Facebook's New Tool Looks To Replace Traditional Two-Factor Authentication (thenextweb.com)
Facebook today unveiled a new feature to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people's digital lives. From a report: Delegated Recovery, as it's being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) -- which should be most of us. The security feature addresses the common concern of losing the device tied to your account. With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you'd simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
Won't Share (Score:3, Insightful)
Fakebook won't share it unless the gov makes them.
I'm looking to reduce Facebook in my life (Score:5, Insightful)
Re: (Score:2)
*NO F@CKING WAY!!!
Re: (Score:1)
Why would I have an intrusive social media platform be the gatekeeper for my recovery stuff? Too many eggs in one basket, and FB is many things, but they really don't have independent certification as a security provider.
My recovery tools for 2FA stuff are a printout of Google Authenticator codes stashed in my floor safe, and my iPod Touch.
Re: (Score:2)
And yet Facebook knows more about you than any other service making it possibly the best repository of information you know that you could use to definitively identify who you are.
In the meantime everyone I know knows my cat's name, so there goes my banking security.
Re: (Score:2)
A Facebook promise? (Score:5, Interesting)
...Facebook also promises not to share it with third-party websites...
That sounds like a marketing interpretation of a privacy policy that probably is as leaky as a sieve.
Re:A Facebook promise? (Score:5, Interesting)
Well technically 3rd party companies aren't third party websites although they may operate websites. And of course government agencies aren't websites either...
Re: (Score:1)
Oh come on. That's not fair. A sieve at least partially obstructs a flow.
what's the catch (Score:1)
Really? Facebook is just providing this service with no upside to themselves? I'm not buying it.
Re: (Score:2)
Eh, the catch is that you need to have an active Facebook account. That's obvious, right? No need to go looking for some devious motive when the upside is staring you right in the face.
They delete and lock accounts too often (Score:3)
Re:They delete and lock accounts too often (Score:4, Insightful)
Even ignoring that problem, at a glance, it seems like there are so many problems with that idea that I almost don't know where to begin. It assumes we trust Facebook to keep the token secure (we don't). It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes). And so on.
A better solution is to add your home phone and office phone as alternate second factors.
Re: (Score:2)
Or a U2F key in a secure location (like a safe deposit box).
Re: (Score:2)
It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes)
For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.
Re: (Score:2)
For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.
If you have a highly secure password/passphrase, which you really should, what's the risk? Unless the encryption is not as good as I've been led to believe, it's not hard to make a password that would take hundreds to thousands of years to crack with current technology. Change your master password every ten or twenty years and you should be OK even if someone gets hold of your encrypted password storage.
Re: (Score:2)
I am suspicious of the notion that "The Cloud" is automatically superior in every way. I've seen the arguments that cloud services typically have high availability, are managed by smart teams, are accessible from everywhere. But the people saying this are likely IT pros doing the grunt work.
I don't trust the company itself not to get sold and change the terms of service, go POOF!, or turn back every single cracking attempt (the bad guys only need to succeed ONCE). If I host my own password manager it is ent
Re: (Score:2)
I suppose it depends on the cloud service. You can never be certain it's going to remain available forever; as you say companies and services come and go. I think you can tell from reviews whether the quality of a service is good. And services that work like LastPass (which is the one I'm familiar with) don't require access all the time anyway. There's a copy of the vault on whatever device you installed it on, and it just uses that, and the cloud is for synchronization. What happens if their service g
Re: (Score:1)
It's too easy to get your facebook account deleted or locked out for it to be useful for this.
But is it really? I mean the only people I know of who get their account deleted or locked out are trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.
Re: (Score:2)
>> It's too easy to get your facebook account deleted or locked out for it to be useful for this.
> But is it really? I mean the only people I know of who get their account deleted or locked out are
> trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.
Blame the victim, why don't you. Read this horror story... https://thenextweb.com/faceboo... [thenextweb.com]
Guy mysteriously gets his account disabled and is forbidden from creating a new one. This is straight out
Too big for their britches (Score:2, Interesting)
Facebook is getting into aspects which a social networking service has little business being involved in. A while back somehow a family member's account became locked; to get it back up and running they were requiring photo ID. It's a social contact website, not a bank account.
I call BS. (Score:2)
"Facebook's Parse Is Shutting Down Today" (Score:2)
I mean it was the exact next story after this one on the front page. And I'm supposed to *rely* on this service to gain access to lost 2FA tokens somehow?
And since when do I trust Facebook with anything? I hardly trust them to keep the privacy settings where I put them.
"Facebook promises" (Score:4, Interesting)
Facebook also promises not to share it with third-party websites (aside from those you authorize)
lolz. I am sure the NSA will love this shit.
Re: (Score:1)
I thought Facebook was funded by the NSA, did Facebook lose their funding?
SMS? (Score:2)
The best way to avoid this problem is to use SMS for 2 factor authentication. Almost all common services support it, and if you lose your phone, a new phone will work just as well.
Re: (Score:2)
SMS is almost as insecure as Facebook itself.
Re: (Score:2)
If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.
Re: (Score:3)
The problem with SMS is well, you're assuming a person has a phone which has a phone number.
NIST wrote guidelines against it because a "phone has a phone number" is no longer accurate. A phone numb
What's the advantage? (Score:2)
Why would I trust Facebook with this instead of just buying a YubiKey? Is there somewhere the YubiKey won't work and this would?
Re: (Score:2)
It sounds like this doesn't replace TFA, it complements it. It is an attempted solution for "what do you do when you lose/damage your yubikey?"
We can argue about whether or not this is a good solution (my guess is that it is fine for most people, but not for security professionals), but there is no doubt that it is trying to solve a real problem (just not the one in the headline).
Re: (Score:2)
Re: (Score:2)
Why would Lastpass be inadequate? Lastpass is also a fine solution, as long as you store a manual replacement for your TFA there in a secure note. It's more complex than Facebook's system, but does far more.
Anything which makes TFA easier is a good thing. Facebook is solving one TFA problem. U2F [wikipedia.org] solves some different problems. Lastpass solves a slightly different set of problems. Bad security is easy, good security is hard and will get harder as long as criminals exist.
Honeypot (Score:1)
Delegated vs Federated logins (Score:1)
Nothing will replace your sanity (Score:1)
April 1st only 61 days away (Score:2)
If only they had waited two months more before posting TFA it would have been worth reading.
What could possibly go wrong? (Score:2)
Do I even need to bother with a list?
Why is it a concern? (Score:2)
My concern was not losing it, but how to make it work with Quicken.
Wrong (Score:2)
Re: (Score:2)
Just what I was wondering.
Encrypted token (Score:2)
The token is encrypted, says Facebook. But how does one decipher it in order to use it? By sending a passphrase to Facebook? Better not forget it.
Or perhaps they mean it is an opaque reference but it can be used as is. A kind of cookie, if you prefer.
I'm sorry, what's hard? (Score:2)
I guess I just don't get it. I have a password. It's a password. Is it somehow difficult to remember my password? So difficult that I need Facebook to store something for me?
Riddle me this: what's wrong with the sticky note on my desk? Or the piece of paper in my drawer? Or the notepad in my safe-deposit box?
Is this for people who have zero experience being responsible for anything? Can't store your own shit, need someone else to store it for you?
Sounds like this is absolutely nothing more than two p