
Security Key for safer logins with a touch - ta_dhee
https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766
======
grandsham
I am slightly disappointed that this doesn't work in Firefox, despite the fact
that I have an add-on[1] installed to add U2F support. Github for instance is
able to detect U2F support and let me use it.

That said, I understand the lack of support since I am an extremely small
niche, and this did prompt me to finally add 2FA to facebook (U2F and code
generation from my Yubikey Neo)

[1] [https://addons.mozilla.org/en-US/firefox/addon/u2f-support-a...](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/?src=api)

~~~
artursapek
I don't understand how it has taken them so long to add it natively... they
just shipped FLAC audio support but still don't care about U2F?

~~~
cesarb
FLAC audio support is simpler: it's just adding a self-contained FLAC decoding
library and wiring it to the already-existing audio code.

For U2F, they have to write code to interact with the operating system USB API
(for each operating system), plus the main U2F code, plus a Javascript API,
all while taking care to not cause any new privacy leaks or worse.

If you want to follow, the main bugzilla item seems to be this one:
[https://bugzilla.mozilla.org/showdependencytree.cgi?id=10657...](https://bugzilla.mozilla.org/showdependencytree.cgi?id=1065729&hide_resolved=0)

~~~
baq
holy crap.

    Reported:	2014-09-10 16:07 PDT by Axel Nennker
    Modified:	2017-01-26 08:24 PST (History)
    CC List:	419 users (show)

~~~
mtgx
Yeah, Google implemented it in Chrome in 2014... I guess it's just not a high
priority for Mozilla right now.

------
batuhanicoz
I wish Facebook would bring something similar to Instagram.

I recently got hacked and lost my account and my first name username for
good[0]. They don't even allow 2 factor auth on accounts with low followers
there.

[0] [https://medium.com/@batuhan/i-got-hacked-and-i-dont-think-in...](https://medium.com/@batuhan/i-got-hacked-and-i-dont-think-instagram-cares-fe4160364ef1)

~~~
jacurtis
Same exact thing happened to me on Instagram. Which is crazy to me, it's really
the first time I was hacked, as I usually am very careful with passwords and
security. I used 2FA and password managers and so forth.

------
amluto
Shameless plug: if you want this to work on Linux without diddling the device
node permissions, install this:

[https://github.com/amluto/u2f-hidraw-policy](https://github.com/amluto/u2f-hidraw-policy)

I need to get around to integrating this with upstream udev so it can stop
being needed as a standalone project.

~~~
bluecmd
Or the Yubico official
[https://developers.yubico.com/libu2f-host/](https://developers.yubico.com/libu2f-host/) - that will do the same

~~~
amluto
My version is waaaay better.

No, really, it is. Theirs is a little list of known U2F devices from known U2F
device vendors. Mine actually detects that the device is a U2F device
regardless of its make and model. As far as I know, Yubico _wrote_ that spec,
so I'm a bit surprised they didn't implement it in the udev rule.

~~~
nickik
Try to upstream this. That would be cool, because I use the information from
Yubikey atm.

------
DINKDINK
Happy to see Facebook finally supporting U2F but haven't assessed how robust
their implementation is.

Another U2F hardware key is the Trezor bitcoin hardware wallet
([https://blog.trezor.io/secure-two-factor-authentication-with...](https://blog.trezor.io/secure-two-factor-authentication-with-trezor-u2f-e940fd5a60af#.j8z0lkgvf))
which has the added benefit that you can backup all your U2F private keys. I'm
not aware of how you could do this with a Yubico U2F key -- if someone knows,
please enlighten me.

~~~
lisper
If you are concerned about the implementation, here is a security token you
can flash yourself:

[https://sc4.us/hsm/index.html](https://sc4.us/hsm/index.html)

(Full disclosure: this is my company.)

~~~
aftbit
This is pretty exciting, but it looks like your user manual has not been
updated in 8 months. What are you working on these days?

~~~
lisper
I'm still working on it, but it's a one-man company at the moment and I have
more than one product so I'm spread pretty thin. But yes, I need to update the
manual at the very least to mention that it now supports U2F. Thanks for
pointing that out.

------
pacaro
This is great forward progress, I much prefer U2F where available. I hadn't
even realized that FB supported 2fa, so I just tried to set it up on my
iPhone, and cannot get a test code to work, either automatically or manually.
This tends to reduce my confidence in any other aspect of their implementation.

~~~
_joel
The 2FA code generation has always worked perfectly for me for the past year
(or two?) that I've had it enabled

~~~
pacaro
I have to admit to being quite startled. But I just get "Security code was
invalid. Please try again". I've tried again several times. I'll see if
setting it up on the website works.

~~~
pacaro
FWIW I could successfully configure 2fa on the desktop, which works fine on
mobile.

~~~
_joel
Cool, glad it worked

------
AdmiralAsshat
I'm happy with Authy and TOTP, for the moment. Getting a YubiKey has been on
my to-do list for awhile, but I'm not sure that everything I currently have
2FA for will accept it. In which case, I don't like the idea of half-migrating
to Yubikey while still having to keep Authenticator around.

~~~
nickik
You can use your Yubikey + Yubico Authenticator to replace Authy. It does not
add that much security, but you gain the ability to switch devices without
cloud sync.

~~~
edraferi
I had a lot of problems with Yubico Authenticator. Wound up switching back to
a generic app.

~~~
nickik
What problems? I used to not have any, but for a short while now it has had
issues with unlocking when I get an NFC connection. I have to restart it
sometimes.

~~~
edraferi
Yeah the NFC on my Yubico has burnt out. Or something. Regardless, Yubico
Authenticator just flat-out didn't work for me. I got it running, loaded some
codes, and then the codes didn't work again. It was like it lost
synchronization with the server clock or something. I had the same issues on
Android and MacOS. Maybe I could have sorted it, but I lost interest before
finding a definitive fix.

------
draw_down
We started using these for internal services and Google accounts where I work.
It's unfortunately a big pain in the butt - you can't use Safari, you can't use
the Mac/iPhone calendar app to see your meetings. It's web apps in Chrome or
nothing, more or less.

The one type of key supposedly uses Bluetooth, but that functionality isn't
built yet or something, so you get to carry around a little 4-inch microUSB
cord with you everywhere you go, and connect that every single time you hit a
2FA prompt. At least the Yubikeys have a USB connector built into them.

~~~
tptacek
Huh? I use the Google applications --- and, particularly, their calendar ---
all the time without using Chrome, and U2F is my first-priority 2FA mechanism.
You can mint static random application keys for your native applications, and
use TOTP as a backup for when you want to use a different browser (really,
though, you _should_ use Chrome as much as you can; it's significantly more
secure).

~~~
draw_down
For some reason application passwords don't seem to work according to everyone
who tried. I don't really know what TOTP is or how all of this is configured,
that's the domain of our security team. I don't really know what you mean
about Google apps, I just want to use the calendar app on my Mac and iPhone to
see my meetings but I can't. I asked them about it and they confirmed to me
that I should use the Google Calendar web app in Chrome.

Using a web app on my Mac isn't the end of the world, but I can't see my
meetings on my phone in any type of way, and I'm already missing them
sometimes because the little notification on the phone is what reminds me that
I have a meeting to go to.

~~~
nickik
In the Google security setting you can create new App-Passwords, use those in
your Apple Mail or whatever. It should work fine.

~~~
draw_down
If only a comment on Hacker News saying something should work made it so :)

~~~
nickik
Well you said yourself that you are not an expert. I encourage you to actually
play around with the settings a little. I have used it multiple times in
different contexts and it has worked like a charm every time.

So maybe if you spend some time on it, you can make it work.

------
forgottenpass
I've been a big fan of yubikeys for years, but I'd never use mine for
something like Facebook.

I work in computer security, so I know this sounds crazy. But my brain has
been rewired to work in failure modes by the not-security domain I happen to
do security stuff in.

The obvious argument for TFA is to reduce the chances that my Facebook account
is subject to the bad consequences that come from a compromised Facebook
account.

I'd much rather they reduce or eliminate the severity of the failure mode in
the first place. TFA is only a mitigation that reduces the likelihood of
account compromise. It shouldn't be possible for someone who swipes my yubikey
to do any more than cause a minor social annoyance.

Unfortunately the presence of the mitigation (TFA) will - if adopted in
significant numbers - combine with Facebook's other incentives to produce more
severe failure effects for account compromise.

Remember back when facebook was still in its just-college phase? And dicking
around on your friend's facebook account if they left their computer unlocked
was normal? And when you saw someone acting unusual, you sorta assumed someone
was messing with their account? Yeah, I don't want a compromise of my facebook
account to ever be more severe than it was back then.

~~~
CaveTech
I don't think I follow your reasoning of how increased security increases the
severity of a compromise. Can you elaborate on that?

~~~
OJFord
If my network knows that I use PGP to login, they may well accept an
(illegitimate) announcement that I'm changing my keys to {attacker-
generated.asc}.

Of course, really such a login key should only be able to authenticate, and my
network should only accept a proper revocation certificate that would need to
have been generated by a different key with the 'Certify' action enabled.

How likely or damaging that is obviously depends a lot on who you are, and
probably wouldn't be for many people at all. But I assume that's the sort of
thing your parent commenter is alluding to.

------
erelde
Tangent comment:
[https://i.imgur.com/Xm1qRI4.png](https://i.imgur.com/Xm1qRI4.png)

Does anybody know why the comments under this post are like that, at least for
me? Is there a particular reason why people from Myanmar (some with latin
name?) would comment this much more than any other?

~~~
biot
Probably this:
[https://www.youtube.com/watch?v=oVfHeWTKjag](https://www.youtube.com/watch?v=oVfHeWTKjag)

~~~
re
That video doesn't seem particularly relevant to the question; it talks about
fake likes, but makes the point that those fake users _don't_ engage with the
content at all.

~~~
erelde
It's from 2014. Fake likes could also do fake comments now, it's also a metric
used for engagement.

------
transfire
Looks like a logistical nightmare to me. You think forgetting a password is a
pain in the ass, just wait until you lose your security key. It won't be one
service you have to reset through an alternate verification route, but every
single one you ever used! I also foresee potential issues with data corruption
on keys, and multiple keys getting out of sync (e.g. work vs home). And I have
no doubt that clever hackers will find ways to get the codes off those keys
(they will be plugged into a computer all the time and at the very least even
the most cautious are susceptible to phishing). Also, it just doesn't seem as
secure as an SMS code b/c the SMS code doesn't exist but for a short window of
time and is transmitted by a completely separate communications channel -- but
I suppose that's also why the big companies want to get rid of it, SMS costs
more money.

The more I think about it, it seems to me that the Internet itself really
needs to be a two-channel system. If communication has two separate physical
channels then it becomes much easier to ensure security.

~~~
eeZah7Ux
That's why you buy two keys. No, they don't have anything to "sync".

~~~
unknownsavage
One issue with buying two keys is they internally have different keys, so you
need to connect both to each new account, which is a pain in the ass and stops
you just keeping one somewhere very safe (i.e. a safety deposit box, or a safe
at a friend's house).

~~~
nickik
Hopefully this will be addressed in FIDO 2.0. That is the goal at least.

------
cesarb
Last time I looked at Facebook 2FA, it didn't allow you to enable it unless
you had a browser with old enough cookies from Facebook, which is not possible
if you configure your browser to clear all cookies on exit (and close the
whole browser at least once a day). Is that still the case?

~~~
gst
I've used Facebook 2FA for quite a long time now and all of my browsers are
configured to clear cookies on exit (and to disallow 3rd party cookies).
Didn't have any issues with activating 2FA.

------
nickik
As a huge fan of U2F I really love this. I don't use Facebook, but we are
starting to cover more and more of the internet. Facebook, Google, Dropbox are
huge.

I would like to see UAF also get some more love.

------
mtgx
Does it rely on SMS as backup, though?

~~~
james_pm
I had SMS as my backup and in testing this morning, FB sends the SMS by
default, even before you either tap the key or say you want to use another
method (like SMS).

That's a big flaw to me. It should only send the SMS if I specifically say,
"Use my backup SMS method". I switched to use an authenticator app instead as
a result.

~~~
tptacek
I'm not sure I see the security advantage to opt-in SMS over opt-out SMS (both
are bad). If the button exists to override the hardware token with a text
message, the attacker will simply push the button after hijacking your phone
number.

~~~
james_pm
True that. More of an annoyance, then, with my phone lighting up with an SMS
notification that I didn't need. Reminded me to disable SMS 2FA and stick with
the authenticator app.

------
greggman
And yet I'm told by other security minded people I should epoxy over my USB
ports.

So which is it?

~~~
modeless
Use a Yubikey Nano. You could easily epoxy it in place.

... but physical access is game over no matter how much epoxy you use.

