Security Key for safer logins with a touch (facebook.com)
I've been a big fan of yubikeys for years, but I'd never use mine for something like Facebook.

I work in computer security, so I know this sounds crazy. But my brain has been rewired to work in failure modes by the not-security domain I happen to do security stuff in.

The obvious argument for TFA is to reduce the chances that my Facebook account is subject to the bad consequences that come from a compromised Facebook account.

I'd much rather they reduce or eliminate the severity of the failure effect in the first place. TFA is only a mitigation that reduces the likelihood of account compromise. It shouldn't be possible for someone who swipes my yubikey to do any more than cause a minor social annoyance.

Unfortunately the presence of the mitigation (TFA) will - if adopted in significant numbers - combine with Facebook's other incentives to produce more severe failure effects for account compromise.

Remember back when facebook was still in its just-college phase? And dicking around on your friend's facebook account if they left their computer unlocked was normal? And when you saw someone acting unusual, you sorta assumed someone was messing with their account? Yeah, I don't want a compromise of my facebook account to ever be more severe than it was back then.

I am slightly disappointed that this doesn't work in Firefox, despite the fact that I have an add-on[1] installed to add U2F support. Github for instance is able to detect U2F support and let me use it.

That said, I understand the lack of support since I am an extremely small niche, and this did prompt me to finally add 2FA to facebook (U2F and code generation from my Yubikey Neo).

[1] https://addons.mozilla.org/en-US/firefox/addon/u2f-support-a...

I don't understand how it has taken them so long to add it natively... they just shipped FLAC audio support but still don't care about U2F?

FLAC audio support is simpler, it's just adding a self-contained FLAC decoding library, and wiring it to the already-existing audio code.

For U2F, they have to write code to interact with the operating system USB API (for each operating system), plus the main U2F code, plus a JavaScript API, all while taking care to not cause any new privacy leaks or worse.

If you want to follow, the main bugzilla item seems to be this one: https://bugzilla.mozilla.org/showdependencytree.cgi?id=10657...

Barring unforeseen complications, U2F support should land in stable Firefox this year.

The tree of bugs to follow is rooted at https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

Because the general public cares far less about account security than you or I might. If you were to ask a person on the street if they used 2FA on Facebook, their reaction would be either "no" or "what the hell is that?", let alone talking about U2F.

When your users don't really care, your priorities shift down.

Last time I looked at Facebook 2FA, it didn't allow you to enable it unless you had a browser with old enough cookies from Facebook, which is not possible if you configure your browser to clear all cookies on exit (and close the whole browser at least once a day). Is that still the case?

This is great forward progress, I much prefer U2F where available. I hadn't even realized that FB supported 2FA, so I just tried to set it up on my iPhone, and either automatically or manually cannot get a test code to work. This tends to reduce my confidence in any other aspect of their implementation.

The 2FA code generation has always worked perfectly for me for the past year (or two?) that I've had it enabled.

I have to admit to being quite startled. But I just get "Security code was invalid. Please try again". I've tried again several times. I'll see if setting it up on the website works.

counter-anecdote: I've had zero issues with FB 2FA and I'm pretty sure many, if not all (I would hope it's an internal policy, but idk...) FB employees have it enabled, so it'd be pretty difficult for them to not notice serious issues with the use of their implementation (as your post suggests exist).

Happy to see Facebook finally supporting U2F but haven't assessed how robust their implementation is.

Another U2F hardware key is the Trezor bitcoin hardware wallet ( https://blog.trezor.io/secure-two-factor-authentication-with... ) which has the added benefit that you can backup all your U2F private keys. I'm not aware of how you could do this with a Yubico U2F key -- if someone knows, please enlighten me.

If you are concerned about the implementation, here is a security token you can flash yourself:

https://sc4.us/hsm/index.html

(Full disclosure: this is my company.)

This is pretty exciting, but it looks like your user manual has not been updated in 8 months. What are you working on these days?

W.r.t. Yubico U2F, you don't back it up; you just register two or more tokens that work as backup keys.

I'm happy with Authy and TOTP, for the moment. Getting a YubiKey has been on my to-do list for a while, but I'm not sure that everything I currently have 2FA for will accept it. In which case, I don't like the idea of half-migrating to YubiKey while still having to keep Authenticator around.

Does it rely on SMS as backup, though?

I had SMS as my backup and in testing this morning, FB sends the SMS by default, even before you either tap the key or say you want to use another method (like SMS).

That's a big flaw to me. It should only send the SMS if I specifically say, "Use my backup SMS method". I switched to use an authenticator app instead as a result.

It looks like it gives you a choice:

"Security keys for Facebook logins currently only work with certain web browsers and mobile devices, so we'll ask you to also register an additional login approval method, such as your mobile phone or Code Generator"

That looks like a requirement, not a choice.

So as usual, the U2F standard being adopted by companies these days is only as strong as SMS 2FA, because of this requirement.

Can someone tell me what's the point then? Is it that they hope that in the end U2F will get popular enough that they'll remove that requirement? I would hope that's it. Otherwise, I don't see the point.

I wish they at least allowed you to opt-out of the SMS back-up before you even had to give them your number. Of course, we're talking about Facebook here, so they won't waste any opportunity to make it seem like you have no choice but to give them your phone number.

>That looks like a requirement, not a choice.

A requirement to have one backup, which doesn't have to be SMS. It appears to allow a manually pregenerated list of codes, for example. See the UI: https://scontent-dft4-1.xx.fbcdn.net/v/t31.0-8/p720x720/1617...

You can use a TOTP code generator (e.g. Authy) as your backup. No need to rely upon SMS.

