
Facebook's New Tool Looks To Replace Traditional Two-Factor Authentication (thenextweb.com)

Facebook today unveiled a new feature to let its 1.79 billion users reset passwords for other websites using its platform, an effort to further entrench the social network in people's digital lives. From a report: Delegated Recovery, as it's being called, looks to be a step forward for those afraid of losing their devices when using two-factor authentication (2FA) -- which should be most of us. The security feature addresses the common concern of losing the device tied to your account. With Delegated Recovery, Facebook lets users set up an encrypted recovery token for sites like GitHub, and stores it at Facebook. If you lose the login information for GitHub, you'd simply log in to Facebook and send the stored token to the site to prove your identity and regain access. The token is encrypted, and Facebook can't access the information stored on it. Facebook also promises not to share it with third-party websites (aside from those you authorize).
  • Won't Share (Score:3, Insightful)

    by Anonymous Coward on Monday January 30, 2017 @03:50PM (#53768727)

    Fakebook won't share it unless the gov makes them.

  • by QuietLagoon ( 813062 ) on Monday January 30, 2017 @03:51PM (#53768737)
    Not increase it. There is NO WAY I'd link Facebook in with any security process I have or use. NO WAY.
    • *NO F@CKING WAY!!!

    • Why would I have an intrusive social media platform be the gatekeeper for my recovery stuff? Too many eggs in one basket, and FB is many things, but they really don't have independent certification as a security provider.

      My recovery tools for 2FA stuff are a printout of Google Authenticator codes stashed in my floor safe, and my iPod Touch.

    • And yet Facebook knows more about you than any other service making it possibly the best repository of information you know that you could use to definitively identify who you are.

      In the meantime everyone I know knows my cat's name, so there goes my banking security.

  • A Facebook promise? (Score:5, Interesting)

    by QuietLagoon ( 813062 ) on Monday January 30, 2017 @03:54PM (#53768759)

    ...Facebook also promises not to share it with third-party websites...

    That sounds like a marketing interpretation of a privacy policy that probably is as leaky as a sieve.

  • by Anonymous Coward

    Really? Facebook is just providing this service with no upside to themselves? I'm not buying it.

    • by PCM2 ( 4486 )

      Eh, the catch is that you need to have an active Facebook account. That's obvious, right? No need to go looking for some devious motive when the upside is staring you right in the face.

  • by daninaustin ( 985354 ) on Monday January 30, 2017 @03:59PM (#53768799)
    It's too easy to get your Facebook account deleted or locked out for it to be useful for this.
    • by dgatwood ( 11270 ) on Monday January 30, 2017 @04:25PM (#53768985)

      Even ignoring that problem, at a glance, it seems like there are so many problems with that idea that I almost don't know where to begin. It assumes we trust Facebook to keep the token secure (we don't). It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes). And so on.

      A better solution is to add your home phone and office phone as alternate second factors.

      • Or a U2F key in a secure location (like a safe deposit box).

      • It means that if somebody hacks your Facebook account, now they have access to all your accounts (yikes)

        For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.

        • by nasch ( 598556 )

          For similar reasons, I'm still not sold on the idea of cloud-based password managers. That seems like a problem just waiting to happen.

          If you have a highly secure password/passphrase, which you really should, what's the risk? Unless the encryption is not as good as I've been led to believe, it's not hard to make a password that would take hundreds to thousands of years to crack with current technology. Change your master password every ten or twenty years and you should be OK even if someone gets hold of your encrypted password storage.

          • I am suspicious of the notion that "The Cloud" is automatically superior in every way. I've seen the arguments that cloud services typically have high availability, are managed by smart teams, are accessible from everywhere. But the people saying this are likely IT pros doing the grunt work.

            I don't trust the company itself not to get sold and change the terms of service, go POOF!, or turn back every single cracking attempt (the bad guys only need to succeed ONCE). If I host my own password manager it is ent

            • by nasch ( 598556 )

              I suppose it depends on the cloud service. You can never be certain it's going to remain available forever; as you say companies and services come and go. I think you can tell from reviews whether the quality of a service is good. And services that work like LastPass (which is the one I'm familiar with) don't require access all the time anyway. There's a copy of the vault on whatever device you installed it on, and it just uses that, and the cloud is for synchronization. What happens if their service g

    • It's too easy to get your Facebook account deleted or locked out for it to be useful for this.

      But is it really? I mean the only people I know of who get their account deleted or locked out are trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.

      • >> It's too easy to get your Facebook account deleted or locked out for it to be useful for this.

        > But is it really? I mean the only people I know of who get their account deleted or locked out are
        > trolls, SJWs, activists, and people who just plain shit on their terms of service for shits and giggles.

        Blame the victim, why don't you. Read this horror story... https://thenextweb.com/faceboo... [thenextweb.com]

        Guy mysteriously gets his account disabled and is forbidden from creating a new one. This is straight out

  • by Anonymous Coward

    Facebook is getting into aspects which a social networking service has little business being involved in. A while back somehow a family member's account became locked, and to get it back up and running they were requiring photo ID. It's a social contact website, not a bank account.

  • "Facebook also promises not to share it with third-party websites (aside from those you authorize)." What this will turn out to mean is that you can't get access to the features and anything useful on 3rd party websites unless you authorize them access to your account.
  • I mean it was the exact next story after this one on the front page. And I'm supposed to *rely* on this service to gain access to lost 2FA tokens somehow?

    And since when do I trust Facebook with anything? I hardly trust them to keep the privacy settings where I put them.

  • "Facebook promises" (Score:4, Interesting)

    by vvaduva ( 859950 ) on Monday January 30, 2017 @04:09PM (#53768871)

    Facebook also promises not to share it with third-party websites (aside from those you authorize)

    lolz. I am sure the NSA will love this shit.

  • by rwven ( 663186 )

    The best way to avoid this problem is to use SMS for 2 factor authentication. Almost all common services support it, and if you lose your phone, a new phone will work just as well.

    • SMS is almost as insecure as Facebook itself.

      • by rwven ( 663186 )

        If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.

        • by tlhIngan ( 30335 )

          If it's so terrible it certainly hasn't assuaged Google, Github, and a huge number of other big services from using it. Many of them are still ADDING support for it. If you're afraid of the government pretty much nothing is going to stop them. If you're just looking for general "good security," SMS will work fine.

          The problem with SMS is well, you're assuming a person has a phone which has a phone number.

          NIST wrote guidelines against it because a "phone has a phone number" is no longer accurate. A phone numb

  • Why would I trust Facebook with this instead of just buying a YubiKey? Is there somewhere the YubiKey won't work and this would?

    • by kqs ( 1038910 )

      It sounds like this doesn't replace TFA, it complements it. It is an attempted solution for "what do you do when you lose/damage your yubikey?"

      We can argue about whether or not this is a good solution (my guess is that it is fine for most people, but not for security professionals), but there is no doubt that it is trying to solve a real problem (just not the one in the headline).

      • I have LastPass, which I access from 3 of my devices. Why would that be inadequate?
        • by kqs ( 1038910 )

          Why would Lastpass be inadequate? Lastpass is also a fine solution, as long as you store a manual replacement for your TFA there in a secure note. It's more complex than Facebook's system, but does far more.

          Anything which makes TFA easier is a good thing. Facebook is solving one TFA problem. U2F [wikipedia.org] solves some different problems. Lastpass solves a slightly different set of problems. Bad security is easy, good security is hard and will get harder as long as criminals exist.

  • Does anyone else see this as a honeypot for <Insert your favorite state run organization here> to gain access to all your accounts?
  • And nothing is better than not even being on Facebook. Avoid it at all costs if you can.
  • If only they had waited two months more before posting TFA it would have been worth reading.

  • Do I even need to bother with a list?

  • I have a 2FA key fob from Schwab and Vanguard for my account with a decent balance. If I lose it, I need to call the 800 number and go through some verification and then a new key fob will arrive by mail, or so they promise me. I might not be able to trade during part of that period, but otherwise why would one eschew 2FA itself for the fear of losing the key fob?

    My concern was not losing it, but how to make it work with Quicken.

  • 2FA is used for logging in. Delegated Recovery is used for account recovery. How can one replace the other?
  • The token is encrypted, says Facebook. But how does one decipher it in order to use it? By sending a passphrase to Facebook? Better not forget it.

    Or perhaps they mean it is an opaque reference but it can be used as is. A kind of cookie, if you prefer.
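The summary says the stored token is encrypted so Facebook cannot read it, and the comment above asks how the site can then use it; the added example below (not Facebook's, GitHub's or the page's own code) models that three-party exchange: the account provider encrypts and authenticates a token under keys only it holds, the recovery provider stores and later releases the opaque blob with a countersignature, and the account provider checks countersignature, integrity, user binding, expiry and single use before accepting it. The class names, the pre-shared countersignature key, and the stdlib HMAC constructions standing in for AES-GCM and for a real signature are assumptions for the sake of a self-contained demo.

```python
import hashlib, hmac, json, os
# Constructed model of the flow above, not Facebook's or GitHub's code: an HMAC-SHA256
# counter-mode keystream stands in for a real AEAD (AES-GCM), an HMAC countersignature
# for the recovery provider's signature, and all keys are generated fresh per run.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]
def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

class AccountProvider:        # the site being recovered (GitHub's role): sole key holder
    def __init__(self):
        self.enc_key, self.mac_key, self.used = os.urandom(32), os.urandom(32), set()
    def issue_token(self, user_id: str, now: float, ttl: int = 3600) -> bytes:
        claims = {"uid": user_id, "exp": now + ttl, "id": os.urandom(8).hex()}
        nonce = os.urandom(16)
        ct = _xor(json.dumps(claims).encode(), _keystream(self.enc_key, nonce, 256))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag                    # opaque bytes to whoever stores it
    def redeem(self, blob: bytes, sig: bytes, verify_sig, user_id: str, now: float) -> bool:
        if not verify_sig(blob, sig):              # 1. recovery provider vouched for this blob
            return False
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):   # 2. blob not altered while stored
            return False
        claims = json.loads(_xor(ct, _keystream(self.enc_key, nonce, 256)))
        if claims["uid"] != user_id or claims["exp"] < now or claims["id"] in self.used:
            return False                           # 3. binding, expiry and replay checks
        self.used.add(claims["id"])
        return True

class RecoveryProvider:       # the store-and-return party (Facebook's role): sees opaque bytes
    def __init__(self):
        self.sig_key, self.vault = os.urandom(32), {}   # sig_key: assumed shared out of band
    def store(self, account: str, blob: bytes):
        self.vault[account] = blob
    def release(self, account: str):               # the user logged in here and asked for it
        blob = self.vault[account]
        return blob, hmac.new(self.sig_key, blob, hashlib.sha256).digest()
    def verify_sig(self, blob: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sig, hmac.new(self.sig_key, blob, hashlib.sha256).digest())

def demo(now: float = 1_700_000_000.0):
    ap, rp = AccountProvider(), RecoveryProvider()
    rp.store("alice@fb", ap.issue_token("alice", now))
    blob, sig = rp.release("alice@fb")
    first = ap.redeem(blob, sig, rp.verify_sig, "alice", now + 10)
    replay = ap.redeem(blob, sig, rp.verify_sig, "alice", now + 20)
    bad = blob[:-1] + bytes([blob[-1] ^ 1])        # one bit flipped while "in storage"
    return first, replay, ap.redeem(bad, sig, rp.verify_sig, "alice", now + 10)
```

The recovery provider never holds `enc_key` or `mac_key`, so the blob is exactly the "opaque reference" the comment speculates about; the one-shot `used` set and the expiry are what keep a leaked or replayed blob from being redeemed twice.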

  • I guess I just don't get it. I have a password. It's a password. Is it somehow difficult to remember my password? So difficult that I need Facebook to store something for me?

    Riddle me this: what's wrong with the sticky note on my desk? Or the piece of paper in my drawer? Or the notepad in my safe-deposit box?

    Is this for people who have zero experience being responsible for anything? Can't store your own shit, need someone else to store it for you?

    Sounds like this is absolutely nothing more than two p
