Facebook Adds Two-Factor Authentication
angry tapir writes "To help its hundreds of millions of users prevent unauthorized access to their accounts, Facebook has added an optional verification step to its log-in process. The new security feature, called Login Approvals, is a form of two-factor authentication."
Security? (Score:4, Funny)
That's like putting a steel door on a straw house...
Re: (Score:1)
No, not really. That's a terrible analogy. More like offering a choice of a steel or a regular door.
And people complaining about security - pah. It doesn't have to withstand assaults from highly skilled hackers, merely stop password guessing, etc. I have university students on my friends list who are regularly being 'facebook raped' and this, perhaps, would stop some that.
Re: (Score:2)
The forest-for-the-trees here is - what's the point of having extra login security for a website that has a business model that hinges on compiling and storing your personal information to sell to advertisers?
Re: (Score:2)
It gets them your phone number.
Re: (Score:3)
What's with all the door analogies? This is Slashdot. It's supposed to be a car analogy. Fine, I'll do it myself.
It's like locking a convertible when the top is down.
Re: (Score:2)
That's like putting a steel door on a straw house...
That's not Funny (mods!) that's accurate. You set all your privacy settings to friends only. You refuse all app invitations by default. And yet, your email address and every detail you publish will be handed to spammers on a silver platter by a single person who clicked on the "who viewed your profile" scam. Facebook is becoming MySpace - a platform for spammers, scammers and virus writers, not to mention Facebook's shady partners (Zynga & Co). I quit - I still have my profile, but left a message, a no
Harvesting (Score:2, Interesting)
Protect your MafiaFarmPetVilleWars! (Score:4, Insightful)
This isn't creepy at all.
Re:Protect your MafiaFarmPetVilleWars! (Score:4, Informative)
Actually Google's uses a special app, Google Authenticator. No phone number required.
Re: (Score:3)
Only if you have an Android phone. Otherwise, and even if you do, you can opt for/have to use text messages, an automated phone call, or a OTP you printed earlier.
Re: (Score:3)
Actually, it appears that there's not only an iPhone app, but a Blackberry app, too.
Still, I don't think I'll be taking advantage of Facebook's offer, here. Don't like the idea of Facebook having my phone number. Judging by the other comments, I can see I'm not alone.
Re: (Score:2)
The Google Authenticator app for the iPhone works perfectly.
Re: (Score:2)
Is there an equivalent that runs on Windows, OS X, or Linux?
Re: (Score:2)
Blackberry and iPhone, yes. Otherwise, having the program on a non-mobile platform seems rather useless.
thank you (google voice | text+ | your virtual #) (Score:2, Insightful)
This is where services like text+ shine: get an SMS throw away number and those future call center initiated contacts will get spam filtered.
Re: (Score:2)
Implying they don't probably already have it. It's not like this is new. You've been able to link your Facebook account to your SMS number for a long time... you can get a text message whenever someone sends you a message or posts on your wall.
Hell, Slashdot does it too. Enter your mobile number in the user prefs [slashdot.org] and then there are a number of site messages [slashdot.org] that can be set to notify you via Mobile Text.
FaceBook adds Two Factor Authentication (Score:1)
"Because if they steal your private data, we can't sell it to them!"
Re:FaceBook adds Two Factor Authentication (Score:5, Insightful)
"Because if they steal your private data, we can't sell it to them!"
That's so sadly funny... Facebook isn't even the least bit shy anymore, "just give us your cell/mobile number, it's for safety!" I wonder what new data correlations and connections they can now make with that extra tidbit of data in that database version of you (in the database version of the world)
Two Factor Authentication == Phone Authentication (Score:2)
Have you noticed how every news we get about "Two Factor Authentication" ALWAYS means "Mobile Phone Authentication"?
I don't know if you read TFA, I did so just to confirm it but could see it coming from miles away. It has come to be that you don't really have to ask what kind of "Two Factor Authentication" they are scheming because it always always always means "Mobile Phone Authentication"
Re: (Score:2)
It's because most people already have a mobile phone, and thus they can offer this for free. They already have email verification through the "I forgot my password" process, so that wouldn't be newsworthy. What's the alternative, sending everyone a SecurID card? Should every website make you carry a keyfob to use it?
Re: (Score:2)
If openid were adopted more widely, you'd only need the one keyfob (or not at all depending on your provider)
Though as it looks like facebook is likely to fill the niche that openid was intended for if things continue as they are, if facebook did this, that may be sufficient.
Re: (Score:2)
Anonymous delivers!
Let me guess... (Score:5, Funny)
Re: (Score:1)
I can't believe I just laughed at that. God damn it.
Re:Let me guess... (Score:4, Funny)
Passwords are too hard to remember, particularly for the hardcore Facebook addicts. Instead it will be your username and your mother's name, that way you can quickly look it up on your friends list should you forget it.
Re: (Score:2)
This is Facebook, so the two factors are username and password.
No they are password and captcha made of farmville goat.cx
Re: (Score:3, Funny)
With every app and advertising maker having full access anyway, I think this [wordpress.com] is what I think they have in mind. Now with TWO locks!
Re: (Score:1)
This is Facebook, so the two factors are username and password.
The two factors are zero and one.
Re: (Score:1)
Based on my experience with Facebook, the two factors are a browser cookie and a mouse click.
Re: (Score:2)
Pretty much. A browser cookie identifies that a specific machine no longer needs to be asked for auth, which means unless you're using HTTPS, it is trivially sniffable.
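The "remembered machine" cookie described in this comment, written out as an added Python example (not Facebook's code and not from the article): the token is HMAC-signed so it cannot be forged or re-pointed at another account, carries an expiry, and is emitted with the Secure flag so the browser never sends it over plain HTTP, which is the sniffing problem the comment raises. The key, the 30-day trust period and the cookie name are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Added example (not Facebook's code): a "remembered device" cookie that tells
# the server this browser already completed the second factor, so the one-time
# code is only demanded on a new device. The value is HMAC-signed, expires, and
# is emitted with the flags that keep it off plaintext HTTP and away from scripts.

SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: per-server secret
TRUST_SECONDS = 30 * 24 * 3600                             # assumption: 30-day device trust


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_device_token(user_id: str, now: float = None) -> str:
    """Return 'payload.signature' binding user_id to an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + TRUST_SECONDS)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def device_is_trusted(token: str, user_id: str, now: float = None) -> bool:
    """True only for an untampered, unexpired token issued to this user."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(payload)
    return claims.get("uid") == user_id and claims.get("exp", 0) > now


def set_cookie_header(token: str) -> str:
    """Secure: never sent over plain HTTP; HttpOnly: invisible to page scripts;
    SameSite=Lax: not attached to most cross-site requests."""
    return (f"Set-Cookie: fb_device={token}; Max-Age={TRUST_SECONDS}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    tok = make_device_token("user-123")
    print(set_cookie_header(tok))
    print("trusted:", device_is_trusted(tok, "user-123"))
```

Without the Secure flag the same token rides along on any http:// request to the site and the signature does nothing for you, since a captured token is replayed, not forged; the signature only stops someone minting a token for an account they never logged into.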
Details needed (Score:2)
To help its hundreds of millions of users prevent unauthorized access to their accounts
Is access by FB employees and TLA agents a form of authorized access or unauthorized?
I wonder if that's available in the UK (Score:2)
It's not two-factor authentication. (Score:1)
Asking two different passwords isn't considered "two-factor" authentication.
There are three factors:
1) What I know (passwords, pin)
2) What I have (tokens, smartcards)
3) What I am (retina scan, fingerprint)
For two-factor authentication you will need to have two of the three factors. Facebook uses a password and a code. It doesn't matter if they're different, it's still just one factor (what you know).
Re: (Score:1)
It sends the code to your phone, therefore it's "what I have". It's closer to a token than a password.
Better yet (Score:1)
Re: (Score:2)
Web monkeys too busy writing FB Apps and getting paid.
What's the duration? (Score:1)
So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok the 4 hour delays at new year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.
Re: (Score:2)
So... rather than provide a fob or phone app to provide a "one-time" number that constantly changes, they'll SMS it to your phone. Well, it's not exactly instant and depending on network load can take a while (ok the 4 hour delays at new year are a bit of an exception from the norm). It seems to me that the "one-time" number has to remain valid for quite a while and every second would increase the vulnerability.
Meh. Simply adding the requirement - even if the codes never expired - would decrease the ability of a "password guesser" to gain access by a factor of several thousand (probably much more). Expiring the codes after a day would be just fine. Worrying about being 1,000,000 times more secure vs. only 10,000 times more secure is a silly reason to not do it the simple way.
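A worked version of the check being argued over here, as an added Python example that is not Facebook's code or anything from the article. It covers both the earlier point that a code delivered to the phone acts as the "what I have" factor and this exchange about how long the code may stay valid: the server issues a random code after the password check, accepts it only inside a validity window, locks it after a few wrong guesses, and consumes it on success. The window length, attempt limit and code length are assumptions; the last function works out the password-guesser odds the comment above is talking about.

```python
import hmac
import secrets
import time

# Added example (not Facebook's code): a minimal server-side "login approval"
# step. After the password check passes, the server issues a short random code,
# sends it out of band (delivery is outside this snippet) and completes the
# login only when that code comes back in time and within the attempt budget.

CODE_DIGITS = 6
VALID_SECONDS = 600   # assumption: 10-minute window; tunable
MAX_ATTEMPTS = 5      # assumption: a code is burned after 5 wrong guesses


class LoginApprovals:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock for deterministic tests
        self._pending = {}           # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        """Create a fresh one-time code for `user` and return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "code": code,
            "expires": self._clock() + VALID_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user, submitted):
        """True (and the code is consumed) only for a correct, in-window guess."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]          # expired: force a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]          # too many guesses: burn the code
            return False
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        # Constant-time comparison so response timing doesn't leak how many
        # leading digits matched.
        ok = hmac.compare_digest(entry["code"], submitted)
        if ok:
            del self._pending[user]          # single use
        return ok


def guess_success_probability(digits=CODE_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that someone who already has the password guesses the code
    before it is burned: attempts divided by the size of the code space."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    approvals = LoginApprovals()
    code = approvals.issue("alice")       # in real use: sent by SMS, never shown
    print("accepted:", approvals.verify("alice", code))
    print("guess odds with lockout:", guess_success_probability())
```

The attempt budget is what makes the window length a secondary concern: with five tries against a six-digit code the odds are five in a million whether the code lives ten minutes or a day, which is the point the comment makes about not needing the codes to expire aggressively.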
Re: (Score:1)
You would be better off assuming they will sell your phone number.
Extra layer of security (Score:5, Funny)
I heard that the two form authentication will involve both your password and verification that you've posted a derogatory story about Google to your blog.
Re: (Score:1)
Stupid mis-click. Posting to remove bad mod. :(
as if you guys dont know.... (Score:2)
WTF is the point? (Score:5, Insightful)
"To help its hundreds of millions of users prevent unauthorized access to their accounts..."
Gee, that's nice Farcebook. Now, what exactly are you going to do about your privacy policies that change with the wind, forcing users to constantly monitor their settings to prevent "authorized" access?
Hard to feel safe in the car when you don't trust the driver no matter how many seat belts you have on.
Facebook adds mobile phone number capture (Score:2)
So Facebook gets to ask its unsuspecting users for their mobile phone numbers in addition to the other data they now spew out into the eager hands of crackers and marketeers?
Sweet.
Facebook stupidity.. (Score:3, Insightful)
"we will text your phone."
Because our admins are too stupid to remember that in the USA it costs money to receive text messages and not everyone is a tween that has unlimited texting on their phones K?
Re:Facebook stupidity.. (Score:5, Insightful)
So would it be better for them not to implement it at all because you don't want to use it?
Lots of people 1) don't live in the US, and therefore don't pay for incoming SMS, 2) have SMS packages or 3) don't mind paying, since it's not for every login but only when a new device is used.
If you don't want to use it, nobody forces you to.
Re: (Score:2)
Email is free to 99.997831% of the world. And "GASP" most smartphones have a data plan required but not the $30.00 a month TXT UR FRNDS plan. Plus email allows those that don't have a cellphone to do it as well.
It's called thinking a plan through so that the largest segment can access the feature.
Re:Facebook stupidity.. (Score:4, Informative)
Largest segment? You do know that the vast majority of the world, including the US, still uses more feature phones than smartphones?
Not to mention that for most people if you know they're FB password you can probably access their email too; from password reuse to finding their secret answer (like your candidate for vice president), it's almost useless as a second authentication mechanism.
And you don't need a $30/month plan to receive one SMS a month, if that. How many times do you realistically use FB from a new device?
Re: (Score:2)
And now I've noticed the "they're/their" error and I'm kicking myself.
Re: (Score:2)
They already have email access. In fact, their FAQ states that if your phone is b0rked you can authorize a new computer through an email process.
Besides, if you're logging on to Facebook through a new computer, maybe you don't want to pull up your email on the same new computer? Not everyone has webmail, you know. Besides, that also removes one of the two factors - instead of a password and a device, you now need two passwords. Very different.
Re: (Score:2)
Yes, it's definitively just as easy for the user to buy, associate with his FB account and carry around everywhere a physical fob - that most people have never heard about and at least 30% will have trouble understanding - because (s)he might want to login to Facebook from another device than it is to simply input a phone number, spend $0 and carry no extra device at all.
And it's just as easy for Facebook to have deal with helping millions of people to buy and use a strange device than simply getting a bulk
Re:Facebook stupidity.. (Score:5, Insightful)
I have to say - paying to receive SMS is possibly the most stupid thing I've ever heard anyone agree to. It was back when mobile phones first came out and still is now.
The problem is not Facebook there - the problem is people who tolerate a stupid system where you can end up paying for something you never asked for.
Re:Facebook stupidity.. (Score:4, Insightful)
Ok, wise guy; what are we supposed to do about it? There are only four carriers in the US, and they all charge for receiving text messages. Obviously, you only have two options: either not own a cellphone, or to start your own carrier. Not owning a cellphone does not hurt the carrier, since they have plenty of other customers who don't mind paying for text messages, or just can't live without a cellphone. No carrier will miss you. They will, in fact, want you to leave, since you are a cheapskate who does not make them money by signing up for an expensive monthly contract. Heck, you probably use prepaid, which is not making them any money at all! Your other option of starting your own carrier is not viable due to lack of capital. You'll need to build a few million cell towers, since if you just rent from the existing carriers you'll have to conform to their pricing plans or lose money. Who will lend you the money? Nobody. So, as you can see, we're all pretty much screwed and can do nothing about it.
Re: (Score:2, Interesting)
I e-mailed Sprint and told them I didn't want to pay for texts, since I only receive a few a month. To summarize, they replied "No problem, we'll put you down for 200 free texts a month. Is that all you need, or can we help you with something else?". I was shocked, but service like that will retain me as a customer. I went so far as to write a response to commend them for it.
But I guess your way works too: do nothing. Can't be disappointed if you never try, right?
Re: (Score:3)
Ok, wise guy; what are we supposed to do about it?
Google Voice, as one option, and I'm pretty sure there are others. From my POV, paying for texting is like getting your TV from a company that wants $80/month: quaint, but unnecessary.
Re: (Score:2)
Well, for starters you could *gasp* forbid the operators through legislation from charging for received messages...
Re: (Score:2)
There are only four carriers in the US, and they all charge for receiving text messages
Soon to be three as AT&T digests T-Mobile. This SMS payment problem is only going to get worse (AT&T recently removed its lowest tier of SMS plans and now you pay $10/mo for 1000 or $.20 a message for ad-hoc).
Why no email option? (Score:3)
Is there a valid reason for not offering the same service via email? Using, you know, the email address that facebook already has on record.
Re: (Score:1)
In that case, why would you want to be logged in from said untrusted computer in the first place?
Ah, the illusion (Score:2)
Yeah, we have two factor authentication. Don't worry, your account is safe. Nobody can access it except you, and us, and some of it from our advertisers, but nothing to worry about. Now give us more information we can sell.
Love
Facebook.
lol (Score:3)
they immediately publish your cell # (Score:4, Informative)
Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.
Thanks Facebook! (i immediately removed it and disabled the feature)
Re: (Score:2)
Google voice doesn't work because it doesn't have an SMS gateway. Since I have the same problem, I emailed Facebook and suggested that they consider supporting sending one-time-passwords via email instead of only by SMS. It's almost as secure as receiving an SMS, especially if your email account also has 2-factor security, and doesn't cost a dime.
Re: (Score:1)
I went into the profile editor, blanked out the mobile number, and saved it. It seemed to accept that, but the SMS 2-factor auth still works. Who knows if it will stay that way....
Re: (Score:2)
Worth noting - when you supply a phone number (btw, my Google Voice number didn't work at all for this.. had to use my actual mobile #).. they immediately publish it on your profile.
Thanks Facebook! (i immediately removed it and disabled the feature)
And then you can modify your privacy settings so that contact info is not viewable by any users other than you......
Simpsons memory (Score:2)
Re: (Score:2)
As long as I can click on a link and give an app the ability to write on my wall as me, with no explicit permissions to do so, I don't think extra password security is all that meaningful.
You clicked. What further permission do they need?
AdBlock Plus (Score:2)
! Block Facebook's third-party widgets/trackers on other sites; several domains go in one domain= option separated by |, since a repeated domain= overrides the earlier one
||facebook.com^$third-party,domain=~fbcdn.net|~facebook.com
||facebook.net^$third-party,domain=~facebook.com|~fbcdn.net
||fbcdn.net^$third-party,domain=~facebook.com|~facebook.net
Re: (Score:2)
In all fairness, you clicked on a link which caused a big popup window to appear stating, "{APPNAME} wants to learn about all your stuff, and your friends, and write on your wall, before showing you what kind of beaver mustache you are. Mmmmkay?" to which you had to very explicitly say "APPROVE!!!" It's not like they're making it a big secret. How would you handle it, exactly?
Authority (Score:2)
Two factor login?
Q1: We will trawl your personal data to sell to advertisers, log in here...
Q2: Are you sure you want your details to be sold to advertisers? Log in here...
what if you never log out? (Score:2)
2 factor is useless if you never log the hell out of facebook. I just want my flippin session to timeout after 30 min >_>
Re: (Score:2)
Why? You leave your computer unattended and unlocked where other people might be able to use it?
Texting? (Score:1)
Something fishy here (Score:1)
From the article:
Even interns like myself are tasked with big projects to help improve account security. Instead of working on mundane tasks and simple problems, interns are given high-impact assignments that reach out to hundreds of millions users every time they use Facebook.
They tasked an INTERN with security?!?
Brilliant move to further ruin your privacy.. (Score:2)
The covert threat is: you either submit your mobile phone number or we will not protect you anymore.
I keep the details I hand to FB to an absolute minimum, and my phone number is certainly not going to be added. The problem I see is that I have no way to disable SMS spam, so once FB decided to resell data again I might as well get a new number (with all the associated costs).
It would be smarter if they finally implemented OpenID support, because you can then simply choose the service that you deem safest.
I'd Rather Google (Score:1)
FFS (Score:1)
Screw Failbook (Score:2)