Facebook introduces Two Factor Authentication - songexe
http://www.facebook.com/note.php?note_id=10150172618258920

======
tuebor
Google, Paypal, World of Warcraft, Mailchimp, etc. have all implemented user-
facing two-factor auth also. It's the easiest way for them to protect against
endpoint insecurity when attackers are going after user credentials en masse.

For any other site looking to implement this, check out our open-source web
SDKs and service at Duo Security:

<http://www.duosecurity.com> <https://github.com/duosecurity>

At the very least, we highly recommend folks use it to protect their own
cloud/datacenter infrastructure, and have made it free to do so (assuming you
have 10 or less admins):

<http://blog.duosecurity.com/2011/04/ssh-keys-that-call-you-back/>

We support callback, SMS, mobile apps for 7 platforms, as well as traditional
hardware tokens for online and offline use...

------
2FA
It’s great that Facebook is strengthening security by using two-factor
authentication. People share so much personal information on Facebook that
relying on a single layer of password protection is simply not enough.
However, sending a code by SMS text message is not very secure because they
are sent in clear text. If the user were to lose their phone or have it
stolen, anybody could read that text message and fraudulently authenticate.

More websites need to use two-factor authentication like Facebook is doing,
but a more secure and easier-to-use approach is to send an image-based
authentication challenge to the user’s phone, like Confident Technologies
provides: <http://bit.ly/dMNzB5>. A grid of pictures is displayed on the
user’s smartphone and to authenticate, the user must correctly identify the
pictures that fit their pre-chosen, secret categories. Even if someone else
had possession of your phone, they wouldn’t be able to authenticate because
they wouldn’t know your secret picture categories.

------
adatta02
Interesting point "If you ever lose or forget your phone and have login
approvals turned on, you will still have the option to authorize your login
provided you are accessing your account from a saved device."

In contrast to Google's solution which provides you with a set of fallback
codes.

------
bimbly
Facebook has been aching for my phone number and other details. Do you think
this is security driven or put out as an entryway into greater interaction
with your phone? I should note that I am old school and don't use a smartphone
so that is part of my approach to thinking about this.

------
smackfu
I tried to turn this on and never got the SMS confirmation they send, so I
couldn't turn it on. That is kind of my worry with this kind of thing... if it
doesn't work when you need to login, you are screwed. Why not just have the
Facebook app generate the code?
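
As an added illustration (not code from the thread, from Facebook, or from any vendor named here), this is what "have the app generate the code" amounts to in practice: an RFC 4226 HOTP / RFC 6238 TOTP code derived from a shared secret and the clock, so no SMS has to arrive. It also shows the kind of one-time fallback codes adatta02 mentions for Google. The HMAC-SHA1, 30-second-step algorithm is the real RFC one; the `SecondFactor` class, its replay guard and the hashed backup-code scheme are an assumed server-side design of mine, not how Facebook or Google actually implement theirs.

```python
# Added example: authenticator-app style TOTP generation/verification plus
# one-time backup codes. Standard library only; runs offline.
# RFC 4226/6238 algorithms are real; the SecondFactor design is assumed.
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from wall-clock time (this is what the app runs)."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactor:
    """Assumed server-side state for one account: shared TOTP secret + hashed backup codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window       # tolerate +/- this many steps of phone/server clock skew
        self.last_counter = -1     # highest counter already accepted: blocks replay of a seen code
        self._backup_hashes = set()

    def verify_totp(self, code: str, at_time: float) -> bool:
        """Accept a code for the current step or a neighbour within the window, once only."""
        if len(code) != self.digits or not code.isdigit():
            return False
        counter = int(at_time) // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already used, or older than a code we already accepted
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = candidate
                return True
        return False

    def issue_backup_codes(self, count: int = 10) -> list:
        """Generate fallback codes; show them to the user once, keep only their hashes."""
        codes = [secrets.token_hex(4) for _ in range(count)]  # 8 hex chars each
        self._backup_hashes = {hashlib.sha256(c.encode()).digest() for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Each backup code works exactly once."""
        h = hashlib.sha256(code.strip().lower().encode()).digest()
        if h in self._backup_hashes:
            self._backup_hashes.discard(h)
            return True
        return False

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)


if __name__ == "__main__":
    # Constructed demo: enrol a fresh random secret and print the current app code.
    secret = secrets.token_bytes(20)
    server = SecondFactor(secret)
    now = time.time()
    code = totp(secret, now)          # what the phone app would display
    print("app code:", code, "accepted:", server.verify_totp(code, now))
    print("replay accepted:", server.verify_totp(code, now))  # False
    print("backup codes:", server.issue_backup_codes(3))
```

The `hotp`/`totp` functions reproduce the RFC 6238 test vectors (secret `12345678901234567890`, e.g. `94287082` at T=59 with 8 digits), which is a quick way to check any implementation. The server never sends the code anywhere; it only holds the secret and the hashes of the backup codes, and the replay guard means a code that has been used (or observed) once is not accepted again.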

------
eberfreitas
The guys from MailChimp just created a webapp to enable 2-Factor
Authentication for anyone. It's called AlterEgo <https://alteregoapp.com/>

------
mmalik
Would be curious to hear how their in-house TFA compares to some of the big
enterprise vendors in the market.

------
reso
Interns keep kicking ass at Facebook.

------
hammock
This seems to me like just another backdoor way of being able to build a more
robust database of personal information on you. With your mobile number and
the numbers of all your friends, in coordination with the cell carriers (or
NSA, whichever you prefer) they can tie together data about who you call & how
often with your friend activity on Facebook. Google has been doing it too,
asking for a "mobile number backup" when you log into Gmail.

Just the next erosion of our privacy, disguised as a protection of our
privacy.

~~~
reso
Bullshit conspiracy theories. How can something that is opt-in be an erosion
of privacy? By default it is not enabled. Just don't use it and you're fine.

~~~
naner
_Bullshit conspiracy theories._

Hyperbole would be a more apt description.

_How can something that is opt-in be an erosion of privacy?_

Quite easily. You can choose to use a service without fully understanding the
privacy implications. I don't think we can expect the general public to be
infosec and personal rights experts.

------
sorbus
Given the timing on this, I can't see it as anything but an attempt to
distract from the fiasco currently going on with Facebook hiring a PR firm to
smear Google.

That said, this is a pretty cool feature, and seems to play into Facebook's
ongoing attempt to become the standard for identity on the internet - added
security is a really good thing when your entire identity is tied to a single
service.

~~~
atacrawl
_Given the timing on this, I can't see it as anything but an attempt to
distract from the fiasco currently going on with Facebook hiring a PR firm to
smear Google._

I highly doubt that. The two groups responsible for each probably aren't aware
of what the other party is working on. I don't see Facebook launching a
feature if it isn't ready, nor do I see them holding a feature back that is
ready.

~~~
smackfu
In fact, the article says: "Even interns like myself are tasked with big
projects to help improve account security. Instead of working on mundane tasks
and simple problems, interns are given high-impact assignments that reach out
to hundreds of millions users every time they use Facebook."

~~~
ceejayoz
Which would seem to explain why Facebook occasionally grinds to a halt for a
few minutes until something gets reverted.

