and they all charge for receiving text messages

          Soon to be three as AT&T digests T-Mobile. This SMS payment problem is only going to get worse (AT&T recently removed its lowest tier of SMS plans and now you pay $10/mo for 1000 or $.20 a message for ad-hoc).

      • by N1AK (864906)
        It makes perfect sense, if users are given some control over which SMS are charged. You 'pay' for receiving an email (although most people do so via the effectively unlimited bandwidth they have pre-purchased). Not paying for incoming phone and text communications is why we haven't got services like Google Voice in the UK. It also means that there is no motivation for mobile operators to decrease the SMS delivery charge because their customer isn't paying for it anyway.
  • by anti-pop-frustration (814358) on Friday May 13, 2011 @08:29AM (#36116778) Journal
    This sounds like a ploy to harvest phone numbers from well meaning (if ill informed) users who care about security and who previously hadn't surrendered their phone number to facebook.

    Is there a valid reason for not offering the same service via email? Using, you know, the email address that facebook already has on record.
  • Yeah, we have two factor authentication. Don't worry, your account is safe. Nobody can access it except you, and us, and some of it from our advertisers, but nothing to worry about. Now give us more information we can sell.

    Love

    Facebook.

  • by Charliemopps (1157495) on Friday May 13, 2011 @08:38AM (#36116824)
    This will only ensure that the data they collect on you is actually from you... thereby making it more valuable to the tens of thousands of businesses they then turn around and sell the information to.
  • by Loco3KGT (141999) on Friday May 13, 2011 @08:43AM (#36116846)

    Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.

    Thanks Facebook! (I immediately removed it and disabled the feature)

    • by ftobin (48814) *

      btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #)..

      Google voice doesn't work because it doesn't have an SMS gateway. Since I have the same problem, I emailed Facebook and suggested that they consider supporting sending one-time-passwords via email instead of only by SMS. It's almost as secure as receiving an SMS, especially if your email account also has 2-factor security, and doesn't cost a dime.

    • by Anonymous Coward

      I went into the profile editor, blanked out the mobile number, and saved it. It seemed to accept that, but the SMS 2-factor auth still works. Who knows if it will stay that way....

    • Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.

      Thanks Facebook! (I immediately removed it and disabled the feature)

      And then you can modify your privacy settings so that contact info is not viewable by any users other than you......

  • Kind of feels like that a scene in The Simpsons where Burns and Smithers walk through several layers of heavy security with lots of big heavy doors, only to end up in a little shed with an open door and a broken window. As long as I can click on a link and give an app the ability to write on my wall as me, with no explicit permissions to do so, I don't think extra password security is all that meaningful.
    • As long as I can click on a link and give an app the ability to write on my wall as me, with no explicit permissions to do so, I don't think extra password security is all that meaningful.

      You clicked. What further permission do they need?

      • by w_dragon (1802458)
        Clicking a random link while logged into facebook is not permission to post something on my wall as me. Well, right now it is, but it shouldn't be.
        • ||facebook.com^$third-party,domain=~fbcdn.net,domain=~facebook.com
          ||facebook.net^$third-party,domain=~facebook.com,domain=~fbcdn.net
          ||fbcdn.net^$third-party,domain=~facebook.com,domain=~facebook.net

    • by rjstanford (69735)

      In all fairness, you clicked on a link which caused a big popup window to appear stating, "{APPNAME} wants to learn about all your stuff, and your friends, and write on your wall, before showing you what kind of beaver mustache you are. Mmmmkay?" to which you had to very explicitly say "APPROVE!!!" It's not like they're making it a big secret. How would you handle it, exactly?

  • Two factor login?

    Q1: We will trawl your personal data to sell to advertisers, log in here...

    Q2: Are you sure you want your details to be sold to advertisers? Log in here...

  • 2 factor is useless if you never log the hell out of facebook. I just want my flippin session to timeout after 30 min >_>

    • by _0xd0ad (1974778)

      Why? You leave your computer unattended and unlocked where other people might be able to use it?

  • That's no good for those of us who don't have texting service on our phones. Who needs texting with a data plan (and IM readily available)?
  • by Anonymous Coward

    From the article:

    Even interns like myself are tasked with big projects to help improve account security. Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach out to hundreds of millions users every time they use Facebook.

    They tasked an INTERN with security?!?

  • The covert threat is: you either submit your mobile phone number or we will not protect you anymore.

    I keep the details I hand to FB to an absolute minimum, and my phone number is certainly not going to be added. The problem I see is that I have no way to disable SMS spam, so once FB decides to resell data again I might as well get a new number (with all the associated costs).

    It would be smarter if they finally implemented OpenID support, because you can then simply choose the service that you deem safest.

  • I'd rather they allow authentication via google ID, so I can use google's more versatile two-factor auth.
  • by t-twisted (937590)
    facebook.com still points to http://www.facebook.com/ [facebook.com] by default, I'll wait for the headline when THAT changes.
  • They can go to hell. I don't want them having my phone number. Fail, fail, fail.
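Two threads above argue about the mechanics rather than the politics: the "three factors" comment (a code delivered to a phone is "what you have", valid for a short window) and rjstanford's reply that even a code which expires after a day multiplies the cost of password guessing by thousands. The following Python is an added example, not Facebook's code or anything a commenter posted; it models that second step with assumed parameters (six-digit code, one-day validity, five guesses per code) and a fake clock so expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters (not Facebook's): six-digit code, one-day validity
# (the lifetime rjstanford called "just fine"), five guesses per code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 24 * 3600
MAX_ATTEMPTS = 5


def _hash_code(code: str) -> str:
    # Store only a digest so a leaked pending table does not leak live codes.
    return hashlib.sha256(code.encode()).hexdigest()


class LoginApprovals:
    """Hypothetical second step, run after the password has already been checked."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock, so tests can fast-forward expiry
        self.pending = {}       # (user, device) -> [code_hash, expires_at, attempts]
        self.trusted = {}       # device token -> user

    def start(self, user: str, device: str) -> str:
        # The "what you have" factor: the code is delivered out of band (SMS in
        # the article). Returning it here only stands in for that channel.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(user, device)] = [_hash_code(code), self.now() + CODE_TTL_SECONDS, 0]
        return code

    def approve(self, user: str, device: str, submitted: str):
        """Return a device token on success, None on any failure."""
        entry = self.pending.get((user, device))
        if entry is None:
            return None
        code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            # Expired or too many guesses: discard it; the user must request a new code.
            del self.pending[(user, device)]
            return None
        entry[2] += 1
        if not hmac.compare_digest(code_hash, _hash_code(submitted)):
            return None
        del self.pending[(user, device)]    # a code is usable exactly once
        # Recognise this device next time. On a real site this token is the
        # browser cookie dgatwood mentions, so it must only travel over HTTPS.
        token = secrets.token_urlsafe(32)
        self.trusted[token] = user
        return token

    def trusted_user(self, token: str):
        return self.trusted.get(token)


def guess_success_probability(digits: int = CODE_DIGITS, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that an attacker who already holds the password guesses the code
    before the attempt limit discards it. With no limit (attempts = 10**digits)
    this is 1.0, which is why the counter matters more than the expiry time."""
    return attempts / 10 ** digits
```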
